From a 7 KB file to a 13-year backdoor operation
tech
According to security research published by Anchor Hosting, a WordPress security researcher has uncovered a thirteen-year backdoor operation hidden across forty-four plugins and nineteen separate developer accounts, all controlled by a single operator. The discovery began when the researcher decoded a 7 KB compressed file flagged by WordPress.org's review team. The decoded payload turned out to be a dropper that installed remote-access malware on websites running a math-captcha plugin with six thousand active installations.
Tracing the malware's infrastructure revealed a coordinated operation run under multiple identities, including SiteGuarding and SafetyBis, a Cyprus shell company dissolved in 2016 whose domain was still serving as a live command-and-control endpoint in 2026. The campaign spans three waves from 2013 through 2026, with increasingly sophisticated evasion at each stage: inline backdoors in plugin source, then compressed binary files, then randomly named archives.
The backdoor itself is a 482-line PHP tool providing remote file access and code execution. Notably, the operator deployed an updated version in April 2026, one day after WordPress.org closed the accounts, which shows the operation remains active. The researcher estimates the backdoor infected hundreds of thousands of websites through these plugins alone. The complete investigation and indicator list are published on WP Beacon.
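As an added illustration (not code from Anchor Hosting, WP Beacon or the researcher, and not the published indicator list), the following Python scanner applies generic heuristics for the three evasion stages described above to a constructed sample plugin tree: eval-of-decoded-payload patterns in PHP source (inline backdoors), non-PHP files that decompress to PHP code (compressed binary payloads), and archives with random-looking basenames. The sample files, regexes, file extensions and thresholds are assumptions made for this example, not indicators tied to the campaign.

```python
import gzip
import math
import os
import re
import tempfile
import zlib

# Generic heuristics written for this example; they are not the indicators
# published by the researcher and will need tuning on a real plugin tree.

# Stage 1: inline backdoor, e.g. eval(gzinflate(base64_decode('...')))
INLINE_EVAL = re.compile(
    rb"\b(eval|assert|create_function)\s*\(\s*"
    rb"(gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(",
    re.I,
)
# Stage 2: PHP loader that reads a sibling non-PHP blob (assumed extensions)
LOADER = re.compile(
    rb"(file_get_contents|fread)\s*\([^;]{0,200}\.(dat|bin|txt|gz)\b", re.I
)
# Stage 3: archive whose basename is a long run of random-looking characters
RANDOM_ARCHIVE = re.compile(r"^[a-z0-9]{12,}\.(zip|tar|gz|tgz|phar)$", re.I)

ZIP_MAGIC = b"PK\x03\x04"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed blobs sit near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def decompress_any(data: bytes):
    """Try gzip, zlib and raw deflate, the schemes PHP droppers commonly use."""
    for fn in (gzip.decompress, zlib.decompress,
               lambda d: zlib.decompress(d, -zlib.MAX_WBITS)):
        try:
            return fn(data)
        except Exception:
            continue
    return None


def scan_file(path: str) -> list:
    """Return the list of heuristic labels that fire for one file."""
    findings = []
    name = os.path.basename(path)
    with open(path, "rb") as fh:
        data = fh.read()
    if name.lower().endswith(".php"):
        if INLINE_EVAL.search(data):
            findings.append("inline-eval-of-decoded-payload")
        if LOADER.search(data):
            findings.append("loads-sibling-blob")
    else:
        inflated = decompress_any(data)
        if inflated is not None and b"<?php" in inflated:
            findings.append("compressed-blob-decodes-to-php")
        elif len(data) > 1024 and shannon_entropy(data) > 7.2:
            findings.append("high-entropy-blob")  # possibly encrypted payload
        if RANDOM_ARCHIVE.match(name):
            findings.append("random-named-archive")
    return findings


def scan_plugin_tree(root: str) -> dict:
    """Map each flagged file (path relative to root, '/'-separated) to its labels."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            hits = scan_file(p)
            if hits:
                results[os.path.relpath(p, root).replace(os.sep, "/")] = hits
    return results


def build_sample_tree() -> str:
    """Constructed sample plugin directory for this example (not a real plugin)."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    plugin = os.path.join(root, "example-plugin")
    os.makedirs(os.path.join(plugin, "lib"))
    files = {
        # benign source
        "captcha.php": b"<?php\nfunction ep_render() { return '2 + 2 = ?'; }\n",
        # stage 1: inline eval of a decoded payload
        "helper.php": b"<?php\neval(gzinflate(base64_decode('eJwDAAAAAAE=')));\n",
        # stage 2: loader plus a compressed blob that inflates to PHP
        "loader.php": b"<?php\n$d = file_get_contents(__DIR__ . '/lib/fonts.dat');\n"
                      b"eval(gzinflate($d));\n",
        "lib/fonts.dat": gzip.compress(
            b"<?php if (isset($_POST['c'])) { eval($_POST['c']); }"),
        # stage 3: archive with a random-looking name (contents irrelevant here)
        "a8f3k2q9z7w1.zip": ZIP_MAGIC + b"\x00" * 64,
    }
    for rel, content in files.items():
        with open(os.path.join(plugin, rel), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, labels in sorted(scan_plugin_tree(build_sample_tree()).items()):
        print(path, labels)
```

Point `scan_plugin_tree` at a real `wp-content/plugins` directory to triage it; every label is a lead to inspect by hand, not a verdict, since legitimate plugins also ship compressed assets and occasionally use `base64_decode`.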
Source: https://anchor.host/from-a-7-kb-file-to-a-13-year-backdoo...