Hey all,
I’m a bit late to the party with this one - which is not like me! Although, to be fair, Namecheap have only just emailed me about it … which is why I’m posting here now.
A confirmed security incident has hit the WordPress ecosystem. I think the original report was made by ‘Anchor Host’ here on the 9th April.
A buyer on Flippa reportedly acquired ~30 existing plugins and quietly inserted malicious backdoor code into them. These weren’t obscure throwaways either; some had active user bases.
The issue is being tracked and discussed across the community, including on Reddit.
What actually happened
- Plugins were legit at one point
- Ownership changed hands
- Malicious code was added in later updates
- Sites that updated (or already had them installed) may now be exposed
This is a classic supply chain attack, not a random hack.
Why it matters
- Even “trusted” plugins can become risky overnight
- Updating plugins isn’t always safe if the source is compromised
- Backdoors can persist even after deactivation
Who’s at risk
You may be affected if:
- You use lesser-known or rarely updated plugins
- You haven’t audited your plugin list in a while
- You auto-update plugins without review
What to do right now
- Check your installed plugins against the affected list
- Delete (not just deactivate) anything compromised
- Update everything else (core, themes, plugins)
- Scan your site for malware/backdoors
- Change all credentials (WP admin, DB, hosting)
- Restore from a clean backup if anything looks off
Key takeaway
This isn’t about one bad plugin.
It’s a reminder that:
Plugin trust is not permanent. Ownership changes can be a significant risk.
Here’s the full plugin list from the post on Anchor Host:
Most commonly used (highest priority to check)
These are the ones I’d check first:
- Meta Slider and Carousel with Lightbox
- Popup Anything on Click
- Post Grid and Filter Ultimate
- WP Slick Slider and Image Carousel
- WP Responsive Recent Post Slider
- WP Logo Showcase Responsive Slider and Carousel
- WP Team Showcase and Slider
- WP Testimonial with Widget
- WP Featured Content and Slider
- WP Blog and Widgets
Why these matter:
- Sliders, grids, and testimonials are everywhere
- These plugins tend to rack up installs because they solve common design needs
Moderately common (worth checking soon)
- Blog Designer for Post and Widget
- Product Categories Designs for WooCommerce
- Woo Product Slider and Carousel with Category
- Portfolio and Projects
- Post Category Image with Grid and Slider
- SlidersPack – All in One Image Sliders
- SP News And Widget
Typically used on:
- content-heavy blogs
- WooCommerce stores
- agency-built sites
Lower usage (still affected, but less widespread)
- Accordion and Accordion Slider
- Album and Image Gallery Plus Lightbox
- Audio Player with Playlist Ultimate
- Countdown Timer Ultimate
- Featured Post Creative
- Footer Mega Grid Columns
- Hero Banner Ultimate
- HTML5 VideoGallery Plus Player
- Preloader for Website
- Responsive WP FAQ with Category
- Styles for WP PageNavi – Addon
- Ticker Ultimate
- Timeline and History Slider
These are more niche or replaceable plugins.
Alternatives to switch to …
Replace sliders / carousels (biggest risk category)
Affected examples:
- WP Slick Slider and Image Carousel
- Meta Slider and Carousel with Lightbox
- SlidersPack – All in One Image Sliders
- WP Logo Showcase / Team / Testimonial sliders
Safer alternatives:
- Smart Slider 3
- MetaSlider (the well-known one, not the compromised variant)
- Elementor (built-in carousel widgets)
Reality check:
Most sites don’t need a dedicated slider plugin anymore. Page builders handle this cleanly.
Replace grids / post displays
Affected examples:
- Post Grid and Filter Ultimate
- WP Blog and Widgets
- WP Featured Content and Slider
Safer alternatives:
- GenerateBlocks
- Kadence Blocks
- Native WordPress Query Loop (built-in block editor)
Cleaner, faster, fewer dependencies.
Replace popups
Affected:
- Popup Anything on Click
Safer alternatives:
- Popup Maker
- Convert Pro
Replace WooCommerce display add-ons
Affected:
- Product Categories Designs for WooCommerce
- Woo Product Slider and Carousel
Safer alternatives:
- WooCommerce native blocks
- Kadence WooCommerce Blocks
Woo has improved a lot - most of this is now built-in.
Replace galleries / media plugins
Affected:
- Album and Image Gallery Plus Lightbox
- HTML5 VideoGallery Plus Player
Safer alternatives:
- Envira Gallery
- NextGEN Gallery
Replace “misc UI fluff” (accordions, FAQs, etc.)
Affected:
- Accordion and Accordion Slider
- Responsive WP FAQ
- Timeline / Ticker / Preloader plugins
Safer alternatives:
- Spectra
- Kadence Blocks
- Native Gutenberg blocks
These should never need standalone plugins in 2026.
The real takeaway
Most of the compromised plugins exist to patch gaps that WordPress has already solved.
So the safest strategy isn’t just “replace plugin A with plugin B”…
It’s:
Use fewer plugins. Use bigger ecosystems. Use native blocks where possible.
In closing …
If a plugin is doing something visual (sliders, grids, popups), there’s a good chance you don’t need it anymore. Modern block builders and WooCommerce already cover most of this - with far less risk.
Moral of the story: stay alert, people (more alert than me … lol).
If you need any help with any of this stuff, just holler!
- Rohan
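
For the "check your installed plugins against the affected list" step, here is an added example (not part of the original post, and not Anchor Host's code) that reads the `Plugin Name:` header of every plugin on disk, deactivated ones included, and flags any that appear in the list above. Matching by display name is an assumption, since the post gives names rather than plugin folder slugs; the folder names in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

# Plugin names as listed in the post. Matching by name is an assumption of
# this example: the "Plugin Name:" header on disk may be worded differently.
AFFECTED = """Meta Slider and Carousel with Lightbox; Popup Anything on Click;
Post Grid and Filter Ultimate; WP Slick Slider and Image Carousel;
WP Responsive Recent Post Slider; WP Team Showcase and Slider;
WP Logo Showcase Responsive Slider and Carousel; WP Testimonial with Widget;
WP Featured Content and Slider; WP Blog and Widgets; Portfolio and Projects;
Blog Designer for Post and Widget; Product Categories Designs for WooCommerce;
Woo Product Slider and Carousel with Category; SP News And Widget;
Post Category Image with Grid and Slider; SlidersPack – All in One Image Sliders;
Accordion and Accordion Slider; Album and Image Gallery Plus Lightbox;
Audio Player with Playlist Ultimate; Countdown Timer Ultimate;
Featured Post Creative; Footer Mega Grid Columns; Hero Banner Ultimate;
HTML5 VideoGallery Plus Player; Preloader for Website; Ticker Ultimate;
Responsive WP FAQ with Category; Styles for WP PageNavi – Addon;
Timeline and History Slider""".replace("\n", " ").split(";")

HEADER = re.compile(rb"^(?:[ \t]*<\?php)?[ \t/*#@]*Plugin Name:[ \t]*(.+?)\s*$", re.I | re.M)

def norm(name):
    """Lower-case and collapse punctuation so dash or spacing variants still match."""
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()

def audit(plugins_dir, affected=AFFECTED):
    """Return (path, declared name) for each plugin on disk, active or not, that is listed."""
    root, wanted = Path(plugins_dir), {norm(n) for n in affected}
    hits = []
    for php in sorted([*root.glob("*.php"), *root.glob("*/*.php")]):
        m = HEADER.search(php.read_bytes()[:8192])  # header comment sits at the top of the file
        if m and norm(m.group(1).decode("utf-8", "replace")) in wanted:
            hits.append((php.relative_to(root).as_posix(), m.group(1).decode("utf-8", "replace")))
    return hits

def demo():
    """Constructed plugin tree (folder names are made up) to show the check."""
    with tempfile.TemporaryDirectory() as d:
        for folder, name in [("example-slider", "WP Slick Slider and Image Carousel"),
                             ("example-forms", "Example Contact Form")]:
            (Path(d) / folder).mkdir()
            (Path(d) / folder / "main.php").write_text(f"<?php\n/**\n * Plugin Name: {name}\n */\n")
        return audit(d)

if __name__ == "__main__":
    print(demo())
```

Point `audit()` at the site's real `wp-content/plugins` directory. An empty result only means no header matched by name, not that the site is clean, so the malware scan and credential changes still apply.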
