
Still Running WordPress? What the 30-Plugin Backdoor Attack Means for Your Business Website

Someone bought 30 WordPress plugins, waited eight months, and turned them into backdoors on hundreds of thousands of business websites. Here is what that means if you still run WordPress.

In early 2025, someone paid a six-figure sum on Flippa for a portfolio of 30 WordPress plugins. Normal plugins. WP Testimonial, WP Team Showcase, Countdown Timer Ultimate, WP FAQ. Small utilities that sit on hundreds of thousands of business websites, usually installed years ago and forgotten.

Then they planted a backdoor and waited eight months. On April 5, 2026, they activated it. If you run WordPress and had any of those plugins installed, your site was delivering spam to Google for roughly 48 hours before WordPress.org pulled the emergency lever.

What the attack actually did

The compromised plugins quietly downloaded a file named wp-comments-posts.php, one letter off from the real WordPress core file wp-comments-post.php. That extra letter was the only visual tell, and it is easy to miss in a directory listing.

The backdoor then wrote new code into wp-config.php, the file that holds your database credentials and security keys and that WordPress loads on every single request. From there it pulled SEO spam from a command server and injected hidden links, redirects, and fake pages into your site. The spam was cloaked: only requests that looked like Googlebot received it. You, logged into your admin panel or browsing the site as a normal visitor, saw nothing.
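The cloaking described above can be checked from outside the server. The script below is an added example, not code from the article or from WordPress: it fetches the same page as a normal browser and as a crawler, and reports links that only the crawler is shown. The two User-Agent strings, the fetch helper and the sample HTML pages are constructed for this illustration.

```python
"""Cloaking check: compare a page as a browser sees it with the same page
as served to a crawler, and report links only the crawler receives.

Added example, not code from the original article. The User-Agent strings
and the sample HTML below are constructed for illustration.
"""
import urllib.request
from html.parser import HTMLParser

# Assumed user agents: a generic desktop browser and the string Google
# documents for its desktop crawler. Both are constructed here for the example.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/124.0"
GOOGLEBOT_UA = ("Mozilla/5.0 (compatible; Googlebot/2.1; "
                "+http://www.google.com/bot.html)")


class LinkCollector(HTMLParser):
    """Collect href targets and their anchor text from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = {}      # href -> anchor text
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._current = href
                self.links.setdefault(href, "")

    def handle_data(self, data):
        if self._current is not None:
            self.links[self._current] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def cloaked_links(browser_html, bot_html):
    """Return {href: anchor_text} for links served to the crawler but not to
    the browser. A non-empty result is the signature of SEO cloaking."""
    seen_by_browser = extract_links(browser_html)
    seen_by_bot = extract_links(bot_html)
    return {h: t for h, t in seen_by_bot.items() if h not in seen_by_browser}


def fetch(url, user_agent, timeout=15):
    """Fetch url with the given User-Agent. This is the only network call;
    the offline demo below does not use it."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_site(url):
    """Live check of one URL: links that appear only for the crawler."""
    return cloaked_links(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA))


# Constructed sample: the page as a browser sees it, and the same page as a
# cloaking backdoor would serve it to Googlebot (hidden spam block appended).
SAMPLE_BROWSER = """<html><body>
<a href="/about">About us</a>
<a href="/contact">Contact</a>
</body></html>"""

SAMPLE_BOT = SAMPLE_BROWSER.replace("</body>", """
<div style="position:absolute;left:-9999px">
<a href="https://example.invalid/casino">best online casino</a>
<a href="https://example.invalid/pharma">cheap pills</a>
</div></body>""")

if __name__ == "__main__":
    for href, text in cloaked_links(SAMPLE_BROWSER, SAMPLE_BOT).items():
        print(f"cloaked link: {href!r} ({text!r})")
```

Run `check_site("https://your-site.example/")` against a few of your own URLs. One caveat: a backdoor that verifies crawlers by IP address rather than User-Agent will not reveal itself to a spoofed request, so also use the URL Inspection tool in Google Search Console, whose "view crawled page" shows the HTML Google actually received.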

The goal was black-hat SEO. Your website’s Google reputation gets used to rank casino, pharma, or whatever the buyer of that spam is selling. When Google notices, your rankings collapse. Recovery takes weeks.

WordPress.org pushed a forced update on April 7 to cut the backdoor's phone-home. But the update did not clean wp-config.php. If you were hit, your site still has malicious code sitting in the most sensitive file on your server, and removing it requires a manual review of that file, plus a search for the dropped wp-comments-posts.php, that you cannot outsource to a cleanup plugin.

Why this keeps happening

Most coverage framed this as a sophisticated attack. It was not. It was the WordPress plugin ecosystem doing exactly what it was designed to do, operated by someone with the wrong intent.

Plugins are written by strangers. They get sold. Ownership transfers are invisible to you. When a plugin you installed in 2022 changes hands in 2025, nobody tells you. The next auto-update pushes whatever the new owner ships, straight onto your live website, with full write access to your database.

That is the model. It works because most plugin authors are honest. It breaks the moment one of them is not, or sells to someone who is not. You find out when your rankings drop or when a customer asks why your site redirects to a pharmacy.

This specific attacker even solved the takedown problem. The plugins looked up their command server through an Ethereum smart contract rather than a hard-coded domain, so there was no domain for authorities to seize or sinkhole, and the attacker could point the contract at a new server whenever one was taken down. If WordPress.org had not acted within 48 hours, the spam would have kept flowing.

Why we do not build on WordPress

We looked at this tradeoff before we built a single client site. WordPress has real strengths, but the default answer to “who can push code to your live website” is “a rotating cast of contributors you have never met.” For a business website where a broken form or a blacklisted domain costs you leads every day, that is not an acceptable risk model.

Essential Web sites run on a stack where every piece of code is explicit, reviewed, and version-pinned. Updates go through us, not through a third party’s GitHub. There is no plugin marketplace. No auto-installed dependencies from unknown authors. When something changes on your website, we wrote the change.

That means less flexibility if you want to bolt on twenty features. It also means a plugin you installed in 2022 cannot become a backdoor in 2026, because there is no plugin.

What to do if you are on WordPress right now

Four checks, in this order:

  1. List every active plugin and check its “last updated” and “tested up to” fields. Plugins that have not been updated in a year, or that changed maintainer recently, are the highest risk. Note that the plugins in this attack were being updated, so a fresh update date alone proves nothing; a change of author on the plugin’s WordPress.org page, or a burst of updates after a long quiet period, is the signal to look for.
  2. Review wp-config.php for code that should not be there. In a normal install, nothing follows the “That's all, stop editing!” comment except the ABSPATH definition and the require of wp-settings.php; any include, eval, or base64_decode anywhere in the file needs explaining. While you are on the server, search the whole document root for wp-comments-posts.php. If you cannot read PHP, ask someone who can. Do not trust a cleanup plugin to tell you it is clean.
  3. Find out who is actually responsible for your updates. If the answer is “nobody” or “I think my developer does it,” that is the real problem, separate from this attack.
  4. Check Google Search Console for manual actions or unusual indexed URLs. Spam pages show up there before they show up anywhere else.
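Steps 1 and 2 can be started with a script run on the server itself. The one below is an added example, not tooling from the article, WordPress, or any plugin: it walks the document root for the typo-squatted file name the article describes and reports lines in wp-config.php that need a human look. The “stop editing” marker and the list of suspicious PHP functions are assumptions a reviewer would start from, not a complete malware signature set, and the sample install it builds is a constructed fixture.

```python
"""Offline triage for a WordPress install: look for the one-letter-off file
the article describes and for code in wp-config.php that does not belong.

Added example, not the article's or WordPress's own tooling. The heuristics
(the "stop editing" marker, the suspicious-function list) are assumptions
a reviewer would start from, not a complete malware signature set.
"""
import os
import re
import tempfile

# The real core file and the one-letter-off name the article describes.
CORE_FILE = "wp-comments-post.php"
TYPO_FILE = "wp-comments-posts.php"

# wp-config-sample.php ends with this comment, followed only by the ABSPATH
# guard and the require of wp-settings.php. Anything else after it is odd.
STOP_MARKER = re.compile(r"That's all, stop editing!")
EXPECTED_TAIL = re.compile(
    r"^\s*$|^\s*(//|#|/\*|\*)|defined\(\s*'ABSPATH'\s*\)|"
    r"define\(\s*'ABSPATH'|require_once\s+ABSPATH\s*\.\s*'wp-settings\.php'|"
    r"^\s*[{}]\s*$"
)

# Functions that have no business in a config file (assumed watchlist).
SUSPICIOUS = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|curl_exec|file_get_contents|"
    r"file_put_contents|create_function|assert)\s*\(|"
    r"\binclude(_once)?\b|\brequire(_once)?\b"
)


def check_typo_file(root):
    """Return the path of every wp-comments-posts.php found under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == TYPO_FILE:
                hits.append(os.path.join(dirpath, name))
    return hits


def check_wp_config(path):
    """Return (line_no, line) pairs in wp-config.php that need a human look:
    suspicious calls anywhere, and unexpected code after the stop marker."""
    findings = []
    after_marker = False
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            stripped = line.rstrip("\n")
            if STOP_MARKER.search(stripped):
                after_marker = True
                continue
            expected = bool(EXPECTED_TAIL.search(stripped))
            if expected:
                continue
            if SUSPICIOUS.search(stripped) or after_marker:
                findings.append((no, stripped))
    return findings


def scan(root):
    """Run both checks on a document root; returns a dict to act on."""
    cfg = os.path.join(root, "wp-config.php")
    return {
        "typo_files": check_typo_file(root),
        "config_findings": check_wp_config(cfg) if os.path.exists(cfg) else [],
    }


def build_sample_site(infected=True):
    """Constructed fixture: a minimal install, optionally with both indicators."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    plugin_dir = os.path.join(root, "wp-content", "plugins", "some-plugin")
    os.makedirs(plugin_dir)
    config = [
        "<?php",
        "define( 'DB_NAME', 'example_db' );",
        "define( 'DB_USER', 'example_user' );",
        "/* That's all, stop editing! Happy publishing. */",
        "if ( ! defined( 'ABSPATH' ) ) {",
        "\tdefine( 'ABSPATH', __DIR__ . '/' );",
        "}",
        "require_once ABSPATH . 'wp-settings.php';",
    ]
    if infected:
        with open(os.path.join(plugin_dir, TYPO_FILE), "w") as fh:
            fh.write("<?php /* constructed dropper stand-in, not real malware */\n")
        config += [
            "// constructed injected tail, not real malware:",
            "@include_once ABSPATH . 'wp-content/plugins/some-plugin/" + TYPO_FILE + "';",
        ]
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("\n".join(config) + "\n")
    return root


if __name__ == "__main__":
    result = scan(build_sample_site())
    print("typo files:", result["typo_files"])
    for no, line in result["config_findings"]:
        print(f"wp-config.php:{no}: {line}")
```

Point `scan()` at the real document root (for example `scan("/var/www/html")`) and read every reported line yourself; a hit from the first check is a strong indicator, a hit from the second is a line to explain, not automatically malware. For the inventory in step 1, `wp plugin list` on the server gives you the installed set to compare against each plugin’s WordPress.org page.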

If your website is the top of your sales funnel, running it on plugins from strangers is a business decision, not a technical one. A subscription website with maintenance built in is one alternative. WordPress with a real operator actively maintaining it is another. Doing neither is the option the attacker was counting on.

More on what website maintenance actually means in practice: What happens to your website after launch.

If your website has become a bottleneck, let’s talk!

Get in touch