April 28, 2026

30 WordPress Plugins Hacked


Check Your WordPress Site NOW!

A bundle of WordPress tools known as the “Essential Plugin” suite—covering features like countdown timers, popup builders, and testimonial widgets—was sold on the marketplace Flippa to a buyer identified only as “Kris.”

He bought the suite, and eight months later he used the backdoors he created to compromise thousands of sites.

Full story here.

Key Takeaways

  • A total of 31 WordPress plugins were quietly compromised after being sold to a malicious buyer. The injected malware stayed inactive for eight months before spreading across thousands of websites.
  • Well-known podcasting plugins like PowerPress, Yoast SEO, and Seriously Simple Podcasting were not impacted. The affected plugins were mostly general-purpose utility tools.
  • If your site uses anything from the “Essential Plugin” suite, it’s important to review it immediately and check for signs of compromise.
  • Every plugin you install introduces third-party code to your site. The more plugins you rely on, the more ongoing attention your site needs to remain secure.
  • Regardless of this incident, the best defense is simple: keep all plugins updated and remove anything you’re not actively using.



This podcast uses the following third-party services for analysis:

OP3 - https://op3.dev/privacy
