Useful reminder from dxw about the potential for things to go wrong on WordPress sites – in this case, a change of ownership for a suite of plugins.
In August 2025 the new owner planted a backdoor in the purchased plugins and on 5–6 April 2026 the backdoor was weaponised, by planting malware in sites that had the plugins installed. On 7 April the WordPress Plugins Team permanently closed all essentialplugin plugins, and on 8 April, the day we opened the incident at dxw, WordPress pushed an update to the plugins which removed the malicious code.
Of course, things can go wrong with any technology platform and the key is staying vigilant. Sounds like the whole WordPress community mobilised pretty quickly to shut the threat down.
