20,000 WordPress sites hijacked overnight: what just happened
Imagine waking up to find your Google rankings have tanked. Your site looks fine to you. But Google is seeing something completely different. That's what happened to more than 20,000 WordPress site owners this month. And the worst part? WordPress itself couldn't fully fix it.
What actually happened
In early 2025, a company called Essential Plugin (formerly WP Online Support) sold its entire portfolio of 31 WordPress plugins on the Flippa marketplace. Reportedly for six figures. Those plugins were sitting on roughly 400,000 installs across 15,000+ paying customers.
On 8 August 2025, the new owners pushed an update to one of them, Countdown Timer Ultimate version 2.6.7. Buried in that release were 191 lines of malicious code. The changelog just said “WordPress version compatibility.” Nobody looked twice.
Then it sat there. Quiet. For eight months.
On 5 and 6 April 2026, the backdoor activated. By 7 April, WordPress.org had permanently pulled all 31 plugins from the directory. On 8 April they pushed a forced auto-update, but it only disabled the phone-home. The injected code is still sitting on affected sites unless owners clean it manually.
Austin Ginder of Anchor Hosting, the researcher who uncovered it, called this the “second hijack in as many weeks.”
This wasn't a hack in the traditional sense. No firewall got breached. No password got guessed. The bad actors bought their way in through a legitimate business sale, and WordPress had no system in place to flag it.
The genius (and evil) bit
Most malware is noisy. It pops up spam, redirects visitors to dodgy sites, or defaces the homepage. You notice within hours.
This one was quiet. The injected code only served its payload to Googlebot. When you logged in and checked your site, everything looked normal. When a customer visited, everything looked normal. But when Google crawled the same pages, it saw spam links, cloaked content, and redirects pointing at unrelated businesses paying for shady SEO services.
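You can see what Googlebot sees without waiting for rankings to fall. The script below is an added example of the differential-fetch check, not code from the original post or from any of the affected plugins: it fetches a page twice, once with an ordinary browser User-Agent and once with the Googlebot User-Agent that Google publishes, and prints any links that only appear in the bot copy. It assumes curl is installed; the two-page demo input at the bottom is constructed for the example, not captured from a real site.

```shell
#!/bin/sh
# Added example: differential fetch to spot search-engine cloaking.
# Not code from the original post or from the affected plugins.
# Assumes: curl on PATH; the Googlebot User-Agent string is the one Google
# publishes; the demo HTML at the bottom is constructed, not captured.

# Googlebot's published user agent and a plain desktop browser one.
UA_BOT='Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
UA_BROWSER='Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0'

# Pull every href target out of an HTML file: one per line, sorted, unique.
# A regex is crude, but cloaked SEO spam is mostly extra <a href> tags,
# so it is good enough for a first pass.
extract_links() {
  grep -o 'href="[^"]*"' "$1" | sed 's/^href="//; s/"$//' | sort -u
}

# Print links present in the "bot" copy but absent from the "browser" copy.
# Empty output means this check found no cloaked links.
cloaked_links() {
  a=$(mktemp); b=$(mktemp)
  extract_links "$1" > "$a"
  extract_links "$2" > "$b"
  comm -13 "$a" "$b"
  rm -f "$a" "$b"
}

# Fetch one URL twice with different User-Agents and diff the link sets.
# Follows redirects (-L) because cloaked pages often send bots elsewhere;
# the URL the bot finally landed on is printed so a bot-only redirect shows.
check_url() {
  url="$1"
  browser=$(mktemp); bot=$(mktemp)
  curl -sSL -A "$UA_BROWSER" -o "$browser" "$url"
  final=$(curl -sSL -A "$UA_BOT" -o "$bot" -w '%{url_effective}' "$url")
  echo "bot landed on: $final"
  cloaked_links "$browser" "$bot"
  rm -f "$browser" "$bot"
}

# Constructed demo input (not from any real site): the bot copy carries one
# extra hidden outbound link. Prints that link and nothing else.
demo() {
  d=$(mktemp -d)
  cat > "$d/browser.html" <<'EOF'
<html><body><a href="/services">Services</a> <a href="/contact">Contact</a></body></html>
EOF
  cat > "$d/bot.html" <<'EOF'
<html><body><a href="/services">Services</a> <a href="/contact">Contact</a>
<div style="display:none"><a href="https://example.net/cheap-pills">buy</a></div></body></html>
EOF
  cloaked_links "$d/browser.html" "$d/bot.html"
  rm -rf "$d"
}

if [ "$#" -ge 1 ]; then check_url "$1"; else demo; fi
```

Run it as `sh cloak-check.sh https://yoursite.example/` against a handful of your most valuable pages. Two caveats. A User-Agent check only catches cloaking keyed on the User-Agent string; code that checks the visitor's IP against Google's crawler ranges will hand you the clean page either way, which is why Google Search Console's URL Inspection tool (Test Live URL, then view the tested page's HTML) is the authoritative view: it fetches from Google's own crawlers. And watch the "bot landed on" line as well as the link list: a page that redirects only bots to another domain is cloaked even when the link sets match.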
The attackers also created hidden admin accounts with names like “wpsvc_a3f1,” invisible from the standard WordPress user list. And they planted persistence in three separate locations, including directly inside wp-config.php, so removing one copy didn't kill the infection.
For the business owner, it looked like nothing was wrong. Meanwhile Google was quietly downgrading the site for serving spam. Rankings slid. Traffic dried up. Months of SEO work unravelled in silence.
Most small business owners won't care about the technical detail. PHP deserialization attacks and Ethereum-routed command-and-control aren't exactly dinner-table talk. What they will care about is losing Google rankings they've spent years building, for reasons they can't see.
Why this will happen again
The WordPress plugin ecosystem runs on trust. And trust can be bought.
WordPress has no notification system when a plugin changes ownership. No mandatory code review when a plugin is sold. No enhanced vetting when new developers get commit access to code running on millions of sites. You install a plugin from a trusted developer, and three years later it quietly changes hands, and nobody tells you.
This isn't a one-off. Patchstack, Wordfence, and Sucuri have all been tracking this pattern for months. Plugins get sold, the new owners wait, and months later the payload activates. Austin Ginder's point about “the second hijack in as many weeks” should worry anyone running a WordPress site.
Until WordPress.org fixes the plugin handover process, and there's no indication they will soon, this will keep happening.
The cost to small businesses
If you run a roofing company, a locksmith, a property maintenance firm, or any small service business, your WordPress site probably relies on 10 to 20 plugins for basic functionality. Forms. SEO. Galleries. Sliders. Cookie banners. Booking widgets.
Any one of those plugins could be sold tomorrow without your knowledge. You have no way to monitor code changes. You're not going to read diffs every time a plugin updates. Nobody is.
And if your site does get compromised, the cost isn't just the cleanup bill. It's months of lost rankings and enquiries that went to a competitor instead. For a local trade business where the top three Google results earn most of the calls, a silent SEO hit can cost thousands in missed work before anyone even notices.
“Free WordPress plus free plugins” stops looking free pretty quickly.
The alternative
Fair warning before I go further: we build static sites with Next.js, so you can accuse me of being biased here if you want. I'll try to be straight about it anyway.
A static site has no database. No admin panel. No PHP running live. No plugins. Your pages are pre-built once at deployment and served as plain HTML from a CDN. There's no plugin supply chain to attack at serve time, because nothing on the live site executes server-side code, updates itself, or accepts a login.
That gives you a dramatically smaller attack surface. Not unhackable, nothing on the internet is, but there's simply far less to go wrong. No logins to brute-force. No database to inject into. No third-party code quietly changing hands on the live server. The one honest caveat: a Next.js build still pulls in npm packages, and those can be sold or hijacked too, so the supply-chain problem moves to build time rather than disappearing. You contain that by pinning versions and treating lockfile changes as something to review, and a bad package still can't hand anyone an admin login on a site that has no admin. And as a bonus, static sites load faster and cost less to host.
Static isn't the right fit for everyone. If you need complex user accounts, a large eCommerce catalogue, or daily content updates from non-technical staff, WordPress may still be the better tool for the job. We've covered this honestly in our WordPress vs Next.js comparison.
But for 90% of small business sites, a few pages showcasing your services, some photos of your work, and a way for customers to get in touch, a static site is almost always the safer and faster choice.
What to do if you're on WordPress right now
First, don't panic. But do audit your plugins this week.
Check whether any of the plugins in your admin dashboard came from Essential Plugin or WP Online Support. If they did, assume the site is compromised until proven otherwise. The forced update only stopped the phone-home; it won't necessarily remove the injected code. You'll likely need someone to audit wp-config.php, the theme files, and the user list manually. Audit the user list at the database, not in the dashboard: the hidden accounts described above are hidden from the dashboard's user list specifically, so query wp_users and wp_usermeta directly (or run WP-CLI with plugins skipped), which gives you a view that plugin code can't filter.
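Those three checks are easy to script. The script below is an added example, not code from this post or from Anchor Hosting: it assumes WP-CLI (`wp`) is installed, that the table prefix is the default `wp_`, and that the WordPress root is passed as the first argument. The grep patterns are generic obfuscation indicators, not a signature for the Countdown Timer Ultimate payload, which this post does not reproduce; the test input it is checked against is constructed for the example.

```shell
#!/bin/sh
# Added example: a first-pass audit for the three places the post says to
# look (wp-config.php, theme files, the user list). Not code from the post
# or from the affected plugins. Assumptions: WP-CLI ("wp") is installed,
# the table prefix is the default wp_, and $1 is the WordPress root.

# 1. Administrator accounts straight from the database.
#    The dashboard user list is built by PHP that plugins can filter, so a
#    plugin-installed hook can hide an account from it. Raw SQL through
#    WP-CLI does not run that PHP, so nothing can filter the result.
db_admins() {
  wp --path="$1" db query "
    SELECT u.ID, u.user_login, u.user_email, u.user_registered
    FROM wp_users u
    JOIN wp_usermeta m ON m.user_id = u.ID
    WHERE m.meta_key = 'wp_capabilities'
      AND m.meta_value LIKE '%administrator%'
    ORDER BY u.user_registered DESC"
}

# 2. Obfuscation primitives in wp-config.php and everything under wp-content.
#    Legitimate config and theme code almost never needs these. Hits are
#    leads to read by hand, not proof of compromise. Generic indicators only;
#    not a signature for the payload described in the post.
SUSPECT='eval\(|base64_decode\(|gzinflate\(|gzuncompress\(|str_rot13\(|create_function\('
scan_php() {
  grep -rnE --include='*.php' "$SUSPECT" "$1/wp-config.php" "$1/wp-content" 2>/dev/null || true
}

# 3. PHP files touched in the last N days. Persistence planted months ago
#    will not show here, but a re-infection after a partial cleanup will.
recent_php() {
  find "$1" -name '*.php' -type f -mtime "-$2" 2>/dev/null | sort
}

if [ "$#" -ge 1 ]; then
  echo "== administrator accounts (from the database)"; db_admins "$1"
  echo "== suspicious PHP constructs";                  scan_php "$1"
  echo "== PHP files modified in the last 7 days";      recent_php "$1" 7
fi
```

Run it as `sh wp-audit.sh /var/www/yoursite` on the server. Any administrator the database lists that the dashboard doesn't is the finding; any `eval(base64_decode(` in wp-config.php is the finding. Because the post says the persistence was planted in three places, treat one hit as a reason to keep looking rather than a cleanup target, and restore from a backup taken before 8 August 2025 if you have one.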
Longer term, keep your plugin footprint as small as you can, use Wordfence or Patchstack for monitoring, and run Google Search Console so you get an early warning if Google starts seeing something on your site that you can't.
And if you're tired of playing whack-a-mole with plugin security, it might be worth considering a rebuild. A properly built static site will outlive three or four WordPress overhauls, and it won't wake you up at 2 a.m. because a plugin you installed in 2022 just got sold.
The bottom line
The April 2026 plugin backdoor wasn't clever hackers breaking in. It was an ordinary business transaction that WordPress had no system to police. 20,000+ sites are still carrying the fallout, and the underlying problem hasn't been fixed.
If your business depends on Google finding you, it's worth asking whether the platform you're running on gives you the level of control you actually need.
If you're weighing up a rebuild, I build Next.js static sites for trade and small business clients across Halifax and West Yorkshire from £295. Happy to have a chat about whether it's the right move for you, no pressure either way. Get in touch whenever suits.