Millions of WordPress sites just got hacked... again
Discusses how 31 WordPress plugins were compromised through a backdoor inserted after a portfolio was bought, turning routine updates into a security breach.
A massive WordPress supply-chain attack shows how 31 plugins were compromised through a buyout of their developer rather than a code flaw, and Cloudflare’s Mdash attempts a safer, AI-generated replacement that runs plugins as sandboxed modules with manifest-declared permissions.
Summary
Fireship’s Code Report covers a WordPress security incident in which a backdoor planted in a portfolio of 31 plugins sat dormant for roughly eight months before being used for a supply-chain attack. The attackers did not exploit a flaw in the code: they bought the plugins from the original developer on Flippa, in a deal estimated in the mid-six figures, inserted the backdoor, and waited for the right moment. When it activated, the malicious logic reached out to a remote server, pulled down additional payloads and in some cases modified core files such as wp-config.php, which holds database credentials and security keys; the command-and-control domain was resolved through an Ethereum smart contract, so it could be repointed at will once discovered. WordPress remains dominant, yet its plugin model, in which a PHP plugin runs with full site privileges and no sandbox, makes every installed plugin a full-trust dependency. Cloudflare’s Mdash project is presented as a possible path forward: an MIT-licensed, AI-generated JavaScript reimplementation that uses no original WordPress code, builds on Astro, aims for compatibility with the WordPress APIs, and isolates each plugin in a dynamic sandboxed worker that receives only the bindings its manifest explicitly requests. The video also touches on Matt Mullenweg’s public dispute with Silver Lake-owned WP Engine, framing a broader narrative about platform security, ecosystem governance, and the speed at which AI tooling can produce replacements for long-lived frameworks. Finally, Fireship showcases Warp, the sponsor, and its universal agent support for managing multiple coding agents from the terminal. The takeaway: a trusted update channel can be turned against you by a supply-chain maneuver such as a plugin buyout, and sandboxed, capability-scoped plugin runtimes are one way to limit the blast radius.
Key Takeaways
- A 31-plugin supply-chain attack on WordPress arose after attackers bought the plugins from the original developer on Flippa for an estimated mid-six figures and inserted a backdoor that stayed dormant in production for about eight months before activating.
- Once triggered, the backdoor reached out to a remote server, pulled down additional payloads and in some cases modified core files such as wp-config.php, which contains the database connection details and security keys; the command-and-control domain was resolved through an Ethereum smart contract, so the attacker could repoint it to a new domain after the original was exposed.
- Mdash is Cloudflare’s MIT-licensed, AI-generated JavaScript alternative to WordPress plugins, designed to be compatible with WordPress APIs while sandboxing plugins in dynamic workers.
- Mdash relies on bindings and manifest-based permissions so plugins can request only specific capabilities, reducing the risk of unrestricted data access.
- Warp’s universal agent support is pitched as a productivity upgrade for developers, enabling multiple AI coding agents to run in a single terminal with better session management and notifications.
- The video emphasizes that supply-chain compromises can be more effective than classic phishing because they ride the trust of standard update flows.
- Despite the breach, the speaker remains skeptical that Mdash will replace WordPress soon, highlighting the rapid rise of AI-driven framework replacements as a larger trend.
Who Is This For?
Developers and site admins who rely on WordPress plugins, security engineers evaluating supply-chain risks, and readers curious about AI-assisted replacements for long-standing web frameworks.
Notable Quotes
"That means one minute your countdown timer ultimate plugin is converting sales on your website, then the next minute it becomes a remote control demon on your server that steals all your data and leaks photos of your wife's boyfriend to the Kiwi Farms."
—Illustrates the extreme risk when plugins run with full site privileges and how fast a compromise can escalate.
"The attacker didn't exploit a vulnerability. Instead, they legitimately acquired and took control of a portfolio of plugins by simply purchasing them for money from the original developer on Flippa... and they inserted a back door about 8 months ago."
—Key point about the supply-chain nature of the attack.
"Mdash locks each plugin down in its own sandbox with a dynamic worker... the plug-in only gets access to specific capabilities through bindings and only if it explicitly asks for them in the manifest."
—Describes how Cloudflare’s solution changes the plugin security model.
"No, no, don't touch me there. This is my no square."
—Quirky line used to illustrate the sandboxing philosophy behind Mdash.
Questions This Video Answers
- How does a WordPress plugin supply chain attack work and how can it be prevented?
- What is Mdash and how does it change WordPress plugin security?
- Why are Ethereum smart contracts mentioned in the context of malware command-and-control?
- Can WordPress be made secure without abandoning plugin ecosystems?
- What is Warp and how does its universal agent support help developers?
