A rich hacker just penetrated 31 WordPress plugins...
Key Takeaways
WordPress plugin security vulnerability and CloudFlare's EmDash alternative
Full Transcript
Eight months ago, some galaxy brain hacker quietly penetrated the back door of more than 30 WordPress plugins, and no one noticed until now. As somehow, this massive collection of different WordPress plugins for silly UI updates was instantly turned into malware with a crazy supply chain attack. That means one minute, your countdown timer ultimate plugin is converting sales on your website, and then the next minute, it becomes a remote control demon on your server that steals all your data and leaks photos of your wife's boyfriend to the Kiwi Farms. WordPress remains the most popular website builder in the world, but many people have argued that WordPress's plugin architecture is fundamentally insecure, and a brand new slot work has emerged to replace it. In today's video, we'll find out how the latest brutal exploit occurred and take a look at this new project from Cloudflare that hopes to terminate WordPress from the timeline. It is April 16th, 2026, and you are watching The Code Report. I actually love WordPress and have built many failed side projects with it, but the WordPress ecosystem has experienced a wild couple years. Its founder, Matt Mullenweg, sperged out on private equity last year because the Silver Lake-owned WP Engine was drinking his milkshake by making money hosting WordPress. So, naturally, he demanded that they pay him 8% of their revenue for using his logo. Now, as you all know, I'm a huge fan of private equity because they make every product better, like Hooters, for example, but WP Engine refused to pay the king his royalty. That made Mullenweg sperg out even harder, and he said a bunch of stuff that eventually led to WP Engine filing a defamation lawsuit against him. They're still fighting each other in court to this day, and the lore goes way deeper, but the bigger problem for WordPress is that it's been experiencing a wave of new vulnerabilities, and 96% of those are a direct result of its plugin system. The core problem is that a WordPress plugin is basically just a PHP script that plugs straight into your site and starts running with full privileges. There's no sandbox or isolation. It can touch your database, your files, and your private parts. And when you install a plugin, you're basically just hoping a stranger knows how to handle every edge case, exploit, and bad input perfectly. What's crazy though, is that this most recent attack on 31 WordPress plugins was actually not the result of bad code. >> It's not your fault. >> It was something far scarier. In this case, the attacker didn't exploit a vulnerability. Instead, they legitimately acquired and took control of a portfolio of plugins by simply purchasing them for money from the original developer on Flippa in a deal with a sales price estimated to be in the mid six figures. After the original developer was bought out, the new buyer had control of the code and they inserted a back door about eight months ago and it's just been sitting there dormant in production waiting for the right moment. Then, when the moment was right, the malicious logic activated which reached out to a remote server, pulled down additional payloads, and in some cases modified core files like wp-config.php which includes sensitive data like your database connection and security keys. And apparently, the command and control domain was resolved through an Ethereum smart contract. So, once the exploit became known, the attacker could quickly update the smart contract to point to a new domain at any time. That's pretty clever, but the core issue here is that everything was delivered through a normal plugin update from a trusted source. So, it bypassed the usual suspicion of a normal fishing attack. Now, WordPress did step in and remove the plugins, but damage is already done inside the system and turning what looked like routine maintenance into a full-blown supply chain compromise. Luckily though, if you're considering using WordPress today, Cloudflare recently created a new project called m- which takes all that old crappy PHP code and turns it into something even crappier, AI written JavaScript code. This project actually doesn't use any original WordPress code and is MIT licensed, but it's designed to be fully compatible with the original WordPress APIs. And under the hood, it's based on the awesome Astro project for its content management system. What makes this project special though, is that it doesn't let plugins run wild with full access. m- locks each plugin down in its own sandbox with a dynamic worker. The framework itself doesn't hand over your data directly. Instead, the plugin only gets access to specific capabilities through bindings and only if it explicitly asks for them in the manifest. It's kind of like telling the plugin, "No, no, don't touch me there. This is my no-no square." Pretty cool, but will M dash actually kill WordPress once and for all? The answer is probably not and definitely not anytime soon. But, the craziest thing to me is how quickly developers can roll out complete replacements for frameworks that have been around for forever. And that's made possible by modern AI coding tools like Warp, the sponsor of today's video. If you're vibe maxing with Claude Code, Codex, Gemini CLI, and open code at the same time, but keep losing track of all your agents, you need to check out Warp's new universal agent support, which turns your terminal into an agent command center. Vertical tabs let you group your agent sessions together and quickly see useful metadata like Git branch, work tree, and pull request status, which means your terminal finally has object permanence. And the tab configs let you save your ideal setup and reopen it instantly in the future. The best part though is that you can get notifications from your coding agents in Warp and on your desktop whenever they need attention. Instead of checking on them every 30 seconds like a helicopter parent. So, if you already have an agent you like or you want to try running multiple agents at once, I'd highly recommend checking out Warp for free at the link below. This has been the Code Report. Thanks for watching and I will see you in the next one.
Original Description
Warp is the agentic development environment born out of the terminal. Download Warp for free today at → https://go.warp.dev/fireship
Someone spent $100k buying a massive collection of WordPress plugins and planted a backdoor in all of them. Naturally, CloudFlare stepped in with EmDash: a slop-forked WP alternative that promises to fix plugin security for good.
#coding #programming #wordpress
🔖 Topics Covered
- Wordpress plugin hack - https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/
- EmDash
Want more Fireship?
🗞️ Newsletter: https://bytes.dev
🧠 Courses: https://fireship.dev
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
More on: Security Basics
View skill →Related Reads
📰
📰
📰
📰
Social Discovery Group’s Announcement: A Communication That Raises Questions About Transparency and…
Medium · Cybersecurity
Adobe Producer Spoofing: A PDF Metadata Forgery Case Study
Dev.to · Iurii Rogulia
Today's the Deadline: Three Separate CISA Patch Orders Just Collided on the Same Weekend
Dev.to · Fabio Baensch
How Anthropic Could Have Prevented the “Claude Gift Fraud” With Security 101
Medium · Cybersecurity
🎓
Tutor Explanation
DeepCamp AI