WordPress Plugin Supply Chain Attack: 1.2M Sites Hit

A supply chain attack on Awesome Motive's CDN has planted backdoors in WordPress plugins including OptinMonster, affecting up to 1.2 million sites as of June 2026.

WordPress Plugin Supply Chain Attack Is Hitting 1.2 Million Sites Right Now

Someone didn't hack your site directly. They hacked the delivery system that sends code to your site — and that's a much harder problem to spot.

What Happened: The Attack Explained

A supply chain attack hit several popular WordPress plugins in June 2026, reportedly through infrastructure controlled by Awesome Motive, a company behind some of WordPress's most widely used plugins. OptinMonster — a lead generation plugin installed on approximately 1.2 million WordPress sites — is among those confirmed to be involved, according to reporting from Bleeping Computer, The Hacker News, and Security Affairs.

A supply chain attack means the plugin itself wasn't broken into directly. Instead, attackers tampered with scripts being served through the CDN — the content delivery network — that distributes plugin code to sites. Think of it like someone poisoning the water supply rather than breaking into individual houses.

The result? Hidden backdoors were planted inside plugin scripts. A backdoor is a secret entry point that lets an attacker access your site without a password, without your knowledge, and often without leaving an obvious trace.

This is as serious as it gets for WordPress security.

Who Is Affected

If your site runs OptinMonster, or any other plugin distributed through Awesome Motive's CDN, you may be affected. The 1.2 million figure comes from OptinMonster's active install count alone — and multiple plugins appear to be involved, according to Infosecurity Magazine.

We could not confirm the full list of affected plugins from the available source material. No official statement from Awesome Motive has been verified at the time of writing, 16 June 2026.

Do you have OptinMonster or other Awesome Motive plugins installed on your site right now?

If you're not sure which plugins you're running, log into your WordPress dashboard, go to Plugins → Installed Plugins, and look for: OptinMonster, WPForms, MonsterInsights, All in One SEO, or WP Mail SMTP. These are all Awesome Motive products. That does not confirm each is compromised — but they share the same CDN infrastructure.

What to Do Right Now

1. Deactivate OptinMonster immediately. Don't just update it — deactivate and delete it until a clean version is confirmed. Go to Plugins → Installed Plugins → Deactivate → Delete.

2. Check your other Awesome Motive plugins. Until there's official confirmation of which plugins are clean, treat any Awesome Motive plugin as suspect and, at minimum, monitor it closely.

3. Change your WordPress admin password. If a backdoor was active on your site, an attacker may have already accessed it. Change your admin password now at Users → Profile → New Password.

4. Check for unknown admin accounts. Go to Users → All Users and look for any accounts you don't recognise. Delete anything suspicious immediately.

5. Ask your host to check server logs. This is a conversation worth having with your hosting provider. Ask them whether they can see any unusual outbound requests or login attempts in the past two weeks.

6. Don't wait for your client to call you. If you manage sites for others and any of them run these plugins, contact them today. Don't wait for something to visibly break — backdoors are specifically designed to be invisible.
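
Steps 4 and 5 can be run against exported data. The Python below is an added example, not code from Uptrue or Awesome Motive: it flags administrator accounts against an allow-list and counts login POSTs from the past two weeks. The user export (the JSON output of wp user list --role=administrator --format=json), the combined access-log format, the account names and the IP addresses are assumptions, and all sample data is constructed.

```python
import json
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 6, 16, tzinfo=timezone.utc)  # article date, fixed for the sample
# Constructed sample: `wp user list --role=administrator --format=json` output.
ADMINS_JSON = """[
 {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-02 10:15:00"},
 {"ID": 7, "user_login": "editor_jane", "user_registered": "2026-06-10 09:00:00"},
 {"ID": 9, "user_login": "wp_support2", "user_registered": "2026-06-11 02:41:13"}
]"""
# Constructed sample: combined-format access log lines.
LOG_LINES = [
 '203.0.113.7 - - [12/Jun/2026:03:14:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "x"',
 '203.0.113.7 - - [12/Jun/2026:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "x"',
 '203.0.113.7 - - [12/Jun/2026:03:14:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "x"',
 '198.51.100.4 - - [13/Jun/2026:08:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4312 "-" "x"',
 '198.51.100.9 - - [20/May/2026:11:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "x"',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

def audit_admins(admins_json, known_logins, now=NOW, days=14):
    """Step 4: flag admins off the allow-list or created inside the window."""
    cutoff = now - timedelta(days=days)
    findings = []
    for user in json.loads(admins_json):
        created = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        created = created.replace(tzinfo=timezone.utc)  # WordPress stores this in UTC
        if user["user_login"] not in known_logins:
            findings.append((user["user_login"], "not on allow-list"))
        elif created >= cutoff:
            findings.append((user["user_login"], "created inside window"))
    return findings

def login_posts(lines, now=NOW, days=14):
    """Step 5: count POSTs to the login endpoints per (ip, status) in the window."""
    cutoff = now - timedelta(days=days)
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, stamp, method, path, status = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if when >= cutoff and method == "POST" and path.split("?")[0] in LOGIN_PATHS:
            counts[(ip, status)] += 1
    return counts
```

By default WordPress answers a failed wp-login.php POST with 200 and a successful one with a 302 redirect, so a run of 200s followed by a 302 from the same address is the pattern to raise with your host.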

What Is Still Unclear

Honestly, there is a lot we don't know yet. The full list of affected plugins hasn't been confirmed from the available sources. It's not clear whether the backdoors were actively exploited or simply planted for later use. The exact window of infection — how long the compromised scripts were being served — has not been confirmed in the source material we have.

We also don't know whether updating to a newer plugin version is sufficient, or whether sites that loaded the tampered scripts during the infection window remain compromised even after an update. That's a critical question, and no official answer exists yet.

Watch Bleeping Computer and Security Affairs for updates. Both have been tracking this story closely.

Can Uptrue Detect This?

Not the backdoor itself — no uptime monitor can scan your plugin files. But here's where monitoring still helps. Backdoors often get used. When they do, they can cause unusual server behaviour: slow response times, unexpected redirects, or brief outages as attackers probe what they have access to.

Uptrue monitors your site's response time, uptime, and SSL certificate status continuously. If your site starts behaving strangely — going down, slowing dramatically, or returning unexpected responses — you'll know within minutes rather than finding out when a client rings. Right now, across the 439 sites tracked by Uptrue's live tracker, 90 are showing degraded performance. Some of that may be coincidence. Some may not be.

A security incident this size is exactly why passive monitoring matters. You can't always see what's wrong inside your site. You can always see when it stops behaving normally.

Set up monitoring at uptrue.io — it takes about two minutes.


FAQ

What is a supply chain attack on a WordPress plugin? A supply chain attack means hackers tampered with the systems that deliver plugin code to your site, rather than attacking your site directly — so even a legitimate, updated plugin can carry malicious code.

Is OptinMonster safe to use right now? As of 16 June 2026, a supply chain attack involving OptinMonster has been reported by multiple security outlets; we recommend deactivating and deleting it until Awesome Motive issues a confirmed clean version.

What is a backdoor in WordPress? A backdoor is hidden code that gives an attacker access to your site without needing your password — it runs silently and is designed not to trigger visible errors or warnings.

How do I know if my WordPress site has been compromised? Check your Users list for unknown admin accounts, look for new or modified files in your plugins folder, ask your host to review server logs, and watch for unusual slowdowns or redirects that you didn't set up.

Does updating the plugin fix the problem? Possibly not on its own — if your site loaded the compromised scripts during the infection window, the backdoor may already be present in your site's environment. Updating removes the bad plugin version but doesn't clean up anything already installed on your server.


Sources

  1. Bleeping Computer – OptinMonster WordPress plugin hacked in CDN supply chain attack
  2. The Hacker News – Popular WordPress Plugin Scripts Tampered to Plant Hidden Backdoors
  3. Security Affairs – Supply Chain Attack Hits Popular WordPress Plugins Through Awesome Motive CDN
  4. Infosecurity Magazine – Attackers Hijack Popular WordPress Plugins to Deploy Backdoors

Uptrue Team, Website Monitoring Platform