The WordPress platform has been hacked, which has led to malware spreading to thousands of websites



The breach of EssentialPlugin, a popular suite of WordPress plugins, affected thousands of websites. This means these sites may be distributing malware that allows attackers to gain unauthorized access to your site. We'll explain what this malware is, how it can affect you, and what to do if your website is compromised.

This vulnerability was discovered by security researcher Austin Ginder. You can check out his post on Anchor Hosting, where he details what happened and provides a list of affected plugins. This isn't a new issue; the attacker introduced the malware in August 2025 but only recently began distributing it to users via updates.

The malware lets an attacker generate random email pages, cause malicious redirects, and direct users to different websites, all managed through a command and control server. The vulnerability affects thousands of websites due to the large number of sites using EssentialPlugin plugins. In total, more than 30 plugins were affected.

Austin Ginder discovered this issue after receiving a notification about a WordPress plugin containing code that allowed third-party access. He then launched an investigation and confirmed that it was a security vulnerability present in the EssentialPlugin package since August 2025, when the project's ownership changed.

It's worth noting that EssentialPlugin includes numerous add-ons used by countless websites. For example, it features a news feed to display the latest articles, as well as image galleries, marketing tools, templates, and SEO tools.

...This backdoor, which had been in place for months, was inactive until recently, when it was activated and silently connected to the external infrastructure to obtain a file called wp-comments-posts.php, which injects malware into wp-config.php.

The owners of the affected websites did not notice any changes to their sites. It is a stealthy malware program, capable of remaining undetected. Depending on the instructions it receives, it can post spam links, redirect users, or create fake pages.

According to an analysis by PatchStack, a WordPress security platform, published on April 15, the backdoor only works if analytics.essentialplugin.com returns chained malicious content.

WordPress quickly disabled or updated the affected plugins. However, some developers pointed out that this action does not delete the main wp-config file, which is responsible for connecting websites to their databases.

Furthermore, WordPress indicates that although one known location of the vulnerability is a file called wp-comments-posts.php, which is similar to the original wp-comments-post.php file, the malware may be hidden in other files.

If you have a website and use EssentialPlugin plugins, the best precaution is to temporarily disable them. It's essential to conduct a thorough audit, verify the developer's identity, and ensure the plugins are properly updated. Be wary of plugins that have changed ownership.
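As a starting point for that audit, the following is an added example, not code from the article, WordPress, PatchStack or the researcher. It walks a WordPress directory and flags the file name and host name mentioned above, plus root-level PHP files whose names nearly match a core file, which goes beyond the single lookalike the article names. The function names, reason labels, core file list (a stock install layout) and the sample tree are assumptions constructed for illustration.

```python
import difflib
import tempfile
from pathlib import Path

BAD_NAME = "wp-comments-posts.php"          # file name given in the article
C2_HOST = b"analytics.essentialplugin.com"  # host name given in the article
# PHP files of a stock WordPress root (assumption: default install layout)
CORE_ROOT = ["index.php", "wp-activate.php", "wp-blog-header.php",
             "wp-comments-post.php", "wp-config.php", "wp-config-sample.php",
             "wp-cron.php", "wp-links-opml.php", "wp-load.php", "wp-login.php",
             "wp-mail.php", "wp-settings.php", "wp-signup.php",
             "wp-trackback.php", "xmlrpc.php"]

def audit(wp_root):
    """Return sorted (reason, relative path) pairs that need manual review."""
    root, findings = Path(wp_root), set()
    for path in root.rglob("*.php"):
        rel, name = path.relative_to(root).as_posix(), path.name
        if name == BAD_NAME:
            findings.add(("known-bad-name", rel))
        elif (path.parent == root and name not in CORE_ROOT and
              difflib.get_close_matches(name, CORE_ROOT, n=1, cutoff=0.9)):
            # Near-miss of a core file name, e.g. one added letter
            findings.add(("core-lookalike", rel))
        try:
            if C2_HOST in path.read_bytes():
                findings.add(("references-host", rel))
        except OSError:
            findings.add(("unreadable", rel))
    return sorted(findings)

def demo():
    """Audit a constructed site tree (harmless placeholder files only)."""
    files = {
        "wp-config.php": "<?php // constructed config\n",
        "wp-comments-post.php": "<?php // genuine core file name\n",
        "wp-comments-posts.php": "<?php // constructed placeholder\n",
        "wp-logins.php": "<?php // constructed lookalike\n",
        "wp-content/plugins/sample/stats.php":
            "<?php $u = 'https://analytics.essentialplugin.com/';\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return audit(tmp)

if __name__ == "__main__":
    for reason, rel in demo():
        print(f"{reason:16} {rel}")
```

A hit is a prompt for manual review of that file. An empty result does not clear a site, because the code injected into wp-config.php is not described here and the malware may sit in other files.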

There is currently no official statement from EssentialPlugin regarding this issue. However, the number of installations is estimated to be between 20,000 and 60,000.

