
Last week, a security researcher caught something that most site owners never would.
A WordPress plugin business went up for sale on Flippa in late 2024. Ten years old, 30+ plugins, hundreds of thousands of active installs across the web. Revenue had slipped and the founders wanted out. A buyer paid six figures for the portfolio.
The buyer’s first update to the codebase was a backdoor.
He buried it in a routine changelog entry that read “Check compatibility with WordPress version 6.8.2.” Then he waited eight months. On April 5, 2026, it activated simultaneously across every site running any of the plugins, injecting hidden spam into search results, invisible to anyone visiting the sites. WordPress.org identified and closed every affected plugin in a single day. They pushed an automatic update to every site running them, but the update only disabled the backdoor going forward. Sites that had already been compromised were still infected.
Every business running WordPress is now facing an uncomfortable question. How many of your plugins have changed hands without you knowing?
When a WordPress plugin changes hands, sites running it receive no notification. The owner gets full commit access on day one, the same access the original developers built over years of legitimate work, with no additional review and no disclosure to users. The trust transfers silently and completely.
This exact playbook ran in 2017, when a buyer acquired a plugin with 200,000 installs for $15,000, injected spam, and went on to compromise nine more plugins the same way. Documented, repeatable, and still wide open nine years later. The knowledge to pull it off is completely public. A YouTube search for "WordPress hack tutorial" returns videos with hundreds of thousands of views.
What’s changed is how easy the acquisition has become. Flippa and similar marketplaces have made it straightforward to buy established plugins with large, trusting install bases.
Most organizations have no clear picture of how many plugins are running across their websites. Fewer still know who currently owns them. Every plugin installation extends trust not just to the original developer, but to every future owner of that code. Plugins and open marketplaces have created a wide-open door. Most people click install and never think about it again.
On April 1, 2026, Cloudflare announced EmDash, a new open-source CMS they’re calling the spiritual successor to WordPress. The timing looked like a joke, but the lead engineer confirmed it wasn’t. “Name is a joke but the project is real.”
The motivation was plugin security. Cloudflare’s own research found that 96% of WordPress security issues originate in plugins. The root cause is architectural. Every WordPress plugin runs with direct access to the site’s database and files, with no protection in between. One bad plugin and everything’s exposed. EmDash runs plugins in sandboxed environments, confined to defined boundaries, unable to reach anything beyond their scope.
It’s a v0.1 beta with no ecosystem yet. But Joost de Valk, who built Yoast SEO, the most widely installed plugin in WordPress history, has said he plans to build on it.
It’s worth saying plainly that WordPress is a remarkable piece of software. It democratized publishing at a scale that wasn’t previously possible. The plugin ecosystem made it infinitely extensible, accessible to people who’d never written a line of code. It’s the same democratizing promise AI coding tools are making today.
But a website that drives revenue, holds customer data, or represents a publicly traded company is infrastructure, not just a blog. At that level, the same openness that made WordPress so powerful becomes a liability. Last week’s attack required no technical sophistication: just a marketplace listing, a purchase, and eight months of waiting. There’s no security update that can address that sequence of events.
Matic is a Contentful partner, so we have skin in the game. But here’s what we’ve seen in practice. Moving to a headless CMS like Contentful removes this method of attack entirely.
In Contentful, content lives in a structured API layer, completely decoupled from the presentation layer. Because the CMS sits behind that API, a compromised third-party integration can’t reach across and affect the site. The plugin acquisition attack that made last week’s breach possible simply has no way of happening in this model.
One of our clients, a publicly traded energy company, was breached through their WordPress site shortly after going public. It happened through a plugin. The cleanup cost more than migration would have.
Budget is always a consideration when switching platforms. But migrations look expensive until a breach makes them look cheap.
A well-maintained WordPress site with minimal, actively monitored plugins is a fine choice for plenty of use cases.
But for organizations where the website is doing real work, generating pipeline, holding customer data, representing the company publicly, the conversation is worth having. How many plugins are active across your online properties? When did you last review who owns them? And what would it look like if one of those ownership transfers went the same direction as last week’s?
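As an added example (not code from this post, from Matic, or from Contentful), the Python script below sketches the ownership review those questions call for, covering both the inventory gap described earlier and the “who owns them now” question: it diffs a site’s installed-plugin inventory against a saved baseline of each plugin’s listed author and contributors and reports anything that has changed hands or was never baselined. The inventory shape is assumed to follow what WP-CLI’s `wp plugin list --format=json` emits, and the metadata fields (`author`, `contributors`, `last_updated`) are assumed to follow the WordPress.org plugin info API; every plugin slug and record in the script is constructed sample data, not a real plugin.

```python
"""Plugin ownership audit (added example, not the post's own code).

Assumptions, labelled:
- INVENTORY_JSON mimics the shape of `wp plugin list --format=json` (WP-CLI).
- BASELINE and CURRENT_META mimic the `author`, `contributors` and
  `last_updated` fields of the WordPress.org plugin info API.
- All slugs and records below are constructed sample data.
"""
import json
from dataclasses import dataclass

# Constructed: what `wp plugin list --format=json` would emit for one site.
INVENTORY_JSON = json.dumps([
    {"name": "example-seo-helper", "status": "active", "version": "3.4.1"},
    {"name": "example-forms", "status": "active", "version": "1.9.0"},
    {"name": "example-gallery", "status": "inactive", "version": "2.0.3"},
    {"name": "example-cache", "status": "inactive", "version": "5.1.0"},
    {"name": "example-custom-widget", "status": "active", "version": "0.3.0"},
])

# Constructed: metadata saved when each plugin was first approved for use.
BASELINE = {
    "example-seo-helper": {"author": "Original Dev Co", "contributors": ["origdev"], "last_updated": "2024-06-01"},
    "example-forms": {"author": "Forms LLC", "contributors": ["formsllc", "helper1"], "last_updated": "2024-09-12"},
    "example-gallery": {"author": "Gallery Studio", "contributors": ["gallerystudio"], "last_updated": "2023-11-20"},
}

# Constructed: metadata as the plugin info API would report it today.
# example-custom-widget is deliberately absent (a plugin not hosted on WordPress.org).
CURRENT_META = {
    "example-seo-helper": {"author": "New Owner Ltd", "contributors": ["newowner", "origdev"], "last_updated": "2025-08-15"},
    "example-forms": {"author": "Forms LLC", "contributors": ["formsllc", "helper1"], "last_updated": "2025-01-03"},
    "example-gallery": {"author": "Gallery Studio", "contributors": ["gallerystudio"], "last_updated": "2023-11-20"},
    "example-cache": {"author": "Cache Works", "contributors": ["cacheworks"], "last_updated": "2025-07-30"},
}


@dataclass
class Finding:
    slug: str
    status: str     # "active" / "inactive" as reported by the inventory
    reason: str     # author-changed | new-contributors | no-baseline | not-on-wordpress-org
    detail: str = ""


def audit_ownership(inventory_json, baseline, current_meta, active_only=False):
    """Return Findings for every installed plugin that needs a human ownership review."""
    findings = []
    for plugin in json.loads(inventory_json):
        slug, status = plugin["name"], plugin["status"]
        if active_only and status != "active":
            continue
        now = current_meta.get(slug)
        if now is None:
            # No public listing to compare against: the source must be verified by hand.
            findings.append(Finding(slug, status, "not-on-wordpress-org", "no listing metadata; verify source"))
            continue
        base = baseline.get(slug)
        if base is None:
            # Installed but never reviewed: record current owner and baseline it.
            findings.append(Finding(slug, status, "no-baseline", f"author={now['author']}"))
            continue
        if base["author"] != now["author"]:
            findings.append(Finding(slug, status, "author-changed", f"{base['author']} -> {now['author']}"))
        added = sorted(set(now["contributors"]) - set(base["contributors"]))
        if added:
            # New committers on the listing are the quiet form of an ownership transfer.
            findings.append(Finding(slug, status, "new-contributors", ", ".join(added)))
    return findings


def render_report(findings):
    """Format findings as one line each, suitable for a ticket or a pager alert."""
    return [f"[{f.reason}] {f.slug} ({f.status}): {f.detail}" for f in findings]


if __name__ == "__main__":
    for line in render_report(audit_ownership(INVENTORY_JSON, BASELINE, CURRENT_META)):
        print(line)
```

In practice the baseline is written at install time and refreshed after each review, and the current metadata is fetched from the plugin listing rather than embedded. Note that file-integrity tools such as WP-CLI’s `wp plugin verify-checksums` compare installed files against the version published on WordPress.org, so they cannot flag the scenario in this post, where the backdoor ships as the official release; a changed author or a new contributor on the listing is the signal that warrants a review.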
Think about it, before the next incident forces you to.
We help organizations evaluate CMS infrastructure and get them migrated when it will provide the most value and security, in partnership with Contentful. Let’s talk.

About Matic
We're a B2B transformation agency creating strategic advantage through branding, websites, and digital products.