WordPress plugin security breach: hacker bought 30 plugins, hid 8 months, used Ethereum smart contracts to bypass domain blocks

WordPress plugin security is under scrutiny after a hacker reportedly bought a WordPress plugin portfolio and implanted backdoors across 30+ plugins. The attacker kept the payload dormant for about 8 months: the first malicious update was posted on 2025-08-08, with a changelog that said only “compatibility update”. The backdoor code was injected into wp-config.php after a staged activation window in early April 2026 (first callback around 2026-04-05/06; full wp-config.php writes by 2026-04-06 11:06 UTC). It then served spam links targeted at Googlebot and exposed an unprotected REST API path that could enable remote code execution.

Most notable for WordPress plugin security defenses, the command-and-control (C2) infrastructure avoided traditional blocking. Instead of relying on a fixed domain, the attacker embedded the C2 resolution logic in an Ethereum smart contract and queried updated pointers through public RPC nodes. DNS blacklists and domain takedowns are therefore ineffective until the contract state itself changes.

In response, WordPress.org reportedly shut down the affected Essential Plugin author accounts and disabled 30+ plugins in a single day (2026-04-07), as confirmed by security researcher Austin Ginder. No zero-days were claimed; the core issue highlighted is supply-chain trust: the WordPress ecosystem lets a buyer assume a plugin's update permissions without strong review or user notification when ownership changes.
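The report names three indicator classes a site owner can look for: an unexpected change to wp-config.php, plugin code that reads a pointer from an Ethereum contract over JSON-RPC, and cloaked output or an unauthenticated REST route. The following Python audit script is an added example written for this article; it is not code from the article, from WordPress.org, or from the affected plugins. The file layout, regexes, sample PHP sources and baseline hash are all constructed assumptions, and every rule is a review heuristic rather than proof of compromise (for instance, `permission_callback => '__return_true'` is legitimate for genuinely public endpoints).

```python
"""Heuristic audit of a WordPress tree for the indicator classes described above.
Added example; paths, patterns, sample sources and the baseline hash are constructed."""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    rule: str
    line: int
    reason: str


# (rule name, pattern, why a defender cares). Heuristics, not proof of compromise.
RULES = [
    ("eth_jsonrpc",
     re.compile(r"['\"]eth_(call|getStorageAt|getLogs)['\"]"),
     "Ethereum JSON-RPC method in plugin code: a C2 pointer may be read from a smart contract"),
    ("googlebot_cloak",
     re.compile(r"HTTP_USER_AGENT.{0,80}Googlebot", re.I | re.S),
     "output branches on the Googlebot user agent (SEO spam cloaking)"),
    ("open_rest_route",
     re.compile(r"permission_callback['\"]\s*=>\s*['\"]__return_true['\"]"),
     "REST route reachable without authorization; confirm the callback is safe unauthenticated"),
    ("include_from_uploads",
     re.compile(r"\b(include|require)(_once)?\b[^;]*uploads"),
     "PHP loaded from the uploads directory, a common place to park a dropped payload"),
    ("dynamic_exec",
     re.compile(r"\b(eval|create_function)\s*\(|base64_decode\s*\("),
     "dynamic code execution or decoding commonly used by backdoors"),
]

# Constructed indicator sample for the scanner; deliberately not functional code.
SUSPICIOUS_PLUGIN = """<?php
// constructed sample: contract lookup, UA cloaking, open REST route
$rpc = json_encode(['jsonrpc' => '2.0', 'id' => 1, 'method' => 'eth_call',
    'params' => [['to' => '0xCONTRACT_PLACEHOLDER', 'data' => '0x'], 'latest']]);
if (stripos($_SERVER['HTTP_USER_AGENT'] ?? '', 'Googlebot') !== false) {
    echo '<a href="https://example.invalid/">placeholder link</a>';
}
add_action('rest_api_init', function () {
    register_rest_route('ep/v1', '/run', [
        'methods' => 'POST',
        'callback' => 'ep_run',
        'permission_callback' => '__return_true',
    ]);
});
"""

CLEAN_WP_CONFIG = "<?php\ndefine('DB_NAME', 'wp');\nrequire_once ABSPATH . 'wp-settings.php';\n"
# Hash recorded at deploy time (constructed here; in practice stored off-host).
BASELINE_SHA256 = hashlib.sha256(CLEAN_WP_CONFIG.encode()).hexdigest()

# Constructed stand-in for a real site tree: relative path -> source text.
SAMPLE_SITE = {
    "wp-config.php": CLEAN_WP_CONFIG
    + "include_once WP_CONTENT_DIR . '/uploads/.cache.php'; // appended line (constructed)\n",
    "wp-content/plugins/benign-widget/benign-widget.php":
        "<?php\nadd_shortcode('hello', function () { return 'Hello'; });\n",
    "wp-content/plugins/example-plugin/loader.php": SUSPICIOUS_PLUGIN,
}


def scan_php(path: str, source: str) -> list[Finding]:
    """Run every rule over one PHP source and report each hit with its line number."""
    findings = []
    for name, pattern, reason in RULES:
        for match in pattern.finditer(source):
            line = source.count("\n", 0, match.start()) + 1
            findings.append(Finding(path, name, line, reason))
    return findings


def wp_config_drift(source: str, baseline_sha256: str) -> bool:
    """True when wp-config.php no longer matches the hash taken when it was deployed.
    A content hash catches appended lines that pattern rules alone would miss."""
    return hashlib.sha256(source.encode()).hexdigest() != baseline_sha256


def audit(files: dict[str, str], baseline_sha256: str) -> dict:
    """Audit a path -> source mapping; returns drift flag, findings and flagged files."""
    findings = []
    for path, source in files.items():
        if path.endswith(".php"):
            findings.extend(scan_php(path, source))
    return {
        "wp_config_modified": wp_config_drift(files["wp-config.php"], baseline_sha256),
        "findings": findings,
        "flagged_files": sorted({f.path for f in findings}),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_SITE, BASELINE_SHA256)
    print("wp-config.php modified since baseline:", report["wp_config_modified"])
    for f in report["findings"]:
        print(f"{f.path}:{f.line} [{f.rule}] {f.reason}")
```

On a real install you would replace `SAMPLE_SITE` with a walk of the document root and keep the wp-config.php baseline hash somewhere the web server cannot write to; the point of the hash check is that the report's payload landed in a file most plugin scanners ignore, and an integrity baseline catches it regardless of how the appended code is obfuscated.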
Neutral
At its core this incident is about a web-side supply-chain attack and the fight against malicious infrastructure; it does not directly touch crypto-asset cash flows or protocol-layer changes (no on-chain mining, token economics or major exchange outage is mentioned). Its direct effect on trading sentiment is therefore limited; it is more likely to show up as a short-term “cyber-security risk premium” in the related sectors and services (website ecosystem, hosting, security vendors).

Short term: if traders draw an analogy with historical supply-chain poisoning or plugin-backdoor incidents (such as cases where software updates were abused), trust in Web3-related sites, data services and marketing-driven traffic typically declines. That may bring slight attention to the security narrative, but it is unlikely to systematically affect the macro trajectory of BTC/ETH.

Long term: the report's emphasis on resolving C2 dynamically through an Ethereum smart contract may push the security community and compliance/infrastructure operators to pay more attention to the “on-chain updatable command domain” threat model. The long-term impact on the crypto market leans neutral: it raises the temperature of security and regulatory discussion but does not change the supply/demand fundamentals of major assets.

Conclusion: the effect on prices is more likely marginal, thematic and sentiment-driven rather than a directional bull/bear catalyst.