More than 30 WordPress plugins from the EssentialPlugin package have been compromised with malicious code that gives attackers unauthorized access to websites using them.
The issue is particularly concerning because many of these plugins have hundreds of thousands of active installations, putting a large number of sites at risk.
The backdoor was planted as early as August 2025, shortly after the plugin collection was acquired by a new owner in a six-figure deal. It then remained dormant for months before being quietly activated through recent updates pushed to users. Once triggered, the malware began contacting an external command and control server to receive instructions.
Security researcher Austin Ginder first discovered the problem after being alerted to suspicious behavior in one of the plugins. His deeper investigation revealed that all plugins in the EssentialPlugin suite had been affected. The injected code downloads a file named wp-comments-posts.php, which mimics a legitimate WordPress file but instead injects malicious content into the critical wp-config.php file.
What makes this attack particularly difficult to detect is its stealth. The malware is designed to stay invisible to site owners and only display spam content to search engine crawlers like Googlebot. This allows attackers to generate spam pages, insert hidden links, and create redirects without the website owner noticing anything unusual.
The system also uses Ethereum-based address resolution for its command and control infrastructure, adding another layer of evasion. Depending on instructions from the server, the infected sites can serve fake pages, spam links, or redirect visitors to malicious destinations.
Further analysis showed that the backdoor only activates under specific conditions, such as when a particular endpoint returns malicious data. This selective behavior helped it remain undetected for a long time.
WordPress.org responded quickly by removing the affected plugins and pushing forced updates to disable the malicious functionality. However, the WordPress.org team warned that this does not fully clean infected sites, especially if the wp-config.php file has already been modified. Administrators are advised to manually inspect their files and ensure no malicious code remains.
The team also cautioned that while the fake wp-comments-posts.php file is a known indicator, the malware could be hiding in other locations as well, making a full security audit essential for any affected site.
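As an added example (not code from the article, the researcher, or WordPress.org), the script below checks a WordPress install for the two indicators named above: any file called wp-comments-posts.php (stock WordPress ships wp-comments-post.php, singular) and code that does not belong in wp-config.php. The loader patterns it flags are a generic heuristic for injected PHP, not a signature of this malware, and the sample install it scans is constructed inline.

```python
import re
import tempfile
from pathlib import Path

# Indicator named in the article: stock WordPress ships wp-comments-post.php (singular);
# the plural name is the dropped file. wp-settings.php is the only include a stock
# wp-config.php performs. SUSPICIOUS is a generic heuristic for injected PHP loaders
# (assumption), not a signature of this malware, which the article does not publish.
FAKE_FILE = "wp-comments-posts.php"
ALLOWED_INCLUDE = "wp-settings.php"
SUSPICIOUS = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|file_get_contents|curl_exec|shell_exec)\s*\(", re.I)
INCLUDE = re.compile(r"\b(include|require)(_once)?\b", re.I)

def find_fake_files(root):
    """Relative paths of every wp-comments-posts.php under root, wherever it was dropped."""
    return sorted(p.relative_to(root).as_posix() for p in Path(root).rglob(FAKE_FILE))

def audit_config_lines(lines):
    """(line_no, text) for wp-config.php lines that look injected: dangerous calls,
    includes of anything but wp-settings.php, or code after that final require_once."""
    findings, seen_settings = [], False
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith(("/*", "*", "//", "#")):
            continue  # blank or comment line
        foreign_include = INCLUDE.search(line) and ALLOWED_INCLUDE not in line
        if SUSPICIOUS.search(line) or foreign_include or seen_settings:
            findings.append((n, line))
        if ALLOWED_INCLUDE in line:
            seen_settings = True
    return findings

# Constructed sample: a stock-shaped wp-config.php plus one appended loader line.
STOCK_CONFIG = """<?php
/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) { define( 'ABSPATH', __DIR__ . '/' ); }
require_once ABSPATH . 'wp-settings.php';
"""
INJECTED_LINE = "@include_once ABSPATH . 'wp-content/plugins/sample-plugin/wp-comments-posts.php';\n"

def demo():
    """Build the constructed sample install in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp())
    plugin = root / "wp-content" / "plugins" / "sample-plugin"
    plugin.mkdir(parents=True)
    (plugin / FAKE_FILE).write_text("<?php /* stand-in for the dropped file */\n")
    (root / "wp-config.php").write_text(STOCK_CONFIG + INJECTED_LINE)
    config_lines = (root / "wp-config.php").read_text(errors="replace").splitlines()
    return {"fake_files": find_fake_files(root), "wp_config": audit_config_lines(config_lines)}
```

Run `find_fake_files` and `audit_config_lines` against a real install's root and wp-config.php; a clean result does not prove the site is clean, since the team notes the malware can hide in other locations.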