# Anatomy of a WordPress Supply Chain Attack **Date:** 2026-04-21 **Author:** Dan Maby **Categories:** Security & Privacy, WordPress > On 7 April 2026, the update infrastructure for a popular WordPress plugin was breached, and a compromised version was pushed through the official update channel to every site that checked for updates. One of those sites was a client's site we host at Blue 37. Here is what happened, what we found, and what it is making us change. [Security & Privacy](https://blue37.com/blog/category/security-privacy) | [WordPress](https://blue37.com/blog/category/wordpress) [View on blue37.com](https://blue37.com/blog/2026/04/anatomy-of-a-wordpress-supply-chain-attack) --- On 7 April 2026, the update infrastructure for a popular WordPress plugin called Smart Slider 3 Pro was breached. For a window of roughly six hours, the plugin's official update channel distributed a malicious version to every site that checked for updates. One of those sites was a client's site that we host and manage at Blue 37. This is the story of what happened, how we found it, and what it is making us think about the plugin model that powers a huge percentage of the web. ## The attack Smart Slider 3 Pro is a commercial WordPress plugin made by Nextend. It sits behind the same update infrastructure most commercial plugins use: a vendor-controlled server, a licence key, and automatic updates pushed to customers as new versions are released. When the vendor's publishing pipeline is compromised, every site on their customer list becomes a delivery target. That is exactly what happened. The attacker pushed version `3.5.1.35` through the official channel. Sites that checked for updates during the distribution window received the malicious build and installed it as they would any routine security patch. Patchstack, a security research firm, has published a detailed technical breakdown of the attack and its indicators of compromise. Their [full malware analysis](https://patchstack.com/articles/critical-supply-chain-compromise-in-smart-slider-3-pro-full-malware-analysis/) is recommended reading if you run WordPress at any scale. ## What the malware did The compromised plugin dropped a set of must-use plugin files into the site's filesystem. Must-use plugins load on every request before the standard plugin system, which makes them an effective persistence layer. Two distinct backdoor families were installed. The first was a remote administration layer exposed through a REST endpoint disguised to look like a WooCommerce reporting route. It offered four modes: reconnaissance, arbitrary PHP execution via `eval()`, shell command execution, and silent admin login without a password. Authentication used an HMAC derived from the site's WordPress salts, so rotating the salts would invalidate it. The second was more sophisticated. Its authentication token was stored in the database rather than derived from the salts, meaning salt rotation would not disable it. It registered a twice-daily scheduled event that rewrote its own file from a base64 blob kept in `wp_options`, so deleting the file alone would not remove it. It filtered the admin user listing to hide its own rogue account, and it phoned home to a command and control domain on first activation to register the site. Patchstack documented the first family when the attack became public. The second predated their reporting by several days and had different triggers and different option names. Whether it was a separate actor or a staged component of the same toolkit was not conclusively established during our investigation. The shared C2 domain suggests the same hands. ## How we noticed, and how late The malware was dormant at first. The site rendered correctly, returned HTTP `200` status code, and passed the visual regression checks we run after every update. Our monitoring had nothing to flag. The site received the compromised update at 22:00 on 7 April. The malware activated at 00:42 on 8 April. The visible front end damage was discovered at 07:38 on 8 April, and we had the server offline within four minutes. From compromise to takedown was 9 hours and 42 minutes. That is not catastrophic, but it is longer than we would like. We are being open about that because we want to discuss the lessons learned from the incident. ## Why our monitoring missed it Our update cadence runs every six hours across the servers we manage. After each update batch, visual regression tests render a set of key pages and compare them against a known-good baseline. The idea is straightforward: if an update breaks something visible, we catch it before a human does. The technique is useful for the thing it was designed for. It does nothing for malware that does not render differently. Nothing about the initial compromise was visually observable, because the malware did not want to be seen. Dormant backdoors are the whole point of the attack. We also run [file integrity monitoring](https://en.wikipedia.org/wiki/File_integrity_monitoring) to detect unexpected writes to files. However, in this incident the file integrity monitoring flagged these changes as a