Anavem

WordPress Plugin Backdoor Exposed After Five Years

Quick Page/Post Redirect plugin containing hidden backdoor code affects over 70,000 WordPress installations worldwide.

30 April 2026, 00:13

Last updated 30 April 2026, 03:17

SEVERITY: High
EXPLOIT: Active Exploit
PATCH STATUS: Unavailable
VENDOR: WordPress Plugin Developer
AFFECTED: Quick Page/Post Redirect WordP...
CATEGORY: Malware

Five-Year WordPress Plugin Backdoor Discovery Shocks Security Community

Security researchers discovered a sophisticated backdoor embedded within the Quick Page/Post Redirect WordPress plugin on April 30, 2026. The malicious code, which remained undetected for approximately five years, grants attackers the ability to inject arbitrary code into any WordPress site running the compromised plugin. The backdoor affects more than 70,000 active WordPress installations globally, making this one of the most widespread plugin-based supply chain attacks in WordPress history.

The Quick Page/Post Redirect plugin, designed to help website administrators manage URL redirections and page forwarding, has been a popular choice among WordPress users since its initial release. The plugin's legitimate functionality masked the presence of the backdoor code, which was carefully crafted to avoid detection by standard security scanning tools. The malicious code was embedded deep within the plugin's core files, disguised as routine redirect processing functions.

Initial analysis suggests the backdoor was introduced through a compromised developer account or malicious update pushed to the WordPress.org plugin repository. The timing coincides with a period of increased supply chain attacks targeting open-source software repositories. Security researchers noted that the backdoor code was professionally written, indicating this was likely the work of experienced threat actors rather than opportunistic hackers.

The discovery came to light when multiple WordPress security firms began investigating unusual network traffic patterns from sites running the plugin. Cross-referencing these patterns led to the identification of the hidden backdoor functionality. The CISA Known Exploited Vulnerabilities catalog is expected to include this threat once a formal CVE identifier is assigned.

WordPress.org administrators immediately removed the plugin from the official repository upon confirmation of the backdoor. However, existing installations remain vulnerable until site administrators take manual action to remove or replace the plugin. The WordPress security team has issued emergency notifications to all registered users of the affected plugin, urging immediate remediation.

Massive WordPress Site Exposure Spans Multiple Industries

The backdoor affects all versions of the Quick Page/Post Redirect plugin installed across more than 70,000 WordPress sites worldwide. This includes small business websites, e-commerce platforms, corporate blogs, and personal sites that rely on the plugin for URL management and redirect functionality. The plugin's popularity among WordPress users means the affected sites span virtually every industry sector, from healthcare and finance to education and retail.

Site administrators running WordPress installations with the Quick Page/Post Redirect plugin are at immediate risk of unauthorized code execution. The backdoor provides attackers with the ability to inject malicious scripts, steal sensitive data, modify website content, or use compromised sites as launching points for further attacks. E-commerce sites face particular risk, as the backdoor could be exploited to harvest customer payment information or inject malicious code into checkout processes.

WordPress hosting providers have begun scanning their managed installations to identify affected sites. Major hosting companies including WP Engine, SiteGround, and Bluehost have started automated detection and notification processes for their customers. However, self-hosted WordPress sites and those managed by smaller hosting providers may not receive immediate notification, leaving administrators unaware of their exposure.

The five-year duration of the backdoor's presence means that affected sites may have been compromised multiple times without detection. Log analysis from several affected sites reveals suspicious activity patterns dating back years, suggesting the backdoor has been actively exploited by threat actors. Organizations using affected sites for business-critical operations should assume potential data compromise and initiate incident response procedures.

Immediate WordPress Plugin Removal and Security Hardening Required

WordPress administrators must immediately deactivate and delete the Quick Page/Post Redirect plugin from all installations. The removal process requires accessing the WordPress admin dashboard, navigating to the Plugins section, and selecting 'Deactivate' followed by 'Delete' for the Quick Page/Post Redirect plugin. Site administrators should also verify complete removal by checking the /wp-content/plugins/ directory via FTP or file manager to ensure no residual files remain.
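The residual-file check described above can be run across many installations at once. The following Python script is an added example, not part of the original article or of any vendor tooling. Because the article does not give the plugin's on-disk directory name, it matches on the `Plugin Name:` header that WordPress reads from a plugin's PHP files; the sample tree, the header text in it and `placeholder-slug` are constructed for the demonstration.

```python
import os
import re
import tempfile

# WordPress reads plugin metadata from a comment header in the first 8 KiB
# of the PHP files in a plugin's top-level directory.
HEADER_RE = re.compile(rb"^[ \t/*#@]*Plugin Name:(.*)$", re.I | re.M)
TARGET = "Quick Page/Post Redirect"  # plugin name as given in the article


def plugin_name(php_path):
    """Return the 'Plugin Name' header value of a PHP file, or None."""
    try:
        with open(php_path, "rb") as fh:
            match = HEADER_RE.search(fh.read(8192))
    except OSError:
        return None
    return match.group(1).decode("utf-8", "replace").strip(" \t\r*/") if match else None


def find_residual_plugin(search_root, target=TARGET):
    """Return plugin directories under any wp-content/plugins/ whose header
    names the target plugin, whether or not the plugin is still active."""
    hits = set()
    for dirpath, dirnames, _ in os.walk(search_root):
        parent, leaf = os.path.split(os.path.normpath(dirpath))
        if leaf != "plugins" or os.path.basename(parent) != "wp-content":
            continue
        for entry in dirnames:
            plugin_dir = os.path.join(dirpath, entry)
            for fname in os.listdir(plugin_dir):
                if not fname.lower().endswith(".php"):
                    continue
                name = plugin_name(os.path.join(plugin_dir, fname))
                if name and target.lower() in name.lower():
                    hits.add(plugin_dir)
        dirnames[:] = []  # do not descend into individual plugins
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample tree; "placeholder-slug" is not the real directory name.
    root = tempfile.mkdtemp()
    demo = os.path.join(root, "site-a", "wp-content", "plugins", "placeholder-slug")
    os.makedirs(demo)
    with open(os.path.join(demo, "main.php"), "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: Quick Page/Post Redirect Plugin\n*/\n")
    print(find_residual_plugin(root))
```

To check real installations, call `find_residual_plugin()` with the directory that holds the sites' web roots; an empty list means no plugin directory carrying that header remains.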

After plugin removal, administrators should conduct comprehensive security audits of their WordPress installations. This includes reviewing user accounts for unauthorized additions, checking file integrity against clean WordPress core files, and analyzing server logs for suspicious activity patterns. The Microsoft Security Response Center recommends implementing additional monitoring for sites that may have been compromised through supply chain attacks.

Organizations should immediately change all WordPress administrative passwords, revoke and regenerate API keys, and review database contents for unauthorized modifications. Security plugins such as Wordfence, Sucuri, or iThemes Security should be installed to provide ongoing monitoring and malware detection capabilities. These tools can help identify any persistent threats that may have been installed through the backdoor.

For sites requiring redirect functionality, administrators should migrate to alternative plugins such as Redirection, Safe Redirect Manager, or Simple 301 Redirects after thorough security vetting. Before installing any replacement plugin, verify the developer's reputation, review recent update history, and check for security audit reports. WordPress.org's plugin repository now includes enhanced security screening, but additional due diligence remains essential for business-critical installations.

Frequently Asked Questions

How do I remove the Quick Page/Post Redirect plugin backdoor?
Immediately deactivate and delete the Quick Page/Post Redirect plugin from your WordPress admin dashboard. Navigate to Plugins, find Quick Page/Post Redirect, click Deactivate then Delete. Verify complete removal by checking the /wp-content/plugins/ directory via FTP.

How long has the WordPress plugin backdoor been active?
The backdoor has been present in the Quick Page/Post Redirect plugin for approximately five years, remaining undetected since around 2021. This extended timeframe means affected sites may have been compromised multiple times without administrator knowledge.

What can attackers do with the WordPress plugin backdoor?
The backdoor allows attackers to inject arbitrary code into affected WordPress sites, potentially stealing sensitive data, modifying website content, or using compromised sites for further attacks. E-commerce sites face particular risk of payment data theft.
