
Hundreds of thousands of WordPress sites just got hacked


Status: Confirmed / Supply Chain Attack
Date: April 7, 2026

When did this attack happen?

This was a staged operation that lasted over a year:

  • Early 2025: An attacker purchased the Essential Plugin company and its 31 plugins on the Flippa marketplace.
  • August 8, 2025: The attacker released version 2.6.7 of the plugins. This update was disguised as a fix for WordPress 6.8 compatibility, but it contained the hidden backdoor.
  • April 5 to April 6, 2026: The malware was triggered. For 6 hours and 44 minutes, the plugins downloaded malicious payloads to thousands of active sites.
  • April 7, 2026: The WordPress security team discovered the threat and banned all 31 plugins from the official directory.
  • April 15 to April 16, 2026: Security experts finished an audit and released the full technical details to the public. This is when the story became global news.

How did it happen?

The attacker used a business deal instead of a technical exploit to gain access.

The attacker bought trusted plugins on a marketplace. This let them send updates directly to hundreds of thousands of sites. Because the updates came from a trusted source, they did not look suspicious.

A backdoor was added to the code but left dormant for 8 months. This helped the update pass security scans and spread to more sites without being caught.

The malware used a decentralized Ethereum smart contract for instructions. Instead of a normal web address that is easy to block, the code checked the blockchain. This let the attacker move their server location instantly.

The malware used cloaking to stay hidden. This is a technique where a website shows different content to search engines than it shows to human visitors. When the site owner or a customer visited the page, the malware did nothing, so everything looked normal. However, when the Google search bot visited the site, the malware showed hidden spam and malicious links. This allowed the hacker to use the site for illegal activity while keeping the owner completely unaware of the hack.

Which plugins were affected?

If you have any of these plugins installed, remove them immediately. The WordPress repository has permanently closed all of them:

  • Audio Player with Playlist Ultimate (audio-player-with-playlist-ultimate)
  • Accordion and Accordion Slider (accordion-and-accordion-slider)
  • Album and Image Gallery Plus Lightbox (album-and-image-gallery-plus-lightbox)
  • Blog Designer – Post and Widget (blog-designer-for-post-and-widget)
  • Countdown Timer Ultimate (countdown-timer-ultimate)
  • Featured Post Creative (featured-post-creative)
  • Footer Mega Grid Columns – For Legacy / Classic / Old Widget Screen (footer-mega-grid-columns)
  • Hero Banner Ultimate (hero-banner-ultimate)
  • Video gallery and Player (html5-videogallery-plus-player)
  • Meta Slider and Carousel with Lightbox (meta-slider-and-carousel-with-lightbox)
  • Portfolio and Projects (portfolio-and-projects)
  • Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions (popup-anything-on-click)
  • Post grid and filter ultimate (post-grid-and-filter-ultimate)
  • Preloader for Website (preloader-for-website)
  • Post Category Image With Grid and Slider (post-category-image-with-grid-and-slider)
  • Product Categories Designs for WooCommerce (product-categories-designs-for-woocommerce)
  • WP responsive FAQ with category plugin (sp-faq)
  • Styles For WP Pagenavi Addon – Better design for post pagination (styles-for-wp-pagenavi-addon)
  • Slider a SlidersPack – Image Slider, Post Slider, ACF Gallery Slider (sliderspack-all-in-one-image-sliders)
  • WP News and Scrolling Widgets (sp-news-and-widget)
  • Post Ticker Ultimate (ticker-ultimate)
  • Timeline and History slider (timeline-and-history-slider)
  • Product Slider and Carousel with Category for WooCommerce (woo-product-slider-and-carousel-with-category)
  • Trending/Popular Post Slider and Widget (wp-trending-post-slider-and-widget)
  • WP Testimonial with Widget (wp-testimonial-with-widget)
  • WP Featured Content and Slider (wp-featured-content-and-slider)
  • WP Blog and Widgets (wp-blog-and-widgets)
  • WP Responsive Recent Post Slider/Carousel (wp-responsive-recent-post-slider)
  • Team Carrusel and Team Grid Showcase plus Team Carousel (wp-team-showcase-and-slider)
  • WP Slick Slider and Image Carousel (wp-slick-slider-and-image-carousel)
  • WP Logo Showcase Responsive Slider and Carousel (wp-logo-showcase-responsive-slider-slider)

Note: This list covers the known “Essential Plugin” portfolio. If you notice any other plugin on your site that was permanently closed on April 7, 2026, it is highly likely it was part of this same supply chain attack. Treat any plugin closed on that specific date as a security risk and remove it at once.
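
A way to check a server for the plugins listed above, as an added example that is not from the original article or from WordPress: it looks for the listed slugs as directory names under wp-content/plugins and reads each plugin's Version header, so the result can be compared with the 2.6.7 release named in the timeline. The function names and the default path are assumptions.

```python
import re
import sys
from pathlib import Path

# Slugs copied from the list above (the directory name under wp-content/plugins).
AFFECTED_SLUGS = frozenset("""
audio-player-with-playlist-ultimate accordion-and-accordion-slider
album-and-image-gallery-plus-lightbox blog-designer-for-post-and-widget
countdown-timer-ultimate featured-post-creative footer-mega-grid-columns
hero-banner-ultimate html5-videogallery-plus-player portfolio-and-projects
meta-slider-and-carousel-with-lightbox popup-anything-on-click
post-grid-and-filter-ultimate preloader-for-website sp-faq
post-category-image-with-grid-and-slider sp-news-and-widget ticker-ultimate
product-categories-designs-for-woocommerce styles-for-wp-pagenavi-addon
sliderspack-all-in-one-image-sliders timeline-and-history-slider
woo-product-slider-and-carousel-with-category wp-blog-and-widgets
wp-trending-post-slider-and-widget wp-testimonial-with-widget
wp-featured-content-and-slider wp-responsive-recent-post-slider
wp-team-showcase-and-slider wp-slick-slider-and-image-carousel
wp-logo-showcase-responsive-slider-slider
""".split())

VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)

def plugin_version(plugin_dir):
    """Return the Version: header of the plugin's main file, or None."""
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # headers sit in the first 8 KB
        if "plugin name:" in head.lower():
            match = VERSION_RE.search(head)
            return match.group(1) if match else None
    return None

def find_affected(plugins_dir):
    """Return {slug: version} for every listed plugin present on disk."""
    root = Path(plugins_dir)
    if not root.is_dir():
        return {}
    return {d.name: plugin_version(d) for d in sorted(root.iterdir())
            if d.is_dir() and d.name in AFFECTED_SLUGS}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    for slug, version in find_affected(target).items():
        print(f"{slug}\tversion={version or 'unknown'}")
```

A plugin that is deactivated but still on disk is reported too, since its files remain on the server.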

Why deleting the plugin isn’t enough

The scariest part of this attack is that the damage persists even after the “Essential Plugin” is gone. Because the malware sat dormant for 8 months, it had plenty of time to dig deep into your site’s foundation.

When the backdoor was activated in early April, it didn’t just run code. It modified your site’s core configuration and injected a massive block of malicious PHP into your wp-config.php file.

The injected code is designed to:

  • Serve SEO Spam: It detects when a search engine bot (like Googlebot) visits and shows it thousands of fake pharmaceutical or gambling links.
  • Stay Invisible: It checks the “User Agent”. If you are a regular visitor or the site admin, you see a perfectly normal site. You won’t even know you’re hacked unless you check your search console.
  • Resist Takedowns: It uses a blockchain-based “Command and Control” system. By querying an Ethereum smart contract, the hacker can move their spam server to a new address instantly, making it impossible for security companies to block the source.
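
One way to test a site you run for the User-Agent cloaking described above, as an added example that is not from the original article: request the same URL once with a browser User-Agent and once with Googlebot's, then list the external link hosts that appear only in the crawler view. The sample HTML, the `.example` hosts and all function names are constructed for illustration.

```python
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

BOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
HUMAN_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0"
# Constructed sample responses for one URL (not captured from a real site).
HUMAN_VIEW = '<a href="/about">About</a> <a href="https://wordpress.org/">WP</a>'
BOT_VIEW = HUMAN_VIEW + ('<div><a href="https://pills.example/buy">rx</a>'
                         '<a href="https://casino.example/">bet</a></div>')

class _LinkHosts(HTMLParser):
    """Collect the hostname of every absolute <a href> in a document."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        try:
            host = urlparse(dict(attrs).get("href") or "").hostname
        except ValueError:  # malformed href, e.g. an unbalanced IPv6 bracket
            return
        if host:
            self.hosts.add(host.lower())

def external_hosts(html, site_host):
    """Hosts linked from the page, excluding the site and its subdomains."""
    parser = _LinkHosts()
    parser.feed(html)
    return {h for h in parser.hosts
            if h != site_host and not h.endswith("." + site_host)}

def cloaked_hosts(human_html, bot_html, site_host):
    """Hosts that appear only in the response served to the crawler UA."""
    return sorted(external_hosts(bot_html, site_host)
                  - external_hosts(human_html, site_host))

def fetch(url, user_agent):
    """GET a page of your own site with a chosen User-Agent header."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")

if __name__ == "__main__":
    print(cloaked_hosts(HUMAN_VIEW, BOT_VIEW, "blog.example"))
```

An empty result does not clear a site: the article only says the malware checks the User-Agent, and code that also checked the crawler's source address would not react to a spoofed header.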

WordPress Security is a Trade-off

The April 2026 attack exposes the fatal flaw in the WordPress ecosystem: blind trust. We are told that “updates” keep us safe, but lately, updates have become the primary weapon for supply chain attacks.

The danger exists because of how WordPress is built. When you install a plugin, it does not run in a sandbox. It gains the same high-level permissions as the WordPress core itself.

A plugin can read your database, modify your wp-config.php, and create new administrator accounts.

The system is designed to trust the developer implicitly. When you click “Update”, WordPress replaces your old files with new ones from the repository without any manual code review from you.

Hackers have realized that buying a trusted plugin is easier than bypassing a firewall. They are leveraging the update system to deliver malware directly to your server. In modern WordPress, the Update button is no longer just a security fix; it is a potential entry point for the next supply chain attack.


Disclaimer
All product names, logos, brands, and registered trademarks listed in this article are the property of their respective owners. Their use in this guide is for identification purposes only and does not imply endorsement by SharkofPot, nor does it imply that SharkofPot is affiliated with or sponsored by these companies.