Overview
- WordPress closed more than 30 EssentialPlugin plugins and pushed a forced update after reports that recent releases planted malware on customer sites.
- Anchor Hosting’s Austin Ginder traced the breach to a backdoor added after a new owner took over EssentialPlugin in 2025 for a six‑figure sum.
- The malware fetched a fake file named wp-comments-posts.php and wrote code into wp-config.php to create a hidden path for remote commands.
- Directory data shows over 20,000 active installs and the vendor advertises 400,000 total installs, which leaves many sites needing manual audits and removal to be safe.
- Researchers say this is the second plugin takeover in weeks and warn that WordPress does not alert users to ownership changes, creating a gap attackers can exploit.
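For site owners doing the manual audit the last two points call for, the following is an added example written for this summary; it is not code from the reporting, from Anchor Hosting, or from WordPress. It checks a site for the two indicators the page names (a file called wp-comments-posts.php, and code added to wp-config.php) using heuristics of my own: any include/require in wp-config.php other than the stock wp-settings.php line, any code-execution or decoding primitive, and any use of request superglobals, none of which a normal wp-config.php contains. The sample config lines are constructed stand-ins, not the actual injected code, whose exact form the page does not give. Note that WordPress core ships wp-comments-post.php (singular); the extra "s" in the dropped file name is what to look for.

```python
import re
from pathlib import Path

# Filename reported for the dropped file (from the page). The legitimate core
# file is wp-comments-post.php; an exact match on the plural form is suspicious.
DROPPED_FILE = "wp-comments-posts.php"

# Heuristic patterns (assumption: a clean wp-config.php matches none of these).
SUSPECT_PATTERNS = {
    # Any mention of the dropped file's name.
    "references-dropped-file": re.compile(re.escape(DROPPED_FILE)),
    # include/require of anything except the stock wp-settings.php line.
    "include-outside-core": re.compile(
        r"\b(?:include|require)(?:_once)?\b(?![^\n]*wp-settings\.php)"
    ),
    # Dynamic code execution / decoding helpers that have no place in a config file.
    "code-execution-primitive": re.compile(
        r"\b(?:eval|assert|create_function|base64_decode|gzinflate|str_rot13"
        r"|system|shell_exec|passthru|exec)\s*\("
    ),
    # wp-config.php never reads request input; a hidden command path would.
    "request-input-use": re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b"),
}


def audit_wp_config(text):
    """Return (line_number, rule_name, line) for each suspicious line in wp-config.php text.

    Comment lines are skipped so the stock header block does not produce noise.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue
        for name, pattern in SUSPECT_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name, stripped))
    return findings


def find_dropped_files(paths):
    """Return the paths (strings) whose basename is exactly the dropped filename."""
    return [p for p in paths if Path(p).name == DROPPED_FILE]


def audit_site(root):
    """Audit a WordPress document root on disk: look for the dropped file anywhere
    under it and check wp-config.php for injected code."""
    root = Path(root)
    dropped = find_dropped_files(
        str(p.relative_to(root)) for p in root.rglob("*.php") if p.is_file()
    )
    cfg = root / "wp-config.php"
    cfg_findings = audit_wp_config(cfg.read_text(errors="replace")) if cfg.is_file() else []
    return {"dropped_files": dropped, "wp_config": cfg_findings}


# Constructed sample: the tail of an ordinary wp-config.php.
SAMPLE_CLEAN = """<?php
/** Constructed sample: a normal wp-config.php tail */
define( 'DB_NAME', 'wp' );
define( 'WP_DEBUG', false );
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""

# Constructed sample: the same file with a loader appended. This is a stand-in
# for illustration only, NOT the code from the EssentialPlugin incident.
SAMPLE_TAMPERED = SAMPLE_CLEAN + """
// constructed stand-in for an injected loader
if ( file_exists( ABSPATH . 'wp-comments-posts.php' ) ) {
    include_once ABSPATH . 'wp-comments-posts.php';
}
"""

if __name__ == "__main__":
    print("clean   :", audit_wp_config(SAMPLE_CLEAN))
    for lineno, rule, line in audit_wp_config(SAMPLE_TAMPERED):
        print(f"tampered: line {lineno} [{rule}] {line}")
    # On a real site: audit_site("/var/www/html") -> dict of findings
```

A hit from `audit_site` is a reason to compare wp-config.php against a known-good backup and to remove the dropped file after capturing a copy for analysis; the heuristics are intentionally broad, so a finding on an unusual but legitimate site-specific include should be confirmed by reading the line rather than dismissed.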