Last updated: May 14, 2026 at 10:49 AM UTC

A WordPress redirect plugin used on 70,000 sites was secretly running a hidden update channel that fetched code from an attacker-controlled server for five years

A WordPress security researcher found a backdoor that's been quietly running on 70,000 websites for five years. The Quick Page/Post Redirect plugin had a hidden self-updater added in 2020 that pointed not to WordPress.org but to anadnet[.]com, an attacker-controlled domain. In March 2021 that updater silently delivered a tampered version of the plugin - replacing the real plugin with one that included a passive backdoor. The backdoor only triggers for visitors who aren't logged in (so site owners never see it firing) and was used to inject SEO spam into pages served to Google's crawler. WordPress.org pulled the plugin pending review.

Check
If you run any WordPress site, list your installed plugins today and remove Quick Page/Post Redirect immediately - the directory pulled it but installs already on disk are still active.
Affected
Any WordPress site running the Quick Page/Post Redirect plugin - 70,000 confirmed installs. Sites running versions 5.2.1 and 5.2.2 received the tampered build directly from anadnet[.]com. The pattern of buying a legitimate plugin business and quietly adding malicious code is increasingly common.
Fix
Uninstall and delete Quick Page/Post Redirect from every WordPress site you manage. Search wp-content/plugins/ on disk - removing via the dashboard alone may not catch every install. Block anadnet[.]com and w.anadnet[.]com at your DNS resolver. Audit your sites for SEO spam visible only to crawlers (compare 'fetch as Googlebot' against what regular visitors see).
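
The on-disk search from the Fix step, as an added example (not code from the researcher or from WordPress.org): it walks every `wp-content/plugins/` directory under a web root and flags plugin folders that declare the plugin's name or reference the updater host. It assumes the plugin's main PHP file carries the name given above in its `Plugin Name:` header and that the host appears as a literal string; the function names and the `/var/www` path are illustrative.

```shell
#!/bin/sh
# Added example (not from the advisory): find Quick Page/Post Redirect on disk.
# Assumptions: the plugin's main PHP file declares the name the advisory gives
# in its "Plugin Name:" header, and the updater host appears as a literal string.

PLUGIN_NAME='Quick Page/Post Redirect'
UPDATER_HOST='anadnet.com'   # the advisory writes it defanged: anadnet[.]com

# find_plugin_dirs ROOT: print every wp-content/plugins directory below ROOT.
find_plugin_dirs() {
    find "$1" -type d -path '*/wp-content/plugins' 2>/dev/null
}

# scan_wp_plugins ROOT: print "<reason><TAB><plugin dir>" for each hit.
#   header  = a top-level PHP file declares the plugin name
#   updater = any file in the plugin references the updater host
# The body runs in a subshell so its variables stay local.
scan_wp_plugins() (
    find_plugin_dirs "$1" | while IFS= read -r plugins; do
        for dir in "$plugins"/*/; do
            [ -d "$dir" ] || continue
            dir=${dir%/}
            # Match the header, not the folder name: folders can be renamed.
            if grep -qsiE -- "Plugin Name:[[:space:]]*$PLUGIN_NAME" "$dir"/*.php; then
                printf 'header\t%s\n' "$dir"
            fi
            # w.anadnet.com also matches, since this is a substring search.
            if grep -rqsiF -- "$UPDATER_HOST" "$dir"; then
                printf 'updater\t%s\n' "$dir"
            fi
        done
    done
)

# Stand-alone use: sh scan.sh /var/www  (the web root path is an assumption)
if [ "$#" -gt 0 ]; then
    scan_wp_plugins "$1"
fi
```

A folder can be reported twice, once per reason; a `header` hit on its own still identifies an install to delete.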