Cybersecurity

WordPress Plugin Backdoor: 70,000+ Sites At Risk For Years

May 2, 2026 1 min read by Ciro Simone Irmici
WordPress Plugin Backdoor: 70,000+ Sites At Risk For Years

A popular WordPress redirect plugin, used by over 70,000 sites, contained a hidden backdoor for five years, allowing code injection and putting websites and users at risk.

Running a website, especially one powered by WordPress, comes with its own set of responsibilities. Imagine building your digital presence, only to find out years later that a seemingly innocuous tool you installed was quietly compromising your entire site. This isn't a hypothetical scenario; it's the reality for over 70,000 WordPress site owners who unknowingly used a popular plugin harboring a five-year-old dormant backdoor.

The Quick Take

  • The implicated plugin is named "Quick Page/Post Redirect".
  • Over 70,000 active WordPress installations were affected.
  • A malicious backdoor was secretly embedded in the plugin five years ago.
  • This backdoor allowed attackers to inject arbitrary code onto affected websites.
  • Immediate action, including deactivation and deletion, is crucial for site owners.

What's Happening

Security researchers recently uncovered a critical vulnerability within a widely used WordPress plugin called "Quick Page/Post Redirect." This plugin, designed to manage URL redirections on websites, had a hidden backdoor integrated into its code approximately five years ago. This wasn't a flaw in the original design, but rather a deliberate addition that remained dormant, effectively allowing unauthorized access to tens of thousands of websites without the owners' knowledge.

The backdoor's functionality is particularly concerning: it allowed an attacker to inject arbitrary code directly into a user's WordPress site. This means a malicious actor could have potentially taken full control of the site, altered content, redirected visitors to malicious pages, or even installed malware. The long duration of this vulnerability – five years – highlights the insidious nature of such hidden threats and the potential for widespread, long-term compromise.

Why It Matters

For everyday users and small business owners, WordPress is often the platform of choice due to its ease of use and extensive plugin ecosystem. However, this incident underscores a critical security blind spot: the reliance on third-party plugins. Even reputable-looking plugins can become vectors for compromise, especially when they change hands or are intentionally tampered with, as appears to be the case here.

The practical implications are significant. A compromised website isn't just an inconvenience; it can lead to severe data breaches, loss of customer trust, SEO penalties, and even blacklisting by search engines. Visitors to an affected site could be exposed to phishing scams, malware downloads, or other malicious content, tarnishing the site's reputation and potentially harming its audience. This silent, long-term threat emphasizes that security isn't just about patching visible vulnerabilities, but also about maintaining constant vigilance over every component of your digital infrastructure.

What You Can Do

If you manage a WordPress website, taking proactive steps now is essential:

  • Check Your Plugins: Immediately review your installed plugins and determine if "Quick Page/Post Redirect" is among them.
  • Deactivate and Delete: If you find the "Quick Page/Post Redirect" plugin, deactivate it immediately and then delete it from your WordPress installation. Simply deactivating is not enough; the malicious code remains on your server until deleted.
  • Find an Alternative: If you still require a redirection plugin, search for reputable, well-maintained alternatives with strong security track records and frequent updates. Look for plugins with high ratings, many active installations, and recent update dates.
  • Regularly Audit Plugins & Themes: Make it a habit to audit all your installed plugins and themes. Remove any that are unused or no longer maintained. Less code means a smaller attack surface.
  • Keep Everything Updated: Ensure your WordPress core, all plugins, and themes are always updated to their latest versions. Updates often contain critical security patches.
  • Implement Regular Backups: Maintain regular, secure backups of your entire WordPress site (files and database). This allows for quick restoration in case of compromise.

Common Questions

Q: What is a "dormant backdoor"?

A dormant backdoor is malicious code embedded within software that remains inactive or hidden for an extended period, only to be activated later by an attacker. This makes it difficult to detect immediately after its introduction.

Q: How could this go undetected for so long?

Backdoors can evade detection through various methods, such as obfuscation, being hidden within legitimate code, or by being designed to only activate under specific, rare conditions. In this case, the plugin's popularity and the acquisition by a malicious entity likely contributed to its long-term stealth.

Q: Are my visitors at risk if I used this plugin?

Potentially, yes. If your site was compromised via this backdoor, attackers could have injected malicious scripts that affected your visitors, such as redirecting them to scam sites, attempting to install malware, or stealing sensitive information entered on your site. Cleaning your site thoroughly and monitoring for suspicious activity is crucial.

Sources

Based on content from BleepingComputer.

Key Takeaways

  • See the article for key details.
Original source
BleepingComputer
Read Original
Ciro Simone Irmici
Ciro Simone Irmici
Author, Digital Entrepreneur & AI Automation Creator
Written and curated by Ciro Simone Irmici · About TechPulse Daily

Related Articles

Patch Tuesday May 2026: AI Secures Your Software Faster
Patch Tuesday May 2026: AI Secures Your Software Faster Cybersecurity · May 13, 2026
AI Develops Zero-Day 2FA Bypass: A New Cyber Threat
AI Develops Zero-Day 2FA Bypass: A New Cyber Threat Cybersecurity · May 12, 2026
Mac Malware Delivered via Google Ads and Claude.ai Chats
Mac Malware Delivered via Google Ads and Claude.ai Chats Cybersecurity · May 11, 2026
Millions Download Fake Android Apps Stealing Money on Google Play
Millions Download Fake Android Apps Stealing Money on Google Play Cybersecurity · May 9, 2026
Ransomware Defenses: Why Your Backups Might Not Be Enough
Ransomware Defenses: Why Your Backups Might Not Be Enough Cybersecurity · May 8, 2026
Anti-DDoS Firm Accused of Attacking Brazilian ISPs
Anti-DDoS Firm Accused of Attacking Brazilian ISPs Cybersecurity · May 7, 2026

More from Cybersecurity

Patch Tuesday May 2026: AI Secures Your Software FasterAI Develops Zero-Day 2FA Bypass: A New Cyber ThreatMac Malware Delivered via Google Ads and Claude.ai ChatsMillions Download Fake Android Apps Stealing Money on Google PlayRansomware Defenses: Why Your Backups Might Not Be Enough

View all Cybersecurity articles →