Last updated: May 14, 2026 at 10:49 AM UTC
Tag: seo-spam (2 articles)

A WordPress redirect plugin used on 70,000 sites was secretly running a hidden update channel that fetched code from an attacker-controlled server for five years

A WordPress security researcher found a backdoor that's been quietly running on 70,000 websites for five years. The Quick Page/Post Redirect plugin had a hidden self-updater added in 2020 that pointed not to WordPress.org but to anadnet[.]com, an attacker-controlled domain. In March 2021 that updater silently delivered a tampered version of the plugin - replacing the real plugin with one that included a passive backdoor. The backdoor only triggers for visitors who aren't logged in (so site owners never see it firing) and was used to inject SEO spam into pages served to Google's crawler. WordPress.org pulled the plugin pending review.

Check
If you run any WordPress site, list your installed plugins today and remove Quick Page/Post Redirect immediately - the directory pulled it but installs already on disk are still active.
Affected
Any WordPress site running the Quick Page/Post Redirect plugin - 70,000 confirmed installs. Sites running versions 5.2.1 and 5.2.2 received the tampered build directly from anadnet[.]com. The pattern of buying a legitimate plugin business and quietly adding malicious code is increasingly common.
Fix
Uninstall and delete Quick Page/Post Redirect from every WordPress site you manage. Search wp-content/plugins/ on disk - removing via the dashboard alone may not catch every install. Block anadnet[.]com and w.anadnet[.]com at your DNS resolver. Audit your sites for SEO spam visible only to crawlers (compare 'fetch as Googlebot' against what regular visitors see).
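One way to do the 'fetch as Googlebot' comparison from the command line. This is an added example, not code from the article or from the affected project: it fetches a page of a site you administer twice, once with a Googlebot User-Agent and once with a plain browser User-Agent, and lists links that appear only in the crawler's copy. The two User-Agent strings, the grep-based link extraction and the function names are this example's own choices (the extraction is a heuristic, not an HTML parser).

```shell
#!/bin/sh
# Added example: spot crawler-only (cloaked) content by comparing the same
# page fetched as Googlebot and as an ordinary browser. Assumes curl is
# installed and the URL belongs to a site you administer.

# User-Agent strings used for the two fetches (assumed values; adjust freely).
GOOGLEBOT_UA='Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
BROWSER_UA='Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0'

# Read an HTML body on stdin and print its href targets, one per line, sorted.
# Heuristic: a grep for href="..." / href='...', not a real HTML parser.
extract_hrefs() {
    grep -o 'href=["'"'"'][^"'"'"']*' | sed 's/^href=["'"'"']//' | sort -u
}

# Print links present in the crawler-view file ($1) but absent from the
# visitor-view file ($2). An empty result means the two views link to the
# same places; SEO spam injected for Googlebot shows up here as extra links.
crawler_only_links() {
    bot_links=$(extract_hrefs < "$1")
    user_links=$(extract_hrefs < "$2")
    printf '%s\n' "$bot_links" | while IFS= read -r link; do
        [ -n "$link" ] || continue
        printf '%s\n' "$user_links" | grep -qxF -- "$link" || printf '%s\n' "$link"
    done
}

# Fetch one URL under both User-Agents and report crawler-only links.
check_cloaking() {
    url=$1
    tmpdir=$(mktemp -d)
    curl -sS -L -A "$GOOGLEBOT_UA" "$url" -o "$tmpdir/bot.html"
    curl -sS -L -A "$BROWSER_UA" "$url" -o "$tmpdir/user.html"
    crawler_only_links "$tmpdir/bot.html" "$tmpdir/user.html"
    rm -rf "$tmpdir"
}

# Usage: sh cloak-check.sh https://example.test/some-page/
if [ $# -gt 0 ]; then
    check_cloaking "$1"
fi
```

Run it against a handful of pages per site, including older posts, since injected spam is often placed on pages the owner rarely opens. A non-empty list is a lead, not proof: legitimate A/B tests and consent banners can also vary by User-Agent, so inspect the extra links before acting.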

Attacker bought 30+ WordPress plugins on Flippa, planted backdoor in August 2025, activated it 8 months later across hundreds of thousands of sites

One of the most methodical WordPress supply chain attacks ever: a buyer known only as 'Kris' purchased the entire Essential Plugin portfolio (30+ free WordPress plugins) on the Flippa marketplace for six figures. In August 2025, they injected a PHP deserialization backdoor in version 2.6.7, disguised as a compatibility check for WordPress 6.8.2. The malicious code sat dormant for eight months, building trust. On April 5-6, 2026, the attacker activated it - the C2 domain analytics.essentialplugin[.]com began distributing payloads to every site running the compromised plugins. The backdoor injected cloaked SEO spam into wp-config.php, visible only to Googlebot. WordPress.org permanently closed all 31 plugins on April 7 and pushed a forced auto-update - but the cleanup only removed the phone-home code, not the wp-config.php modifications, meaning compromised sites still served spam after the 'fix'. This happened the same week as the Smart Slider 3 supply chain attack we reported April 11 - two different supply chain attacks via the WordPress trusted update channel in one week.

Check
Check if any of your WordPress sites use plugins from the Essential Plugin / WP Online Support author. The full list of 31 affected plugins includes Starter Templates, Starter Templates for Starter Template, Blog Designer, Countdown Timer Ultimate, Starter Templates Manager, and many more.
Affected
WordPress sites running any of the 31 Essential Plugin plugins that were active before April 8, 2026. The backdoor was present since version 2.6.7 (August 2025). Affected plugins include: Starter Templates for starter template themes, Blog Designer for Post and Widget, Countdown Timer Ultimate, Album and Image Gallery Plus Lightbox, Audio Player with Playlist Ultimate, and 26+ others.
Fix
If any affected plugin was active on your site:
(1) Check wp-config.php for injected code and clean it manually - the WordPress.org forced update did NOT fix this.
(2) Search for and remove wp-comments-posts.php if present.
(3) Scan all files for additional payloads.
(4) Rotate all admin and database credentials.
(5) Check for hidden admin accounts.
The WordPress.org forced update to 2.6.9.1 disabled the phone-home mechanism but did not remediate existing compromise. Treat affected sites as fully compromised.
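An on-disk audit covering the checks both write-ups ask for (plugins still present under wp-content/plugins/, injected code in wp-config.php, and a stray wp-comments-posts.php). This is an added example, not code from either article or from WordPress.org. The plugin slug, the author strings and the list of wp-config.php patterns are assumptions: the slug is the directory name this example expects for Quick Page/Post Redirect and should be confirmed against your own install, the author match uses the "Essential Plugin / WP Online Support" names the article gives, and the wp-config.php patterns are a heuristic based on the fact that a clean wp-config.php contains none of them.

```shell
#!/bin/sh
# Added example: audit a WordPress install on disk for the indicators the two
# articles describe. Run as: sh wp-audit.sh /var/www/example.test
# All slugs, author strings and patterns below are assumptions to adjust.

# Plugin directory names to flag, one per line (assumed slug; verify locally).
SUSPECT_SLUGS='quick-pagepost-redirect-plugin'
# Author names to flag in plugin headers (from the article; extended regex).
SUSPECT_AUTHORS='Essential Plugin|WP Online Support'
# Constructs that a normal wp-config.php never contains (heuristic).
SUSPECT_CONFIG_PATTERNS='eval\(|base64_decode\(|gzinflate\(|str_rot13\(|file_get_contents\(|Googlebot'

# List plugin directories under $1/wp-content/plugins whose name is a suspect
# slug, or whose PHP header carries "Author: <suspect author>".
find_suspect_plugins() {
    plugins_dir="$1/wp-content/plugins"
    [ -d "$plugins_dir" ] || return 0
    for dir in "$plugins_dir"/*/; do
        [ -d "$dir" ] || continue
        slug=$(basename "$dir")
        if printf '%s\n' "$SUSPECT_SLUGS" | grep -qxF -- "$slug"; then
            printf 'slug-match %s\n' "$slug"
        elif grep -qsE "^[[:space:]*]*Author:[[:space:]]*($SUSPECT_AUTHORS)" "$dir"*.php; then
            printf 'author-match %s\n' "$slug"
        fi
    done
}

# Print numbered lines of wp-config.php that match the suspect patterns.
scan_wp_config() {
    cfg="$1/wp-config.php"
    [ -f "$cfg" ] || return 0
    grep -nE "$SUSPECT_CONFIG_PATTERNS" "$cfg" || true
}

# Locate wp-comments-posts.php anywhere under the install. Note the name:
# WordPress core ships wp-comments-post.php (singular) in the site root, so
# the plural form is not a core file.
find_stray_comment_files() {
    find "$1" -type f -name 'wp-comments-posts.php' 2>/dev/null
}

audit_wordpress() {
    root=${1:-.}
    echo "== suspect plugin directories"
    find_suspect_plugins "$root"
    echo "== wp-config.php findings (line:content)"
    scan_wp_config "$root"
    echo "== stray wp-comments-posts.php files"
    find_stray_comment_files "$root"
}

if [ $# -gt 0 ]; then
    audit_wordpress "$1"
fi
```

Run it against every document root, not only the ones listed in your dashboard, since the article's point is that an install left on disk keeps executing even after the directory listing is gone. A hit in wp-config.php is something to read and clean by hand; this script only points at the line.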