Millions of WordPress Sites Just Got Hacked... Again
Why It Matters
Enterprises relying on WordPress now face heightened supply‑chain risk, and adopting sandboxed platforms like Mdash could be essential to protect data and reputation.
Key Takeaways
- Supply‑chain hack compromised 31 WordPress plugins via purchased ownership.
- Backdoor lay dormant eight months before activating remote payloads.
- Attack used Ethereum smart contract to switch command‑and‑control domains.
- Cloudflare’s Mdash sandbox isolates plugins, limiting full‑system access.
- Developers can replace WordPress with AI‑generated frameworks quickly.
Summary
The video reports a massive supply‑chain compromise affecting 31 WordPress plugins, discovered after eight months of silent backdoor activity. The attacker bought the plugins on Flippa, inserted malicious code, and later activated it, turning ordinary updates into a weapon.
Unlike typical vulnerabilities, the breach relied on legitimate ownership transfer, allowing the attacker to push updates that fetched additional payloads and even altered core files such as wp‑config.php. Command‑and‑control was routed through an Ethereum smart contract, enabling rapid domain changes.
The host mentions Matt Mullenweg’s clash with WP Engine and notes that 96 % of recent WordPress issues stem from its plugin architecture, which runs PHP with full privileges. The exploit illustrates how a trusted update can bypass user suspicion.
In response, Cloudflare introduced Mdash, an MIT‑licensed, sandboxed replacement that runs plugins in isolated workers and grants only explicit capabilities. While not an immediate death knell for WordPress, the incident accelerates interest in sandboxed, AI‑generated alternatives and forces site owners to reassess plugin risk.