On April 7, 2026, the WordPress security team took a massive and rare step: they permanently shut down 31 different plugins owned by a single developer group.
If you find that your site was running one of the “Essential Plugin” tools or you have spotted suspicious behavior, you must act fast. Here is what to do.
1. The Immediate Clean-up
The first step is removing the entry point.
- Delete the plugin: Do not just deactivate it. Delete the entire folder via your WordPress dashboard or FTP. These plugins are dead. They will never be safe to use again in their current form.
- Scrub wp-config.php: This is the most important step. Open your wp-config.php file and look for a massive block of code that does not belong there. It is usually around 6KB. Delete that block entirely.
- Check for wp-comments-posts.php: Look in your root directory for a file named wp-comments-posts.php. Note the "s" at the end of "comments": the genuine core file is wp-comments-post.php. This is a fake file created by the malware to look like a core WordPress file. Delete it immediately.
- Create a backup first: Before you start deleting anything, take a backup of the infected site. It sounds counterintuitive, but it gives you evidence of what happened and a rollback point if something breaks during cleanup. Just never restore from it.
- Check file modification timestamps: Run a command like find /your/site -newer wp-config.php -type f to surface any files modified during the attack window. Run it before you edit wp-config.php yourself, because find compares every file against that file's current modification time. A scanner may miss these.
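The three file-system checks above (files newer than wp-config.php, the fake core file, and a foreign block inside wp-config.php) can be run as one triage pass. The script below is an added example written for this guide, not code from the WordPress team or from any scanner; it builds a constructed throw-away site tree with the artifacts described above so it runs offline. The long-line and obfuscation-call heuristics for wp-config.php are an assumption about what an injected block tends to look like, not a signature for this specific malware.

```python
"""Post-compromise file-system triage for a WordPress root (added example)."""
import os
import re
import tempfile
import time
from pathlib import Path

# Assumed heuristics (not from the guide): injected blocks are usually one very
# long line and/or wrap their payload in a decode/eval call.
OBFUSCATION_RE = re.compile(r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
LONG_LINE = 500
REAL_CORE = "wp-comments-post.php"   # genuine core file, no trailing 's'
FAKE_CORE = "wp-comments-posts.php"  # look-alike named in the guide


def files_newer_than_config(root):
    """Same idea as `find /your/site -newer wp-config.php -type f`.

    Run this BEFORE editing wp-config.php: the reference point is its current mtime.
    """
    root = Path(root)
    ref = (root / "wp-config.php").stat().st_mtime
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.name != "wp-config.php" and p.stat().st_mtime > ref
    )


def fake_core_files(root):
    """Report the fake core file if it sits in the site root."""
    return [FAKE_CORE] if (Path(root) / FAKE_CORE).is_file() else []


def wp_config_findings(root):
    """Flag lines in wp-config.php that look injected rather than hand-written."""
    findings = []
    path = Path(root) / "wp-config.php"
    for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
        if len(line) > LONG_LINE:
            findings.append(f"line {lineno}: {len(line)}-char line")
        m = OBFUSCATION_RE.search(line)
        if m:
            findings.append(f"line {lineno}: obfuscation call {m.group(1)}")
    return findings


def triage(root):
    """Run all three checks and return the findings keyed by check."""
    return {
        "files_newer_than_config": files_newer_than_config(root),
        "fake_core_files": fake_core_files(root),
        "wp_config_findings": wp_config_findings(root),
    }


def build_sample_site():
    """Constructed sample tree: a few core-like files plus the artifacts from the guide."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
    (root / REAL_CORE).write_text("<?php // constructed stand-in for the genuine core file\n")
    (root / "wp-config.php").write_text(
        "<?php\n"
        "define('DB_NAME', 'wp');\n"
        "/* constructed stand-in for the injected block */\n"
        "$x = base64_decode('Li4u'); eval($x);\n"
        "require_once ABSPATH . 'wp-settings.php';\n"
    )
    (root / FAKE_CORE).write_text("<?php // constructed stand-in for the malware's fake file\n")
    (root / "wp-content" / "uploads" / "cache.php").write_text("<?php // constructed: dropped later\n")
    # Make the attack window explicit: wp-config.php modified at t0, dropped
    # files after it, untouched files before it.
    t0 = time.time() - 86400
    for rel, t in {
        "index.php": t0 - 3600,
        REAL_CORE: t0 - 3600,
        "wp-config.php": t0,
        FAKE_CORE: t0 + 120,
        "wp-content/uploads/cache.php": t0 + 60,
    }.items():
        os.utime(root / rel, (t, t))
    return root


if __name__ == "__main__":
    for key, value in triage(build_sample_site()).items():
        print(key, value)
```

On a real site point triage() at the document root instead of build_sample_site(); treat every hit under files_newer_than_config as something to open and explain, not as proof of infection on its own, since a legitimate plugin update in the same window produces the same signal.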
2. Reset Your Credentials
Once the site is clean, you need to make sure the hacker can’t go back.
- Change Admin Passwords: Force a password reset for every administrator account on the site.
- Look for unfamiliar admin accounts: Go to Users → All Users and look for any unfamiliar accounts with the Administrator role. This is especially critical for victims of these plugins, as the malware created hidden admin accounts that survive plugin deletion.
- Update Salt Keys: Go to the official WordPress Salt Tool to generate new security keys. Paste these into your wp-config.php. This will log everyone out of the site. It also kicks out any hackers with active sessions.
- Rotate Database Credentials: Change your database password via your hosting panel and update it in wp-config.php.
- Notify your host: Your hosting provider may have server-level logs showing exactly what the attacker accessed. Managed WordPress hosts often have security teams who can assist directly.
3. Repair Your SEO
Since this hack used cloaking to show spam to Google, your search rankings are likely in trouble.
- Check your Sitemaps in Google Search Console: Attackers often submit fake sitemaps with thousands of spam links to get them indexed faster.
- Fetch as Google: Use Google Search Console to “Inspect” your URL. If Google still sees pharma or gambling links, your cleanup was not thorough enough.
- Request Re-indexing: Once you are 100% sure the code is gone, click “Request Indexing.” This tells Google to look at your real content again.
4. Scan for Other "Sleepers"
Supply chain attacks often come in waves. If you were hit by this one, you might be a target for others.
- Install a Security Scanner: Use a tool like Wordfence or MalCare to run a deep server-side scan. They will check if any other files like index.php or your theme files were modified.
- Check your database: Attackers sometimes hide persistence in the database itself, specifically in the wp_options table under active_plugins or cron. A database scan is just as important as a file scan.
- Check your Cron Jobs: Sometimes malware schedules itself to re-infect your site every 24 hours. A reputable security plugin will help you find and kill these scheduled tasks.
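WordPress stores both active_plugins and cron as PHP-serialized arrays in wp_options, so checking them by hand means decoding that format. The script below is an added example for this guide, not code from WordPress or from any security plugin: it decodes the two rows, flags active_plugins entries that point outside wp-content/plugins or to a file that no longer exists on disk (a deleted plugin still listed, or an injected entry), and lists cron events whose hook is neither a core hook nor one you have vouched for. The plugin slug "essential-example", the hook name "reinfect_sweeper" and the row contents are constructed placeholders; the core-hook allowlist is a starting point, not an exhaustive list.

```python
"""Audit persistence hidden in wp_options (active_plugins, cron). Added example."""
import posixpath

# Core WordPress cron hooks: a starting allowlist, extend it with hooks from
# plugins you actually trust.
CORE_CRON_HOOKS = {
    "wp_version_check", "wp_update_plugins", "wp_update_themes",
    "wp_scheduled_delete", "delete_expired_transients",
    "wp_scheduled_auto_draft_delete", "recovery_mode_clean_expired_keys",
    "wp_privacy_delete_old_export_files", "wp_site_health_scheduled_check",
}


def php_serialize(v):
    """Minimal PHP serialize() for the types wp_options rows use."""
    if v is None:
        return "N;"
    if isinstance(v, bool):
        return f"b:{int(v)};"
    if isinstance(v, int):
        return f"i:{v};"
    if isinstance(v, float):
        return f"d:{v};"
    if isinstance(v, str):
        return f's:{len(v.encode())}:"{v}";'
    if isinstance(v, list):
        v = dict(enumerate(v))
    if isinstance(v, dict):
        body = "".join(php_serialize(k) + php_serialize(x) for k, x in v.items())
        return f"a:{len(v)}:{{{body}}}"
    raise TypeError(f"unsupported type {type(v).__name__}")


def php_unserialize(data):
    """Minimal PHP unserialize(): scalars and arrays only, no objects.

    String lengths are byte counts; feed ASCII or latin-1-decoded data.
    """
    def parse(pos):
        t = data[pos]
        if t == "N":
            return None, pos + 2
        if t in "ib":
            end = data.index(";", pos)
            n = int(data[pos + 2:end])
            return (bool(n) if t == "b" else n), end + 1
        if t == "d":
            end = data.index(";", pos)
            return float(data[pos + 2:end]), end + 1
        if t == "s":
            colon = data.index(":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2                      # skip ':"'
            return data[start:start + length], start + length + 2  # skip '";'
        if t == "a":
            colon = data.index(":", pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2                        # skip ':{'
            items = []
            for _ in range(count):
                key, pos = parse(pos)
                val, pos = parse(pos)
                items.append((key, val))
            pos += 1                               # skip '}'
            if all(k == i for i, (k, _) in enumerate(items)):
                return [val for _, val in items], pos   # PHP list -> Python list
            return dict(items), pos
        raise ValueError(f"unsupported type {t!r} at offset {pos}")
    value, _ = parse(0)
    return value


def audit_active_plugins(entries, installed):
    """`installed`: set of plugin files that really exist under wp-content/plugins."""
    findings = []
    for e in entries:
        if e.startswith("/") or posixpath.normpath(e).startswith("..") or not e.endswith(".php"):
            findings.append((e, "points outside wp-content/plugins or is not a .php file"))
        elif e not in installed:
            findings.append((e, "not present on disk (deleted plugin still listed, or injected entry)"))
    return findings


def audit_cron(cron, known_hooks=frozenset()):
    """Return (timestamp, hook, schedule) for events with an unvouched-for hook."""
    findings = []
    for ts, hooks in cron.items():
        if ts == "version":                        # metadata key, not an event
            continue
        for hook, instances in hooks.items():
            if hook in CORE_CRON_HOOKS or hook in known_hooks:
                continue
            for inst in instances.values():
                findings.append((ts, hook, inst.get("schedule")))
    return findings


def audit(rows, installed, known_hooks=frozenset()):
    return {
        "active_plugins": audit_active_plugins(php_unserialize(rows["active_plugins"]), installed),
        "cron": audit_cron(php_unserialize(rows["cron"]), known_hooks),
    }


def build_sample_rows():
    """Constructed wp_options rows, serialized the way WordPress stores them."""
    active = [
        "akismet/akismet.php",
        "essential-example/essential-example.php",  # placeholder slug for a removed plugin
        "../uploads/.cache/loader.php",             # constructed injected entry
    ]
    cron = {
        1700000000: {"wp_version_check": {"a" * 32: {"schedule": "twicedaily", "args": [], "interval": 43200}}},
        1700003600: {"reinfect_sweeper": {"b" * 32: {"schedule": "daily", "args": [], "interval": 86400}}},
        "version": 2,
    }
    return {"active_plugins": php_serialize(active), "cron": php_serialize(cron)}


if __name__ == "__main__":
    print(audit(build_sample_rows(), installed={"akismet/akismet.php"}))
```

On a real site, pull the two rows with your database client (or wp option get active_plugins and wp option get cron with WP-CLI) and build `installed` from a walk of wp-content/plugins after you have deleted the dead plugins; a plugin that is gone from disk but still listed, or a cron hook you cannot attribute to a plugin you trust, is exactly the kind of sleeper the section above warns about.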