This WordPress plugin was hijacked — are you safe?

What you need to know

This post explains a recent case where a popular WordPress plugin was hijacked. It outlines how the attack happened and what risks it introduced. You will learn to identify signs of compromised plugins.

We will also explore how such incidents affect site security. Finally, we offer tips to protect your website. The goal is to help you stay informed and secure.

What is a WordPress plugin

A WordPress plugin is a software add-on that extends website functionality. Plugins handle features like SEO, contact forms, caching, and more. While useful, they can also introduce vulnerabilities.

If a plugin is poorly coded or abandoned, it becomes an easy target. Users often install them without checking security details. This makes plugin security a critical issue.

Why plugins get targeted

Plugins control major functions of websites. Hackers target them to gain wide access quickly. Many plugins are built by small developers with limited oversight.

If these plugins are not maintained, attackers can exploit old code. Sometimes developers sell or abandon them, opening doors to malicious buyers. This creates serious security concerns for site owners.

Signs of a hijacked plugin

A hijacked plugin may behave strangely or install updates without notice. It may redirect visitors, slow down your site, or send spam emails. You might see strange admin users or unexpected file changes.

Security plugins may flag it as suspicious. If the plugin’s page or changelog suddenly changes, it could be a red flag. Quick attention to such signs is important.

Recently hijacked plugin revealed

The Gravity Forms plugin is installed on over five million WordPress sites. In July 2025, threat actors briefly compromised downloadable versions 2.9.11.1 and 2.9.12, injecting malware that enabled remote code execution, metadata collection, and creation of unauthorized administrator accounts.

The compromise was limited to manual downloads and Composer installs, as the official Gravity Forms API and auto‑update system remained secure.

How the takeover happened

The attackers compromised the plugin distribution (e.g., a ZIP file on the developer’s site). They then released a seemingly normal update to build trust.

Days later, they inserted harmful code in a follow-up version. Manual downloads or Composer installs during that narrow window were affected.

What the hackers changed

The compromised plugin ZIP included malicious files that enabled remote code execution, metadata harvesting, and unauthorized admin account creation. The malware was disguised within the package and delivered only through manual downloads or Composer installs.

Even the plugin description and version history were rewritten. This made it harder for users to trace the attack’s origin.

Hidden malware in updates

The malicious update appeared harmless at first. It included small feature improvements to delay suspicion. Buried in the code were external calls to untrusted domains.

These injected malware into pages or redirected users. Many victims only discovered it after visitor complaints. Malware scanning tools later confirmed the infections.

What this means for users

Site owners using the plugin unknowingly exposed their visitors to danger. Visitors could have landed on phishing pages or downloaded malware. This damages trust and can lead to blacklisting by search engines.

Site performance and rankings may also drop. Recovering from such attacks takes time and effort. Many affected users had to clean and rebuild their sites.

How websites were affected

Some websites began redirecting traffic to adult or scam pages. Others faced performance issues due to background scripts. Admins noticed strange users and plugin settings.

Several hosts flagged the sites for abuse and suspended them. Repeated infections occurred if the plugin was not removed completely. These issues lasted even after the plugin was deleted.

Data and security concerns

In some cases, the hijacked plugin collected visitor data. IP addresses, form entries, and login credentials were exposed. If the plugin had access to e-commerce tools, customer data was at risk.

This opens sites to legal and privacy issues. Websites using cached or shared hosting faced even wider infection. Regular data backups proved essential for damage control.

Spotting suspicious plugin behavior

Keep an eye on unusual plugin updates or changes in ownership. Watch for sudden changes in descriptions, features, or author names. Review update notes and avoid auto-updating unknown plugins.

If your site behaves oddly, audit the most recent plugin changes. Use security tools that alert you to file or behavior anomalies. Regularly compare plugin code to trusted versions.
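
One way to compare an installed plugin against a trusted copy of the same version, shown as an added example that is not part of the original article. The directory names, sample files and host allowlist are constructed for illustration; in practice `trusted` would be a copy unpacked from a source you have verified.

```python
import hashlib
import re
import tempfile
from pathlib import Path

URL_HOST = re.compile(rb"https?://([A-Za-z0-9.-]+)")

def tree_hashes(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare_plugin(installed: Path, trusted: Path, allowed_hosts: set) -> dict:
    """Diff an installed plugin against a trusted copy of the same version."""
    have, want = tree_hashes(installed), tree_hashes(trusted)
    added = sorted(set(have) - set(want))
    removed = sorted(set(want) - set(have))
    modified = sorted(f for f in set(have) & set(want) if have[f] != want[f])
    # In files that differ from the trusted copy, list hosts the code references
    # that are not on the allowlist (possible external calls).
    hosts = {}
    for rel in added + modified:
        found = {h.decode().lower() for h in URL_HOST.findall((installed / rel).read_bytes())}
        unknown = sorted(found - allowed_hosts)
        if unknown:
            hosts[rel] = unknown
    return {"added": added, "removed": removed, "modified": modified, "unknown_hosts": hosts}

def demo() -> dict:
    """Build two constructed plugin trees in a temp dir and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted, installed = Path(tmp, "trusted"), Path(tmp, "installed")
        for root in (trusted, installed):
            (root / "includes").mkdir(parents=True)
            (root / "plugin.php").write_text("<?php // Constructed sample plugin\n")
            (root / "includes/api.php").write_text("<?php $u = 'https://api.example.org/v1';\n")
        # Constructed tampering: one modified file, one file that should not exist.
        (installed / "includes/api.php").write_text(
            "<?php $u = 'https://api.example.org/v1'; $c = 'http://updates.example.net/c';\n")
        (installed / "includes/extra.php").write_text("<?php // not in trusted copy\n")
        return compare_plugin(installed, trusted, {"api.example.org"})

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Any entry under `added`, `modified` or `unknown_hosts` is a reason to inspect the file by hand before trusting the plugin again.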

Updating plugins securely

Only update plugins after reading the changelog and checking reviews. Avoid auto-updates for lesser-known plugins. Stick to those with strong community support or from verified developers.

Before updating, take a full backup of your site. Test updates in a staging environment when possible. Use plugin monitors to detect unauthorized changes.

Using trusted plugin sources

Always install plugins from the official WordPress repository. Avoid downloading plugins from unknown third-party sites. Premium plugins should come directly from the developer.

Check the last update date and support response times. Ratings and active install counts can signal quality. Reliable sources reduce the chance of installing compromised code.

Backup and restore options

Regular backups are your first line of defense. Use automated backup plugins or hosting-level tools. Store backups in a secure off-site location.

Test the restore process to ensure it works under pressure. Back up both your files and your database. In the event of a plugin hijack or malware, quick restoration limits the damage.

Steps to protect your site

Audit your installed plugins and remove unused ones. Enable two-factor authentication for admin users. Use a firewall plugin to block suspicious activity.

Schedule regular scans for malware and vulnerabilities. Review plugin ownership changes when notified. Staying proactive is the best way to avoid plugin-related threats.

This slideshow was made with AI assistance and human editing.
