The Writing King Your Ethical Ghostwriter. Your Story, Done Right.

My Own Site Got Hit: Anatomy of a WordPress Supply-Chain Attack

TL;DR

A WordPress plugin vendor sold their entire catalog, and the buyer poisoned it, pushing malware to hundreds of thousands of sites. Mine was one of them. My host quarantined the payload and gave me three days to fix it. Deleting the file took a minute. Finding out how it got there took two days of forensics, and the trail ended at a supply chain sold to an attacker. Here is the whole incident, including the thirty-second clue that cracked it.

I have spent decades in cybersecurity, so I know how this sounds: my website got malware. Both my sites run WordPress on SiteGround, and one morning I got an email from their scanner. Malware detected, quarantined, fix this within three days or bad things happen. That is nearly a direct quote. My heart fluttered. This site is my business.

The prescribed fix was easy. The quarantined file was sitting right there; delete it and the alert clears. I deleted it immediately. And then I did not stop, because deleting the payload without understanding the entry is not remediation, it is housekeeping. If you do not know how it got in, it is coming back.

Two days of forensics

I spent the next two days investigating, working with an AI assistant as a research partner, a workflow I recommend to anyone doing solo incident response. The question was simple: what put that file there?

The answer turned out to be bigger than my site. A WordPress plugin vendor had sold their entire plugin catalog to a new owner, and the new owner poisoned it. Updates pushed through the legitimate update channel carried malware to every site running those plugins. Hundreds of thousands of installations received the infection through the front door, signed and delivered by the normal update mechanism. The episode is publicly documented, and reading the reports was an education: this was not a break-in. The attackers bought the supply chain.

My plugins did not appear on the published list of the sold catalog. That proved nothing, and I treated it as proving nothing. Lists compiled during an active incident are incomplete by nature.

Why supply chains are the attack that scales

Understand the economics and you understand why this attack class is growing. Breaking into one website earns an attacker one website. Poisoning a plugin vendor earns the attacker every site running that vendor’s code, delivered automatically, through a channel every site trusts by design. In this incident, one acquisition converted into a foothold on hundreds of thousands of sites simultaneously. No exploit development, no scanning for vulnerabilities, no defenses to defeat, because the update mechanism is not a defense, it is a welcome mat.

The purchase angle deserves more fear than it gets. We train ourselves to imagine attackers as intruders, but nothing requires intrusion when ownership is for sale. Small software vendors sell their products constantly, for retirement, for consolidation, for a payday, and the transaction transfers something no one prices correctly: the standing, trusted access to every installation. The buyer of a plugin catalog buys the update keys to every site running it. Due diligence flows one direction in those sales, toward the buyer. The users, whose sites are the actual asset changing hands, are never consulted and rarely notified.

Nobody broke in. The attackers bought the plugin vendor and pushed malware through the update channel every site trusts by design.
Share on X

The thirty-second clue

What cracked it was timestamps. One of my plugins had updated within the same thirty seconds as the infection landing on my server. Update completes, malware appears, thirty seconds apart. That is not coincidence, that is causation with a receipt. I proceeded on the basis that the plugin was poisoned, removed it, and moved to hardening.

Hardening: never again

Because I am a security guy, cleanup was not the end. I went through the whole site the way I used to go through enterprise systems after an incident. I removed every plugin that was not earning its place, on the reasoning that every plugin is a vendor relationship and every vendor relationship is supply-chain exposure. I hardened configurations across both sites.

Then I upgraded my host’s scanning to the premium tier, and the reason is worth understanding. The base scanner detects and notifies: you get the three-days-or-else email and you do the work. The premium tier quarantines automatically, no email, no three-day clock, plus a weekly scan report. I pay for the privilege of never getting that heart-flutter email again. Anything that drops malware into the site gets locked in a box before I ever hear about it. For a business that lives on its website, that is some of the cheapest insurance available.

Auditing your own supply chain

After the incident I formalized what I now do routinely, and what I recommend to anyone whose business depends on a website. Inventory your plugins and ask of each one: who owns this today, and is that who owned it when I installed it? Ownership changes are usually announced quietly, in changelog entries and transferred support addresses, and they are the single highest-value signal available. A plugin that changes hands is not necessarily compromised, but it has just re-rolled the dice on the only question that matters, which is whose code executes inside your site.

Then shrink the surface. Every plugin I removed during the hardening pass was a vendor relationship I no longer had to monitor. The plugin count on a typical WordPress site reflects accumulation, not need, and each entry on the list is a party you have granted code execution. Treat the list the way an enterprise treats vendor access, because that is precisely what it is.

Finally, assume the front door will fail anyway and position something behind it: server-side malware scanning with automatic quarantine, file-change monitoring, and backups that predate any compromise. My quarantine email was the system working. The premium upgrade was me deciding the system should work without needing me in the loop.

The lesson that transfers

Every breach, every near-breach, every breach I merely read about, I treat the same way: as a lesson, followed by whatever work it takes to make that class of incident impossible for me. That habit came from enterprise incident response and it applies at every scale. The supply-chain angle is the part most site owners never consider. You audit your own security and forget that every plugin author, every theme shop, every vendor in your stack can be bought, and their access to your site transfers with the sale. Trust is transitive, and attackers know it.

For more from this series, see the The Cybersecurity Hub: breaches, audits, and hard-won security lessons from four decades in the trenches.

The Guides That Get Your Book Written, Published, and Sold

Four short, practical guides on writing, publishing, and selling your book, plus the occasional note when there's something worth your time. No fluff, no daily inbox clutter. Drop your email and they're yours.

We use MailerLite to manage our list and send these emails. Your address is used only to send you what you signed up for. We will not sell it, share it, or use it for anything else, and you can unsubscribe anytime.

Frequently Asked Questions

What is a WordPress supply-chain attack?
An attack that compromises plugins or themes at the source so malware is delivered through legitimate update channels. In this incident, an attacker purchased an entire plugin catalog from its vendor and poisoned the updates, infecting hundreds of thousands of sites.
How do you trace where WordPress malware came from?
Correlate timestamps. Compare the infection time against plugin and theme update times, file modification dates, and access logs. In my case a plugin update landed within thirty seconds of the malware appearing, which identified the vector.
Is deleting the malware file enough to fix a hacked site?
No. Deleting the payload removes the symptom. Without identifying the entry vector, the site remains open to reinfection. Real remediation means finding the vector, closing it, and hardening the site against the same class of attack.

📁︎ Cybersecurity

🏷︎ WordPress Security🏷︎ Supply Chain Attack🏷︎ Malware🏷︎ Incident Response

📝 Disclaimer

The views and opinions expressed in this blog post are solely those of Richard Lowe and are based on personal experience and research. This content is for informational purposes only and should not be construed as professional legal, financial, accounting, or business advice. Always consult with qualified professionals before making important business or legal decisions. Richard Lowe is not a lawyer, accountant, or licensed professional advisor, and this content does not establish any professional relationship.