WP Beacon tracks every plugin on wordpress.org — its authors, committers, and releases — to flag ownership transfers, dormant-then-activated takeovers, and release patterns that match known attacks.
A WordPress plugin can sit dormant on wp.org for years with a small but loyal install base. When the original author moves on, the slug is for sale on Flippa, Codecanyon, or a quiet email. Whoever buys it inherits the auto-update channel into thousands of live sites — and most attacks don’t show up in scanners that look for vulnerable code, because the takeover itself is the vulnerability.
Patchstack and Wordfence catch CVEs in code. WP Beacon catches the shape of an attack: who owns the slug, when their account was created, when their domain was registered, when a quiet plugin suddenly cuts a release after years of silence.
Buyer purchased ~33 plugins via Flippa in May 2025, planted a dormant analytics-essentialplugin.com C2 with an Ethereum-RPC fallback channel, then waited. 22 of the 33 trunks still ship the declawed source today.
Confirmed malicious. Acquired in June 2024 from the original author. New owner registered widgetlogic.org as a fresh C2 domain, weaponized it two months later via an external JavaScript callback wired into the plugin’s settings page.
Original author wired a third-party update channel into the wp.org build in late 2020, then used it to serve a tampered 5.2.3 with a content-injection hook firing on logged-out page views — calling out to w.anadnet.com/bro/3/. The C2 went NXDOMAIN in 2021. Dormant for five years, but every install still polls the attacker-controlled endpoint.
Every signal below traces to a documented attack — nothing speculative. Each rule fires an event that can be triaged, audited, and (if confirmed) added to the public IOC catalog so the next scan catches the same shape across the rest of the corpus.
An established plugin gets a new SVN committer whose wp.org account was created <12 months before their first commit, with no post-handoff activity from the prior maintainer.
One committer joining many established plugins inside a short window — the portfolio-purchase signature behind the EssentialPlugin attack.
The plugin’s current wp.org author belongs to an account registered >180 days after the plugin’s earliest SVN commit. Catches ownership transfers from a single snapshot.
Plugin’s author URI or code-level callback points to a domain registered long after the plugin itself — the widgetlogic.org signature. RDAP-resolved.
A release after a long quiet period — dormancy then weaponization, the classic late-stage compromise pattern.
A plugin releases a two-segment version X.0N that PHP orders above its subsequent canonical X.0.N releases, so auto-update never offers those later releases to sites already on X.0N.
Trunk grep against the IOC catalog (domains, function names, callback URLs from prior audits). New high-signal patterns in a release fire as a delta.
One committer pushes the same changelog string across multiple plugins in a 14-day window — the decoy-commit pattern that disguised the EssentialPlugin rollout.
A plugin previously closed for security issues reopens — by acquisition, ownership transfer, or wp.org reactivation. The 6,000+ already-flagged plugins are the target pool.
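The version-ordering signal above, as an added example in Python that is not WP Beacon's own code: php_version_compare() mirrors PHP's version_compare() canonicalisation and ordering, and find_version_shadowing() walks a plugin's tags in chronological order and reports any two-segment X.0N tag that outranks a later canonical X.0.N release. The tag list is constructed and the function names are assumptions.

```python
import re

# PHP's prefix-matched ranks for non-numeric parts; '#' = any number, unknown = -1
_FORMS = [("dev", 0), ("alpha", 1), ("a", 1), ("beta", 2), ("b", 2),
          ("RC", 3), ("rc", 3), ("#", 4), ("pl", 5), ("p", 5)]

def _canon(v):
    # PHP canonicalisation: '_' '-' '+' -> '.', '.' at digit/non-digit boundaries
    v = re.sub(r"[-_+]", ".", v)
    v = re.sub(r"(\d)([^\d.])", r"\1.\2", v)
    v = re.sub(r"([^\d.])(\d)", r"\1.\2", v)
    return [p for p in v.split(".") if p]  # also collapses runs of '.'

def _rank(part):
    part = "#" if part.isdigit() else part
    return next((o for name, o in _FORMS if part.startswith(name)), -1)

def _cmp_part(a, b):
    if a.isdigit() and b.isdigit():
        return (int(a) > int(b)) - (int(a) < int(b))
    return (_rank(a) > _rank(b)) - (_rank(a) < _rank(b))

def php_version_compare(v1, v2):
    """Mirror of PHP's version_compare(): returns -1, 0 or 1."""
    p1, p2 = _canon(v1), _canon(v2)
    for a, b in zip(p1, p2):
        if c := _cmp_part(a, b):
            return c
    if len(p1) > len(p2):  # extra numeric part wins; extra 'dev'/'RC' loses
        rest = p1[len(p2)]
        return 1 if rest.isdigit() else _cmp_part(rest, "#")
    if len(p2) > len(p1):
        rest = p2[len(p1)]
        return -1 if rest.isdigit() else _cmp_part("#", rest)
    return 0

_TWO_SEG = re.compile(r"^\d+\.0\d+$")        # X.0N form, e.g. 5.05
_CANONICAL = re.compile(r"^\d+\.\d+\.\d+$")  # X.0.N form, e.g. 5.0.6

def find_version_shadowing(releases):
    """Tags in chronological order -> (suspect, shadowed) pairs: a two-segment X.0N
    tag PHP orders above a later canonical release that auto-update then skips."""
    hits = []
    for i, r in enumerate(releases):
        if _TWO_SEG.match(r):
            hits += [(r, s) for s in releases[i + 1:]
                     if _CANONICAL.match(s) and php_version_compare(r, s) > 0]
    return hits

# Constructed tag history (not a real plugin): 5.05 outranks every later canonical tag
SAMPLE_TAGS = ["5.0.4", "5.0.5", "5.05", "5.0.6", "5.0.7"]
```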
Every read is from a public source: the wordpress.org plugin API, plugins.svn.wordpress.org, profiles.wordpress.org, and RDAP. No login, no scraping behind auth, no hidden inputs. The detector runs as a WordPress plugin against its own database, scheduled hourly via WP-Cron.
wp.org API + closed-plugin discovery + author profiles + author-URI domain extraction.
Per-plugin svn log, committer attribution, code-pattern fingerprinting, callback-domain harvesting.
Resolve registration dates for author URIs and code-level callback hosts. Feeds the domain-age rules.
Every detection rule runs against the latest snapshot. Events are deduplicated; already-audited events don’t re-fire.
Confirmed events become audits. Audits extract IOCs. IOCs feed back into the next scan.
The detector is running in production. The audit catalog has confirmed campaigns. The acquirers surface lists every legitimate plugin acquisition on wordpress.org — and now flags the malicious ones too. The full public explorer comes online when the data is solid enough to publish without footnotes.
Follow anchor.host for the launch announcement and a write-up of every confirmed campaign as the audits land.
wpbeacon.io · launching soon