Millions of WordPress sites just got hacked... again


Summary based on the YouTube transcript and episode description.

Fireship explains how a $100k Flippa acquisition turned 31 WordPress plugins into a dormant supply chain backdoor for 8 months.

  • Attacker bought 31 WordPress plugins on Flippa for a mid-six-figure sum, then planted a backdoor that sat dormant for 8 months.
  • The attack bypassed normal suspicion because malicious code arrived via legitimate plugin updates from a trusted source.
  • Command-and-control domain was resolved through an Ethereum smart contract, letting the attacker rotate to a new domain instantly after discovery.
  • Payload modified wp-config.php, exposing database credentials and security keys on affected sites.
  • 96% of WordPress vulnerabilities stem from its plugin system, which runs PHP with full server privileges and no sandboxing.
  • Cloudflare’s EmDash rewrites WordPress in AI-generated JavaScript on Astro, sandboxing each plugin in its own worker with capability-based bindings.
  • The Matt Mullenweg vs. WP Engine defamation lawsuit is ongoing, following a dispute over an 8% revenue demand for use of the WordPress logo.

2026-04-16