The widely-used Quick Page/Post Redirect plugin for WordPress contained a dormant backdoor for years, allowing attackers to inject arbitrary code and conduct SEO spam operations. Security researcher Austin Ginder discovered the vulnerability affecting over 70,000 WordPress sites.
A popular WordPress redirect plugin with more than 70,000 installations contained a hidden backdoor for five years, enabling attackers to inject arbitrary code into affected websites. The security vulnerability, discovered by Austin Ginder, founder of WordPress hosting provider Anchor, represents one of the longest-running backdoors in recent WordPress plugin history.
Discovery of the Backdoor
Ginder uncovered the malicious code after 12 infected sites on his hosting platform triggered security alerts. The Quick Page/Post Redirect plugin, a basic utility available on WordPress.org for several years, had been compromised with a hidden self-update mechanism pointing to a third-party domain, anadnet[.]com.
"The actual mechanism was cloaked parasite SEO," explained Ginder. "The plugin was renting Google ranking on seventy thousand websites back to whoever was operating that backchannel in 2021."
Technical Analysis of the Vulnerability
The backdoor was particularly insidious because it remained dormant for years while maintaining the ability to execute arbitrary code on demand. The attack vector worked through several phases:
- Initial Compromise: Official plugin versions 5.2.1 and 5.2.2, released between 2020 and 2021, included a hidden self-updater mechanism that pointed to the external domain.
- Silent Update: In February 2021, the malicious self-updater was removed from subsequent versions on WordPress.org, but before code reviewers could detect it, sites running the compromised versions silently received a tampered 5.2.3 build from the external server.
- Passive Backdoor: This modified version introduced a passive backdoor that only triggers for logged-out users, effectively hiding its activity from site administrators. The backdoor is hooked into the 'the_content' filter and fetches data from the 'anadnet' server.
- Persistent Threat: The real danger lies in the update mechanism itself, which remains present on affected sites and enables arbitrary code execution. While currently dormant because the malicious command-and-control subdomain doesn't resolve, the domain remains active.
Impact on WordPress Sites
The compromised plugin affects a significant portion of the WordPress ecosystem. With over 70,000 installations, the backdoor potentially exposed thousands of websites to:
- SEO spam operations
- Content injection
- Potential data theft
- Website defacement
- Further malware distribution
The passive nature of the backdoor made it particularly difficult to detect, as site administrators would only see normal behavior when logged into their WordPress dashboards.
Response and Mitigation
WordPress.org has temporarily pulled the Quick Page/Post Redirect plugin from the directory pending security review. The recommended solution for impacted users is to:
- Immediately uninstall the plugin
- Replace it with a clean copy of version 5.2.4 from WordPress.org (once it becomes available again)
- Monitor websites for any unusual activity
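To find out whether a site is affected in the first place, here is a file-level check for the indicators named in this article, added as an example (it is not code from the article, from Ginder, or from the plugin). It walks a plugins directory, flags any PHP file that references the external update domain, and flags Quick Page/Post Redirect copies reporting version 5.2.1, 5.2.2 or 5.2.3. The function names and the sample plugin tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Indicators from the article; the domain stays defanged in source and is refanged at run time.
INDICATOR = "anadnet[.]com".replace("[.]", ".").encode()
PLUGIN_NAME = "quick page/post redirect"
REVIEW_VERSIONS = {"5.2.1", "5.2.2", "5.2.3"}  # builds named in the article
# Same comment-prefix tolerance WordPress uses when parsing plugin headers.
HEADER = re.compile(rb"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)\s*$", re.I | re.M)

def plugin_headers(data):
    """Parse 'Plugin Name' and 'Version' from the first 8 KiB of a PHP file."""
    return {k.decode().lower(): v.decode(errors="replace") for k, v in HEADER.findall(data[:8192])}

def scan_plugins(plugins_dir):
    """Return sorted (relative path, reason) findings for every .php file."""
    findings = []
    for root, _dirs, files in os.walk(plugins_dir):
        for name in (f for f in files if f.endswith(".php")):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, plugins_dir).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            if INDICATOR in data.lower():
                findings.append((rel, "references external update domain"))
            hdr = plugin_headers(data)
            version = hdr.get("version", "")
            if PLUGIN_NAME in hdr.get("plugin name", "").lower() and version in REVIEW_VERSIONS:
                # The version string alone cannot tell a tampered build from an official one.
                findings.append((rel, "version %s needs review" % version))
    return sorted(findings)

def demo():
    """Scan a constructed plugins tree (sample data, not real plugin code)."""
    samples = {
        "redirect-sample/main.php": b"<?php\n/*\n * Plugin Name: Quick Page/Post Redirect Plugin\n"
            b" * Version: 5.2.3\n */\n$manifest = 'https://" + INDICATOR + b"/placeholder';\n",
        "other-sample/main.php": b"<?php\n/*\n * Plugin Name: Other Sample\n * Version: 5.2.3\n */\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            os.makedirs(os.path.dirname(os.path.join(tmp, rel)), exist_ok=True)
            with open(os.path.join(tmp, rel), "wb") as fh:
                fh.write(body)
        return scan_plugins(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Point `scan_plugins()` at a site's `wp-content/plugins` directory. A domain hit is the stronger signal, because a version number alone does not distinguish a tampered build from an official one.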
Ginder included a direct message to whoever is behind the backdoor, urging them to "do the right thing now and publish a static update manifest that forces all affected installs to automatically upgrade to the clean WordPress.org version, effectively removing the backdoor from previously compromised sites."
Broader Implications for WordPress Security
This incident highlights ongoing challenges in the WordPress plugin ecosystem:
- The difficulty of detecting backdoors in widely-distributed plugins
- The potential long-term impact of compromised plugins
- The need for more rigorous review processes for plugins with large user bases
WordPress site administrators should regularly audit their installed plugins, keep them updated, and consider implementing additional security measures like file integrity monitoring and web application firewalls.
For those needing redirect functionality, several alternative plugins are available on WordPress.org, including the popular "Redirection" plugin, which has a strong security track record and regular updates.
The discovery serves as a reminder that even seemingly simple plugins can introduce significant security risks if not properly vetted and maintained.
