Originally published at https://monstermegs.com/blog/wordpress-supply-chain-attack/

In April 2026, the WordPress community faced one of the most calculated security incidents it has seen in years – a WordPress supply chain attack that quietly compromised more than 30 plugins installed on over 400,000 websites worldwide. Unlike most plugin vulnerabilities that stem from coding errors, this attack was deliberate and patient. An attacker purchased an established plugin portfolio, injected a hidden backdoor into a routine update, then waited eight months before activating it. By the time security researchers caught on, thousands of sites had already been serving hidden SEO spam to Google without their owners knowing.

The WordPress Supply Chain Attack That Hit 400,000 Sites

The incident centres on a plugin portfolio known as Essential Plugin – a collection of 31 WordPress plugins that had built a significant user base over several years.…