⚠️ Critical WordPress Security Alert

Malicious backdoors discovered in dozens of plugins affecting thousands of websites worldwide.

Security researchers have uncovered a widespread supply-chain attack targeting WordPress plugins, silently giving attackers full access to affected websites.

🔍 What Happened?

A recent investigation revealed that multiple WordPress plugins were compromised and distributed with hidden backdoors. These backdoors allow attackers to:

  • Execute remote code on your server
  • Create unauthorized admin accounts
  • Inject spam, malware, or phishing content
  • Completely take over your website

This is not a typical vulnerability – this is a deliberate supply-chain compromise, meaning even legitimate plugin downloads may have been infected.

🧨 List of Compromised Plugins

If you are using any of the following plugins, you must act immediately:

  • accordion-and-accordion-slider
  • album-and-image-gallery-plus-lightbox
  • audio-player-with-playlist-ultimate
  • blog-designer-for-post-and-widget
  • countdown-timer-ultimate
  • featured-post-creative
  • footer-mega-grid-columns
  • hero-banner-ultimate
  • html5-videogallery-plus-player
  • meta-slider-and-carousel-with-lightbox
  • popup-anything-on-click
  • portfolio-and-projects
  • post-category-image-with-grid-and-slider
  • post-grid-and-filter-ultimate
  • preloader-for-website
  • product-categories-designs-for-woocommerce
  • sp-faq
  • sliderspack-all-in-one-image-sliders
  • sp-news-and-widget
  • styles-for-wp-pagenavi-addon
  • ticker-ultimate
  • timeline-and-history-slider
  • woo-product-slider-and-carousel-with-category
  • wp-blog-and-widgets
  • wp-featured-content-and-slider
  • wp-logo-showcase-responsive-slider-slider
  • wp-responsive-recent-post-slider
  • wp-slick-slider-and-image-carousel
  • wp-team-showcase-and-slider
  • wp-testimonial-with-widget
  • wp-trending-post-slider-and-widget

🛡️ Immediate Action Plan

Step 1: Remove Suspicious Plugins

  • Deactivate and delete any plugin listed above
  • Do NOT just disable — fully remove them

Step 2: Scan Your Website

  • Run a full malware scan
  • Check for unknown admin users
  • Review modified files and timestamps

Step 3: Reset Everything

  • Change all passwords (WordPress, cPanel, FTP, database)
  • Regenerate salts in wp-config.php

Step 4: Restore from Backup

  • Restore a clean backup taken BEFORE the infection date
  • Verify integrity before going live
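
A check for Steps 1 and 2 above, as an added example that is not part of the original article: it reports which of the listed plugin directories are still on disk under a WordPress root (deactivated plugins included) and lists recently modified PHP files. The function names, the WP_ROOT and DAYS variables, and the 30-day default are assumptions made for this example.

```shell
# Slugs copied from the list on this page; function names are illustrative.
LISTED_SLUGS="
accordion-and-accordion-slider album-and-image-gallery-plus-lightbox
audio-player-with-playlist-ultimate blog-designer-for-post-and-widget
countdown-timer-ultimate featured-post-creative footer-mega-grid-columns
hero-banner-ultimate html5-videogallery-plus-player
meta-slider-and-carousel-with-lightbox popup-anything-on-click
portfolio-and-projects post-category-image-with-grid-and-slider
post-grid-and-filter-ultimate preloader-for-website
product-categories-designs-for-woocommerce sp-faq
sliderspack-all-in-one-image-sliders sp-news-and-widget
styles-for-wp-pagenavi-addon ticker-ultimate timeline-and-history-slider
woo-product-slider-and-carousel-with-category wp-blog-and-widgets
wp-featured-content-and-slider wp-logo-showcase-responsive-slider-slider
wp-responsive-recent-post-slider wp-slick-slider-and-image-carousel
wp-team-showcase-and-slider wp-testimonial-with-widget
wp-trending-post-slider-and-widget
"

# Print every listed slug that still has a directory under wp-content/plugins.
# Directory presence is checked because a deactivated plugin's files remain on disk.
find_listed_plugins() {
    plugins_dir="$1/wp-content/plugins"
    if [ ! -d "$plugins_dir" ]; then
        echo "no plugins directory at $plugins_dir" >&2
        return 2
    fi
    for slug in $LISTED_SLUGS; do
        if [ -d "$plugins_dir/$slug" ]; then echo "$slug"; fi
    done
}

# Print PHP files under $1 modified within the last $2 days (Step 2 review).
# mtime can be reset by whoever wrote the file, so treat hits as leads only.
recent_php_changes() {
    find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# Runs only when WP_ROOT is set, e.g. WP_ROOT=/var/www/html sh check.sh
if [ -n "${WP_ROOT:-}" ]; then
    echo "Listed plugins still on disk:"; find_listed_plugins "$WP_ROOT"
    echo "PHP files changed in the last ${DAYS:-30} days:"
    recent_php_changes "$WP_ROOT" "${DAYS:-30}"
fi
```

An empty first list means none of the listed slugs is installed under that root; it says nothing about whether the site was already modified while one of them was present.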

⚡ Why Hosting Security Matters More Than Ever

This incident highlights a critical reality: your hosting environment is your last line of defense.

At UnderHost Managed WordPress Hosting, we go beyond basic hosting:

  • 🛡️ Real-time malware detection and isolation
  • 🔄 Daily automated backups with multiple restore points
  • ⚡ Hardened Nginx + PHP-FPM stack for security and performance
  • 🔐 Server-level firewall and exploit protection
  • 📡 Global infrastructure across secure datacenters

Even if a plugin is compromised, our infrastructure helps contain and mitigate the damage before it spreads.

💾 Backup Is Your Safety Net

If your site gets compromised and you don’t have backups, recovery becomes nearly impossible.

Protect your data with:
Backup Hosting Solutions | Business Backup Plans | Cold Storage Backup

Use code KEEPSAFE to get 15% OFF all backup plans.

🚀 Secure Your WordPress with UnderHost

Don’t Wait Until It’s Too Late

Migrate your WordPress site to a secure, managed environment today.


📞 Need Immediate Help?

If you suspect your website has been compromised, contact our team immediately via @CustomerPanel.

We can:

  • Clean infected websites
  • Restore backups safely
  • Harden your server against future attacks

This article is based on recent security disclosures reported by TechCrunch regarding compromised WordPress plugins affecting thousands of websites worldwide.