false positive. This is a gap we are working to close. We are evaluating alternative file integrity monitoring solutions, which would flag unexpected writes to must-use plugin directories and core files, and indicator-of-compromise subscription feeds that would alert us when a published compromise affects a plugin on any site we manage. Visual regression stays in the stack; it simply cannot be the last line of defence. ## The uncomfortable part about plugins This was not a bug in WordPress. It was an architectural consequence of how WordPress plugins work. Every plugin shares the same PHP runtime, the same database connection, and the same filesystem as WordPress itself. A plugin is code that runs with the full authority of the host. There is no capability manifest, no permission prompt, no sandbox. When you install a plugin, you are installing a partner for your database, your server, and anything they can reach. When the plugin's supply chain is trustworthy, this model is fine. When it is not, the blast radius is the entire site. And the database is where the blast hurts most. WordPress's relational store holds user records, hashed passwords, option values, serialised arbitrary data, and, in many configurations, session tokens and commerce records. A backdoor with database access has everything that matters in one place. We have worked in the WordPress ecosystem for a long time. We will continue to do so. But it is worth saying plainly: the shared-everything model is an inherited choice from the early 2000s, and it is the single biggest reason events like this keep happening. ## Where the architecture differs This site, blue37.com, runs on SvelteKit with pages generated at build time. Most of the other sites we build today, whether in [Astro](https://astro.build), [Svelte](https://svelte.dev), or Next.js, follow a similar pattern: content is compiled into static files, API calls happen at the edge in isolated runtimes, and there is no PHP process waiting to execute whatever a plugin drops on disk. There is no shared public database for compromised code to query, because there is no database behind the public pages. The attack surface of a static site is orders of magnitude smaller. Content updates go through a git commit, reviewed and versioned, rather than through a privileged process reaching out to a vendor's update server on a schedule. This is not a recommendation to rebuild every WordPress site on Astro tomorrow. [WordPress](https://wordpress.org/) has strengths, especially for content editors who value its workflow, that static stacks are still catching up with. It's also not an _"WordPress is inherently insecure"_ argument. But the architectural difference is worth naming. An attack with _this_ shape: a persistent server-side backdoor, live database access, and a self-resurrecting payload phoning home from the running site, is not possible on a Svelte site served from a CDN, because the server-side conditions for it do not exist. Supply chain risk does not disappear: a [compromised npm dependency](https://www.cisa.gov/news-events/alerts/2026/04/20/supply-chain-compromise-impacts-axios-node-package-manager) can still ship malicious JavaScript through a build, and that is a real class of attack to defend against. But the damage is bounded by what a browser can do, not by what a PHP process with database credentials can do. That is a meaningful difference. ## What we have changed The site was rebuilt from a clean backup taken before the compromised update landed, on a fresh server, with Smart Slider updated to the patched `3.5.1.36`. We verified the rebuild against Patchstack's published indicators of compromise and confirmed it was clean. Admin passwords have been rotated, user privileges reduced to the minimum each user actually needs, and two-factor authentication required for users with elevated access. Not that any of this would have stopped the attack, but following the principle of least privilege is a good habit to have. On our end, we are reviewing our monitoring stack. The update cadence and visual regression checks are staying. File integrity monitoring is being enhanced. We are also subscribing to an IOC feed so that the next time a plugin we manage shows up in a vulnerability disclosure, we know early and can take action. ## The honest conclusion [Supply chain attacks are hard](https://www.cloudflare.com/en-gb/learning/security/what-is-a-supply-chain-attack/). The defender has to trust a chain of parties they have no direct visibility into, and a single compromise upstream ends up on thousands of sites before anyone notices. No amount of on-site monitoring will make that problem disappear. What can change is how quickly a compromise is detected on our side, how contained the damage is when it is, and how we think about attack surface when we choose the stack for a new project. All three are moving in the right direction. If you run a WordPress site and want to talk about what monitoring and update policy look like in practice, or if you are thinking about whether a static stack makes sense for your next build, [get in touch](/contact).