Tags
WordPress security, Plugin supply chain attack, Flippa marketplace, Backdoor malware, wp-config.php, Ethereum smart contract, Cloudflare Mdash, Astro CMS, AI-generated code, Warp (sponsor)
Full Transcript
Eight months ago, some galaxy-brained hacker quietly penetrated the back door of more than 30 WordPress plugins, and no one noticed until now. Somehow, this massive collection of different WordPress plugins for silly UI updates was instantly turned into malware with a crazy supply chain attack. That means one minute your countdown timer ultimate plugin is converting sales on your website, then the next minute it becomes a remote control demon on your server that steals all your data and leaks photos of your wife's boyfriend to the Kiwi Farms. WordPress remains the most popular website builder in the world, but many people have argued that WordPress's plug-in architecture is fundamentally insecure and a brand new slop fork has emerged to replace it.
In today's video, we'll find out how the latest brutal exploit occurred and take a look at this new project from Cloudflare that hopes to terminate WordPress from the timeline. It is April 16th, 2026, and you're watching the code report. I actually love WordPress and have built many failed side projects with it, but the WordPress ecosystem has experienced a wild couple of years. Its founder, Matt Mullenweg, spurred out on private equity last year because the Silver Lake owned WP Engine was drinking his milkshake by making money hosting WordPress. So, naturally, he demanded that they pay him 8% of their revenue for using his logo.
Now, as you all know, I'm a huge fan of private equity because they make every product better, like Hooters, for example. But WP Engine refused to pay the king his royalty. That made Mullenweg spur out even harder and he said a bunch of stuff that eventually led to WP Engine filing a defamation lawsuit against him. They're still fighting each other in court to this day and the lore goes way deeper. But the bigger problem for WordPress is that it's been experiencing a wave of new vulnerabilities and 96% of those are a direct result of its plug-in system.
The core problem is that a WordPress plug-in is basically just a PHP script that plugs straight into your site and starts running with full privileges. There's no sandbox or isolation. It can touch your database, your files, and your private parts. And when you install a plugin, you're basically just hoping a stranger knows how to handle every edge case, exploit, and bad input perfectly. What's crazy, though, is that this most recent attack on 31 WordPress plugins was actually not the result of bad code. It's not your fault. It was something far scarier. In this case, the attacker didn't exploit a vulnerability.
Instead, they legitimately acquired and took control of a portfolio of plugins by simply purchasing them for money from the original developer on Flippa in a deal with the sales price estimated to be in the mid-six figures. After the original developer was bought out, the new buyer had control of the code and they inserted a back door about 8 months ago and it's just been sitting there dormant in production waiting for the right moment. Then when the moment was right, the malicious logic activated which reached out to a remote server, pulled down additional payloads and in some cases modified core files like wp-config.php which includes sensitive data like your database connection and security keys.
And apparently the command and control domain was resolved through an Ethereum smart contract. So once the exploit became known, the attacker could quickly update the smart contract to point to a new domain at any time. That's pretty clever. But the core issue here is that everything was delivered through a normal plug-in update from a trusted source. And so it bypassed the usual suspicion of a normal phishing attack. And now WordPress did step in and remove the plugins. But damage was already done inside the system, turning what looked like routine maintenance into a full-blown supply chain compromise.
Luckily though, if you're considering using WordPress today, Cloudflare recently created a new project called Mdash, which takes all that old crappy PHP code and turns it into something even crappier, AI written JavaScript code. This project actually doesn't use any original WordPress code and is MIT licensed, but it's designed to be fully compatible with the original WordPress APIs. And under the hood, it's based on the awesome Astro project for its content management system. What makes this project special though is that it doesn't let plugins run wild with full access. Mdash locks each plugin down in its own sandbox with a dynamic worker.
The framework itself doesn't hand over your data directly. Instead, the plug-in only gets access to specific capabilities through bindings and only if it explicitly asks for them in the manifest. It's kind of like telling the plugin, "No, no, don't touch me there. This is my no square." Pretty cool, but will Mdash actually kill WordPress once and for all? The answer is probably not, and definitely not anytime soon. But the craziest thing to me is how quickly developers can roll out complete replacements for frameworks that have been around forever. And that's made possible by modern AI coding tools like Warp, the sponsor of today's video.
If you're viaxing with Claude Code, Codex, Gemini CLI, and Open Code at the same time, but keep losing track of all your agents, you need to check out Warp's new universal agent support, which turns your terminal into an agent command center. Vertical tabs let you group your agent sessions together and quickly see useful metadata like git branch, work tree, and pull request status, which means your terminal finally has object permanence. And the tab configs let you save your ideal setup and reopen it instantly in the future. The best part though is that you can get notifications from your coding agents in Warp and on your desktop whenever they need attention instead of checking on them every 30 seconds like a helicopter parent.
So, if you already have an agent you like or you want to try running multiple agents at once, I'd highly recommend checking out Warp for free at the link below. But this has been the Code Report. Thanks for watching and I will see you in the next one.