Watching the WordPress plugin supply chain.

WP Beacon tracks every plugin on wordpress.org — its authors, committers, and releases — to flag ownership transfers, dormant-then-activated takeovers, and release patterns that match known attacks.

Plugins watched: 115,083 (49,822 closed)
Authors tracked: 71,020
Installs covered: 334.1M+ active installs across all plugins
Forensic audits: 38 (20 malicious)

Active plugin hijacks

Plugins where a malicious author still controls the wordpress.org distribution. Tap any card for the full audit, IOCs, and the steps the author can take to clear this label. Labels clear automatically once wp beacon scan-deltas confirms the hijack is gone from trunk.

Closed by wp.org · trunk uncleaned

Quick Page/Post Redirect Plugin — 70k+ installs

The original author intentionally weaponized wordpress.org distribution to seed an out-of-band update channel they controlled — and then served tampered builds through that channel after the wp.org-distributed code went…

Actor: anadnet — original wp.org plugin author. Self-implanted backdoor, no acquisition or account inheritance involv…
Audit #13 · 12 IOCs

Closed by wp.org · trunk uncleaned

33 plugins — 180k+ active installs

Marketplace acquisition of an established 30-plugin portfolio used as a vehicle for a fleet-wide PHP-deserialization RCE backdoor with on-chain C2 resolution.

Actor: "Kris" — Flippa buyer of the WP Online Support / Essential Plugin portfolio (~33 plugins, six figures, early 2…
Audit #4 · 15 IOCs

Closed by wp.org · trunk uncleaned

Scroll To Top — 20k+ installs

Update-checker hijack with active stored-XSS / RCE primitives served from a Panama-fronted C2.

Actor: Benjamin (wp.org @milkitall, GitHub tombenj, tomgolan@gmail.com) — operates the inherited @satrya SVN account
Audit #12 · 11 IOCs

Closed by wp.org · trunk uncleaned

27 plugins — 5k+ active installs

SiteGuarding 27-plugin portfolio (2013-2020) — 15 plugins shipped siteguarding_tools.php v1.7 RCE backdoor INLINE in the plugin folder; 12 sibling plugins shipped phone-home guideline violations. wp.org closed all 27 in…

Actor: SiteGuarding (SafetyBis Ltd. — Cyprus HE 232905, dissolved 2016-01-11). 13-year operation, 27 plugins under @s…
Audit #28 · 7 IOCs

Closed by wp.org · trunk uncleaned

Web Image Optimization X — 100 installs

Attacker-controlled side-channel update endpoint shipped under the cover of "license validation" — same operator (SiteGuarding) and same sibling-plugin pair as audit #25 (wp-advanced-math-captcha). Where the wp-advanced-…

Actor: SiteGuarding (cmsplughub.com C2; wp.org account @dalielsam, sole plugin)
Audit #26 · 15 IOCs

Closed by wp.org · trunk uncleaned

Speedup Optimization — 100 installs

A previously-undocumented SiteGuarding burner, surfaced by the clean-on-closure hunt and closed in the same 2026-04-07 wave that took down the two documented burners.

Actor: SiteGuarding (SafetyBis Ltd.)
Audit #42 · 3 IOCs

Closed by wp.org · trunk uncleaned

WP Install From Web — 100 installs

This is a previously-undocumented SiteGuarding supply-chain backdoor burner. It was surfaced by hunting for plugins that WP.org cleaned on closure — i.e. where a Plugin Review Team account force-pushed a code change at t…

Actor: SiteGuarding (SafetyBis Ltd.)
Audit #43 · 3 IOCs

Closed by wp.org · trunk uncleaned

ByteDefense Security

A SiteGuarding security-branded front, surfaced by the clean-on-closure hunt. Unlike the documented closures that left malware in trunk, WP.org's plugin-master force-pushed a "Removing" commit at closure that stripped th…

Actor: SiteGuarding (SafetyBis Ltd.)
Audit #44 · 3 IOCs

Closed by wp.org · trunk uncleaned

WP Google Core Web Vitals Fix

A SiteGuarding burner with a full remote-code-execution + persistence backdoor — Tier A. Surfaced by the closed-plugin blob scan (the new payload-decode scanner), which matched cmsplughub.com in the trunk that the old PH…

Actor: SiteGuarding (SafetyBis Ltd.)
Audit #45 · 4 IOCs

Closed by wp.org · trunk uncleaned

Code Quality Control Tool

A SiteGuarding burner with an undisclosed wp-config.php persistence injection — Tier A. Surfaced by the closed-plugin blob scan, which matched safetybis.com in the trunk.

Actor: SiteGuarding (SafetyBis Ltd.)
Audit #46 · 3 IOCs

Closed by wp.org · trunk uncleaned

Magex AI Bot Defender

A SiteGuarding burner that routes through the safetybis.com C2 — Tier B (undisclosed phone-home / proxy, no in-plugin RCE sink). Surfaced by the closed-plugin blob scan via siteguarding.com + safetybis.com references in…

Actor: SiteGuarding (SafetyBis Ltd.)
Audit #47 · 3 IOCs

Closed by wp.org · trunk uncleaned

9 plugins — — active installs

Verdict: malicious — a previously-undocumented 2024 wave of nine SiteGuarding supply-chain burner plugins, each on its own throwaway wp.org account. This is a distinct third operational phase of the SiteGuarding operatio…

Actor: SiteGuarding (SafetyBis Ltd.) — 2024 burner wave
Audit #48 · 3 IOCs

Top authors by install base

The accounts with the biggest blast radius on wp.org. A new committer suddenly appearing under any of these is always worth a second look.

| # | Author | Member since | Plugins | Installs |
|---|--------|--------------|---------|----------|
| 1 | Syed Balkhi | 2008-06-22 | 95 | 23.5M+ |
| 2 | Automattic | 2009-11-05 | 79 | 19.2M+ |
| 3 | Yoast | 2013-11-14 | 7 | 14.2M+ |
| 4 | Elementor | 2018-05-10 | 14 | 12.2M+ |
| 5 | WordPress.org | 2010-03-24 | 20 | 11.9M+ |
| 6 | Rock Lobster Inc. | 2025-09-17 | 6 | 11.1M+ |
| 7 | LiteSpeed Technologies | 2016-01-20 | 2 | 7M+ |
| 8 | Brainstorm Force | 2011-09-08 | 32 | 6.8M+ |
| 9 | David Anderson / Team Updraft | 2008-01-02 | 16 | 6.4M+ |
| 10 | Google | 2006-11-17 | 3 | 5.1M+ |

Recent closures
