On June 12, 2026, attackers compromised a CDN signing key belonging to Awesome Motive, the company behind OptinMonster, TrustPulse, and PushEngage. They appended malicious JavaScript directly to the legitimate, CDN-hosted scripts that 1.2 million WordPress sites load on every page view.
No plugin vulnerability. No outdated software. The plugins were fully up to date, and the attack still worked.
How it actually worked
This wasn't a smash-and-grab. The payload was built to be invisible to anyone but a real, logged-in admin:
- Malicious code was appended to the legitimate, minified JS files on the CDN; the original functionality stayed intact
- The payload checked for `navigator.webdriver`, `window._phantom`, `window.__nightmare`, and zero-dimension windows; if it detected a scanner or headless browser, it stayed completely dormant
- It checked for `/wp-admin/` in the URL, the admin toolbar in the DOM, and `wordpress_logged_in_` cookies before activating
- It pulled auth tokens and nonces directly from the page DOM and the `wpApiSettings.nonce` object
- Using the stolen nonce, it silently created a new admin account (`developer_api1` or a `dev_`-prefixed username)
- It installed a self-hiding backdoor plugin (`content-delivery-helper` or `database-optimizer`) that doesn't even show up in the WordPress plugin list
- Harvested data was sent to `tidio.cc`, a domain built to be confused with the legitimate `tidio.com`
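The fingerprint above gives a defender two things to check on whatever a CDN actually served: does the file still start with the vendor's known-good content, and does any appended tail carry the markers listed. The following is an added example, not code from the post or from Awesome Motive; the indicator list is taken from the post, and both sample scripts are constructed stand-ins (the "tampered" one only carries the marker strings and does nothing when run).

```javascript
// Added example (not from the original post): scan a served script for the
// anti-analysis and WordPress-targeting markers the post describes, and
// isolate anything a CDN appended after the vendor's reference copy.

// Indicator strings taken from the post. Plain substring/regex matching is
// easy to obfuscate around, so treat a hit as a reason to look, and the diff
// against the reference copy as the real control.
const INDICATORS = [
  { id: "headless-check", re: /navigator\.webdriver|window\._phantom|window\.__nightmare/ },
  { id: "wp-admin-gate", re: /\/wp-admin\/|wordpress_logged_in_/ },
  { id: "nonce-harvest", re: /wpApiSettings\.nonce/ },
  { id: "rogue-admin-name", re: /developer_api1/ },
  { id: "backdoor-plugin", re: /content-delivery-helper|database-optimizer/ },
  { id: "exfil-domain", re: /tidio\.cc/ },
];

// Returns the ids of every indicator present in `scriptText`, in declaration order.
function scanScript(scriptText) {
  return INDICATORS.filter((ind) => ind.re.test(scriptText)).map((ind) => ind.id);
}

// Compares what the CDN served against the vendor's reference copy. If the
// served file begins with the reference verbatim, whatever follows is the
// appended region; if the body itself differs, return null (a bigger change
// than the post describes, and worth a full diff rather than a tail scan).
function appendedTail(referenceText, servedText) {
  if (!servedText.startsWith(referenceText)) return null;
  return servedText.slice(referenceText.length);
}

// Constructed sample: a stand-in for a legitimate minified vendor file.
const REFERENCE = '!function(){window.om=window.om||{};om.v="2.0"}();';

// Constructed sample: the same file with an inert block appended that only
// carries marker strings. It is not the real payload and performs no action.
const SERVED_TAMPERED = REFERENCE +
  'var __x=["navigator.webdriver","window._phantom","/wp-admin/",' +
  '"wordpress_logged_in_","wpApiSettings.nonce","https://tidio.cc/c"];';

// Runs both checks and reports what a monitoring job would alert on.
function audit(referenceText, servedText) {
  const tail = appendedTail(referenceText, servedText);
  return {
    bodyMatches: tail !== null,
    appendedBytes: tail === null ? -1 : tail.length,
    hits: scanScript(tail === null ? servedText : tail),
  };
}

console.log(JSON.stringify(audit(REFERENCE, SERVED_TAMPERED), null, 2));
```

Running the reference copy through `scanScript` on its own yields no hits; the served copy reports the appended byte count plus the headless-check, wp-admin gate, nonce-harvest and exfiltration-domain markers. In practice the reference text would come from the vendor's release artifact or a copy you pinned at deployment time, not from the same CDN.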
OptinMonster and TrustPulse were compromised for just 25 minutes. PushEngage stayed compromised for nearly 50 hours.
Why "update your plugins" didn't save anyone
This is the part that should bother every WordPress dev: standard security advice says keep plugins updated, use strong passwords, run a security plugin. This attack walked straight through all three.
- Plugins were on their latest versions
- Admin passwords were irrelevant since the attacker used stolen nonces, not credentials
- Security plugins didn't flag anything because the code came from a trusted, allowlisted CDN domain
A vulnerability means the plugin code has a bug. A supply chain attack means the delivery mechanism for otherwise-legitimate code was compromised. You can't patch your way out of that.
And this isn't a one-off. Same structural pattern as Polyfill.io (2024), XZ Utils (2024), and tj-actions/changed-files (2025). Different ecosystem, identical root cause.
How to check if you were affected
```bash
# Check for rogue admin accounts
wp user list --role=administrator --field=user_email | grep -i "customer1usx"
wp user list --role=administrator --field=user_login | grep -E "^dev_|^developer_api"
# Check the filesystem for hidden backdoor plugins
ls -la wp-content/plugins/ | grep -E "content-delivery|database-optimizer"
```
If either of those returns a hit, your site was compromised; the full recovery steps (in the correct order) are in the article.
Three defenses that would have stopped this cold
- Subresource Integrity (SRI): pins a cryptographic hash to external scripts; a tampered file fails the hash check and never executes
- Content Security Policy (CSP): a proper `connect-src` directive would have blocked the exfiltration request to `tidio.cc` even after the malicious script ran
- Vendor diversity: OptinMonster, TrustPulse, and PushEngage all share one company's CDN infrastructure; one compromised key took down all three simultaneously
I wrote up the full attack chain, the four-step compromise check, the five-step recovery process, and working SRI/CSP examples here:
🔗 https://devencyclopedia.com/blog/wordpress-cdn-supply-chain-attack-2026
What's your take, should "vendor concentration" be a standard line item in security audits now?
Top comments (1)
Hi dev_encyclopedia, sorry to hear about the recent WordPress hack. Are you struggling to keep your plugins up-to-date? Clypify can help you automate content publishing and reduce the risk of security breaches. Free plan at clypify.com — no card needed.