Hey Reader,

This week is geared to my people on WordPress, or even those considering WordPress as their website platform. I have something I want you to think about for a second.

If you fit in that group I mentioned, you've probably added a plugin to your WordPress site because it solved a problem. It could be a countdown timer, a testimonial slider, or maybe a fancy image gallery. You found it, it had good reviews, it worked, and you moved on.

But here's the thing about plugins that most people don't think about... they're code that lives inside your website and runs every single time someone visits it. And not all of that code has good intentions.

Let me tell you what just happened — and it's WILD!

A security researcher recently discovered that someone purchased an entire portfolio of 30+ WordPress plugins through a public marketplace called Flippa. These were legit plugins. Some of them had been around for nearly a decade. Established reputations. Real install bases.

The new owner's very first update to one of those plugins, Countdown Timer Ultimate, planted a backdoor. Not a sloppy one either. A sophisticated one that sat completely dormant for eight months before being activated. It was designed to inject hidden spam into your site that only search engines could see, meaning you'd have no idea it was there while your SEO was quietly being destroyed. To make it even harder to shut down, the malware routed its commands through a blockchain smart contract, which means even if someone took down the main server, the attack could just point to a new one instantly.

WordPress.org eventually caught it and closed all 31 plugins from that author in a single day. But the damage had already been done on the affected sites.

This is called a supply chain attack, and it's happening more frequently in the WordPress plugin space.

Here's what this means for you as a business owner with a WordPress site.

Plugins can change hands without any notice to you.
A plugin you've trusted for years can be sold to someone with completely different intentions, and you'd have no way of knowing unless you're actively watching. WordPress.org has no formal process for flagging plugin ownership transfers. No alert, no review, no notification.

Free doesn't mean safe, and popular doesn't mean vetted.

The plugins in this attack were free, widely used, and had been functioning legitimately for years. That history was actually part of what made them such effective targets.

Updates can introduce problems, not just fix them.

The backdoor was hidden inside a routine update with a changelog that said nothing more than "Check compatibility with WordPress version 6.8.2." Without someone actively reviewing what changed in that code, there's no way to know.

So what should you do?

Before installing any plugin, spend some time researching. Check who developed it, whether the plugin is actively maintained, when it was last updated, and whether there's any recent community conversation about it. If a plugin hasn't been updated in over a year or has suddenly changed ownership, those are flags worth paying attention to.

And be selective. Every plugin you add is another piece of code you're responsible for. Ask yourself whether you actually need it or whether something you already have can do the job.

Now, if you're one of my hosting or care plan clients, I just want you to take a breath, because this is exactly what I'm watching for on your behalf. Security monitoring is part of what I do for you. I run plugin updates, I watch for alerts, and when something looks off — a plugin getting closed by WordPress.org, a suspicious update, anything that raises a flag — I'm on it, and I'll let you know. You shouldn't have to keep up with threat reports and security blogs to know your site is safe. That's my job, not yours.
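If you want to turn the "last updated" and "changed ownership" checks above into something you can run against your own plugin list, here is a small audit script. It is an added example, not code from this newsletter or from WordPress.org: the records are shaped like the JSON the WordPress.org plugin info API returns (slug, author, last_updated), but every plugin name, author and date below is constructed, and the `closed` flag and the baseline of vetted authors are assumptions of this example.

```python
# Added example (not from the newsletter): flag plugins that are stale,
# have changed author since you vetted them, or were closed by the directory.
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=365)  # a year without updates is a warning flag


def parse_last_updated(value):
    # Directory dates look like "2025-08-11 9:02pm GMT" (format assumed here).
    return datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT")


def audit_plugins(current, baseline, now):
    """Return (slug, finding) pairs for plugins that deserve a second look.
    baseline maps slug -> the author you vetted when you first installed it."""
    findings = []
    for plugin in current:
        slug = plugin["slug"]
        if plugin.get("closed"):  # pulled from the directory: remove it
            findings.append((slug, "closed by WordPress.org"))
            continue
        vetted = baseline.get(slug)
        if vetted and plugin["author"] != vetted:
            # Ownership changed since you vetted it: review the next update's code
            findings.append((slug, f"author changed from {vetted} to {plugin['author']}"))
        age = now - parse_last_updated(plugin["last_updated"])
        if age > STALE_AFTER:
            findings.append((slug, f"not updated in {age.days} days"))
    return findings


# Constructed sample: one healthy plugin, one that changed hands, one stale,
# one closed by the directory. None of these are real plugins.
SAMPLE_PLUGINS = [
    {"slug": "gallery-example", "author": "Vetted Dev", "last_updated": "2026-03-02 4:10pm GMT"},
    {"slug": "countdown-example", "author": "New Owner", "last_updated": "2026-04-01 11:45am GMT"},
    {"slug": "slider-example", "author": "Slider Co", "last_updated": "2024-09-15 3:00pm GMT"},
    {"slug": "testimonials-example", "author": "Vetted Dev", "last_updated": "2026-02-20 8:00am GMT", "closed": True},
]
BASELINE = {"gallery-example": "Vetted Dev", "countdown-example": "Original Dev", "slider-example": "Slider Co"}


def run_audit():
    # Fixed "now" so the demo is reproducible offline.
    return audit_plugins(SAMPLE_PLUGINS, BASELINE, now=datetime(2026, 4, 14, 18, 0))


if __name__ == "__main__":
    for slug, finding in run_audit():
        print(f"{slug}: {finding}")
```

Save the author of each plugin the day you vet it; the script only catches an ownership change if it has something to compare against.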
Also, if you are running on a framework like Kadence, the platform I build client sites on, you wouldn't need these types of plugins because the platform has them.

If you've been thinking about getting that kind of coverage or service but haven't made the move yet, this is probably a good time to consider it. Hit reply, and I'll tell you more about what's included.

In the meantime, go check your plugins. If you have anything from a company called "Essential Plugin" or "WP Online Support," remove it now.

Oh, and one more thing before I go! Tomorrow — Wednesday, April 15th at 6:30 PM CST — I'm doing a free live session called "Your Website Isn't Converting. Here's Why." It's hosted through Black Business Boom and we're going to dig into what's actually stopping your website from turning visitors into leads, find what's costing you sales, and figure out how to fix it fast — without a full redesign. If you've ever looked at your website analytics and thought, "people are coming, so why isn't anything happening?" — this one's for you.

Save your spot at boominu.com/bb8 — it's free and it's tomorrow, so don't sleep on it!
I help you with all things WordPress, systems and tools to help run your business. Sending weekly Tips Tuesday emails and occasional other goodies straight to your inbox!