The Hidden Backdoor: How Hackers Hid in 44 WordPress Plugins for 13 Years

Security researchers found that a single attacker kept hidden malware inside 44 different WordPress plugins for 13 years without being caught. The discovery shows how exposed popular open-source software is to a patient attacker who is willing to wait.
WordPress plugins are small programs that extend what WordPress, a widely used website-building tool, can do. According to the WPScan vulnerability database, multiple plugins published under the "Essential Plugin" name contained backdoors: hidden code that lets an attacker control a website after the plugin has been installed. All 44 plugins were controlled by the same person.
One example is the Quick Page/Post Redirect plugin, installed on more than 70,000 websites. Bleeping Computer reported in April 2026 that the malware had been hidden inside it for five years before anyone noticed. During those five years the code did nothing visible. Once activated, it could push further malware to every one of those 70,000 sites. No alarm went off and no warning appeared. That dormancy is what makes the technique so effective: scanners that look for active malicious behaviour have nothing to see in code that is not yet doing anything.
Why Are WordPress Plugins Such Easy Targets?
WordPress plugins are a tempting target. The official WordPress.org plugin directory holds tens of thousands of plugins, many maintained by a single developer working alone. Developers sometimes sell a plugin or hand it to someone else, and that change of hands usually happens quietly, with no public announcement. Once an attacker plants malware in a popular, trusted plugin, every site that installs the malicious version, or updates to it, is compromised. A plugin with 70,000 active installations is 70,000 potential entry points into websites and the hosting systems behind them.
The attacker could have taken over existing plugins one at a time over many years, or bought plugins that already had large user bases. Both methods have been used before. The plugin directory does not always make it clear when a plugin changes owner, and the platform's automated security scanning has historically missed threats that human researchers later uncovered. In this case a researcher reading the code by hand found the backdoor; the platform's own tools did not.
The problem is not unique to WordPress. Other major software repositories, such as npm for JavaScript, PyPI for Python and RubyGems for Ruby, work the same way: whoever controls a package's publishing account decides what thousands of downstream installs receive on their next update. A package with a real history and real users carries an automatic trust that attackers know how to exploit. This WordPress case is part of a larger pattern of supply-chain attacks that security teams have been fighting since 2020, when SolarWinds, a major software vendor, was compromised and a tampered update to its Orion product, signed by the company itself, was delivered to thousands of government and business customers.
Other Recent Attacks of This Type
The WordPress discovery is one of several recent announcements involving backdoors. The cases are separate, and together they show how many different things the word now covers.
The US government agencies CISA and NSA attributed a piece of malware called BRICKSTORM to Chinese-linked hackers targeting VMware and Windows systems. CISA published details in February 2026 about how BRICKSTORM let the operators stay hidden inside compromised systems for years. Reuters reported in December 2025 that the US and Canada blamed the malware on Chinese operators targeting critical infrastructure such as power grids. The Chinese government denied the allegations. In April 2026, CISA released information about a different piece of malware, called FIRESTARTER, that forensic investigators had discovered.
Separately, in February 2026, senior US lawmakers formally asked the British government for answers about reports that Britain had ordered Apple to build hidden access into its encrypted messaging. This is not a hack: it is a government demanding that a company build secret access into its own products. But the same word "backdoor" applies, and it raises the same question: who should have the power to read encrypted communications? From an engineering standpoint the two situations also share a property: an access path that exists for one party exists for anyone else who obtains its keys or learns how it is triggered.
These incidents are not connected to each other. What they have in common is that "backdoor" now names three distinct threats: criminals hiding code in software, governments requiring companies to create secret access, and hostile states planting malware in critical infrastructure. Each needs its own defence.
What Website Owners Should Know
If you run a WordPress site, or manage many of them, you should care about where your plugins come from. Rather than assuming the official plugin directory is fully vetted, you can run tools that analyse plugin source for suspicious patterns: code that is decoded or downloaded at runtime and then executed, or code that waits for a hard-coded date before doing anything. You can also watch the outbound connections your web server makes, because that is how hidden malware eventually reveals itself: sooner or later it has to call home. Treat plugin updates as code changes, review the diff for plugins you depend on, and if you can find out who owns a plugin and whether that ownership has changed, that information is worth investigating.
A backdoor that stayed hidden for 13 years should change how organizations think about security. A review that happens once, when a plugin is installed, will not catch code that stays silent for years and only wakes occasionally, without making noise. The researcher who found this one did so by reading the actual code, which is why having open-source software available for anyone to inspect still matters, even when it takes more than a decade for someone to look in the right place.
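The kind of static check described above, as an added example: a small scanner that walks a plugin directory and flags the PHP patterns most often used by backdoors, including the dormant, time-gated activation described earlier in the article. This is not code from the article, from WPScan or from WordPress, and the rules are generic indicators rather than the indicators for the plugins the article names; the two plugin files it scans are constructed for the example. A hit is a lead for a human to read, not proof that a plugin is malicious.

```python
"""Heuristic scan of WordPress plugin source for patterns common in PHP backdoors.

Added example; not code from the article, from WPScan or from WordPress. The rules
are generic indicators of obfuscated, remotely fed or time-gated PHP, not the
indicators for the plugins named in the article. The sample plugins are constructed.
"""
import re
import tempfile
from pathlib import Path

# rule name -> regex applied to each line of each .php file (case-insensitive).
RULES = {
    # Code that is decoded at runtime and then executed.
    "eval_of_decoded_data": re.compile(
        r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress"
        r"|str_rot13|strrev)\s*\(", re.I),
    # Code executed straight from an HTTP fetch or a file read.
    "remote_payload_to_eval": re.compile(
        r"\b(?:eval|assert)\s*\(.*\b(?:file_get_contents|curl_exec"
        r"|wp_remote_retrieve_body|fread)\s*\(", re.I),
    # Request-controlled data flowing into a code or shell sink on one line.
    "superglobal_into_exec": re.compile(
        r"\b(?:eval|assert|system|exec|shell_exec|passthru)\s*\(.*"
        r"\$_(?:GET|POST|COOKIE|REQUEST|SERVER)\b", re.I),
    # Building functions from strings (removed in PHP 8, rare in honest code).
    "create_function": re.compile(r"\bcreate_function\s*\(", re.I),
    # A hard-coded future epoch the code waits for: the sleeper pattern.
    "time_gated_execution": re.compile(
        r"\btime\s*\(\s*\)\s*(?:>=?|<=?)\s*\d{9,}", re.I),
    # Long runs of hex escapes or chr() concatenation hiding a string.
    "string_obfuscation": re.compile(
        r"(?:\\x[0-9a-f]{2}){8,}|(?:chr\s*\(\s*\d+\s*\)\s*\.\s*){4,}", re.I),
}


def scan_text(source: str) -> list:
    """Return [{rule, line, text}] for every rule that matches a line of source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, rx in RULES.items():
            if rx.search(line):
                findings.append({"rule": name, "line": lineno, "text": line.strip()})
    return findings


def scan_plugin_dir(root) -> dict:
    """Scan every .php file under root; map relative path -> findings (hits only)."""
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[str(path.relative_to(root))] = hits
    return results


# Constructed sample: an ordinary redirect plugin with nothing to flag.
BENIGN = """<?php
/* Plugin Name: Example Redirects (constructed benign sample) */
add_action('template_redirect', 'ex_redirect');
function ex_redirect() {
    $target = get_option('ex_redirect_target');
    if ($target) { wp_redirect(esc_url_raw($target)); exit; }
}
"""

# Constructed sample: sleeps until a fixed date, then runs whatever a cookie carries.
SUSPICIOUS = """<?php
/* Plugin Name: Example Redirects Helper (constructed suspicious sample) */
add_action('init', 'ex_helper_boot');
function ex_helper_boot() {
    if (time() < 1893456000) { return; }   // dormant until 2030-01-01 UTC
    $k = $_COOKIE['ex_k'] ?? '';
    if ($k !== '') { eval(base64_decode($k)); }
}
"""


def demo() -> dict:
    """Write both samples to a temporary plugin directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "benign.php").write_text(BENIGN, encoding="utf-8")
        Path(tmp, "suspicious.php").write_text(SUSPICIOUS, encoding="utf-8")
        return scan_plugin_dir(tmp)


if __name__ == "__main__":
    for path, hits in demo().items():
        for h in hits:
            print(f"{path}:{h['line']} [{h['rule']}] {h['text']}")
```

Run against a real `wp-content/plugins` directory, the scanner reports the suspicious file and its line numbers for the time gate and the `eval(base64_decode(...))`, while the benign plugin produces nothing. Expect false positives from legitimate plugins that decode data for honest reasons; the point is to shortlist what a person should read, and to re-run the scan after every update, since the dormant version and the malicious version of a plugin can look identical until the payload is added.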
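The traffic-monitoring advice above, as an added example: a first-seen-destination detector for outbound connections from a web host. A backdoor that wakes rarely defeats any detector that relies on volume, but it cannot avoid connecting somewhere at least once, so alerting on every destination not in a learned baseline catches the first beacon regardless of how long the code slept. This is not code from the article or from any vendor tool; it assumes an egress log (from a forward proxy, host firewall or flow export) reduced to one line per connection in the shape `<iso-timestamp> <process> <host-or-ip>:<port>`, and the log lines below are constructed, with 203.0.113.45 and 198.51.100.7 being documentation addresses rather than real indicators.

```python
"""First-seen outbound destination alerting for a web host.

Added example, not from the article or any vendor tool. Assumed log format per
connection: '<iso-timestamp> <process> <host-or-ip>:<port>'. Log lines are constructed.
"""
import ipaddress


def parse(log: str) -> list:
    """Turn the assumed one-line-per-connection log into event dicts."""
    events = []
    for raw in log.strip().splitlines():
        ts, proc, dest = raw.split()
        host, port = dest.rsplit(":", 1)
        events.append({"ts": ts, "proc": proc, "host": host, "port": int(port)})
    return events


def learn_baseline(events) -> set:
    """Set of (process, host, port) seen during a trusted learning window."""
    return {(e["proc"], e["host"], e["port"]) for e in events}


def is_bare_ip(host: str) -> bool:
    """True when the log recorded a literal IP rather than a resolved hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def detect(events, baseline, allowed_ports=(80, 443)) -> list:
    """Alert once for each (process, host, port) never seen in the baseline.

    Frequency is deliberately ignored: one connection is enough, which is what
    makes this catch a beacon that fires rarely.
    """
    seen = set(baseline)
    alerts = []
    for e in events:
        key = (e["proc"], e["host"], e["port"])
        if key in seen:
            continue
        seen.add(key)  # alert once per new destination, however often it recurs
        reasons = ["destination not in baseline"]
        if is_bare_ip(e["host"]):
            reasons.append("bare IP address instead of hostname")
        if e["port"] not in allowed_ports:
            reasons.append(f"unusual port {e['port']}")
        alerts.append({**e, "reasons": reasons})
    return alerts


# Constructed learning window: only WordPress.org update traffic.
BASELINE_LOG = """
2026-03-01T02:00:01Z php-fpm api.wordpress.org:443
2026-03-01T02:00:03Z php-fpm downloads.wordpress.org:443
2026-03-02T02:00:01Z php-fpm api.wordpress.org:443
2026-03-03T06:12:40Z wp-cli downloads.wordpress.org:443
"""

# Constructed live window: the same traffic plus two never-seen destinations,
# one of them repeated (should alert once) and one on an unusual port.
LIVE_LOG = """
2026-04-02T02:00:01Z php-fpm api.wordpress.org:443
2026-04-02T03:11:09Z php-fpm 203.0.113.45:443
2026-04-02T03:11:10Z php-fpm 203.0.113.45:443
2026-04-03T02:00:01Z php-fpm api.wordpress.org:443
2026-04-03T04:20:44Z php-fpm 198.51.100.7:8443
"""


def demo() -> list:
    """Learn from BASELINE_LOG, then run detection over LIVE_LOG."""
    return detect(parse(LIVE_LOG), learn_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for a in demo():
        print(f"{a['ts']} {a['proc']} -> {a['host']}:{a['port']}: " + "; ".join(a["reasons"]))
```

The caveat that matters in practice is the learning window: if the backdoor was already calling home while the baseline was being learned, its destination is in the baseline and nothing fires. Seed the baseline from a short list of destinations you can justify (your update servers, your own services) rather than from whatever the host happened to do last month, and review anything learned automatically before trusting it.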