Cybersecurity researchers have discovered that an attack targeting Awesome Motive’s infrastructure may have exposed many WordPress sites using some of its popular plugins, including OptinMonster, TrustPulse and PushEngage.
This technique, known as a supply chain attack, allows hackers to infect several sites at once by compromising a trusted vendor rather than attacking each site individually.
According to analyses published by Sansec and relayed by several specialized media outlets, the malicious code made it possible, among other things, to:
- Create hidden administrator accounts;
- Install backdoors;
- Remotely take control of WordPress sites;
- Execute malicious commands without the owners’ knowledge.
Several security reports also indicate that the compromised infrastructure may have affected other products using the same external resources or shared libraries. As a precaution, administrators of sites using solutions from the Awesome Motive ecosystem should review all of their plugins and monitor the official communications from the vendors concerned.
Awesome Motive products that warrant a preventive check include:
- WPForms
- MonsterInsights
- WP Mail SMTP
- SeedProd
- AIOSEO
- UserFeedback
- Pretty Links
- RafflePress
- SearchWP
- AffiliateWP
Important: at this time, not all of the products listed above have been confirmed as compromised. They are simply associated with the same software ecosystem and warrant an additional security check until the investigations are complete. Administrators should follow the official advisories published by the vendors and security researchers.
References: https://securityaffairs.com/193616/malware/supply-chain-attack-hits-popular-wordpress-plugins-through-awesome-motive-cdn.html and https://thehackernews.com/2026/06/popular-wordpress-plugin-scripts.html
Why is this type of attack so dangerous?
Cybercriminals frequently use compromised servers to send spam, host malware, mine cryptocurrency or take part in distributed denial-of-service (DDoS) attacks.
In a shared hosting environment, a single infected site can quickly consume an excessive amount of CPU, memory or bandwidth. The result is often visible quickly:
- Extremely slow websites;
- 500 or 503 errors;
- Temporary server outages;
- Suspension of the hosting account by the provider;
- Degraded performance for all other sites hosted on the same server.
DDoS attacks are particularly problematic. They involve using thousands of compromised systems to generate a massive volume of traffic toward a target. An infected WordPress site can thus become, without its owner’s knowledge, a participant in an attack targeting another business or organization.
What to do if your WordPress site is compromised?
If you suspect that a malicious script or a hacker has compromised your site, it’s important to act quickly.
1. Contact your host and contact us: support@zaa.cc
2. Restore a clean backup
Your host can restore your site to an earlier date. Since it’s hard to determine the entry point of malware or a script, if the infection is significant, the fastest and safest method is often to restore a backup from before the compromise.
3. Change all passwords
With our help, immediately change:
- WordPress accounts;
- The FTP/SFTP account;
- The hosting account;
- Your site’s cPanel;
- The database;
- The associated email accounts;
- The API keys used by the site.
A REMINDER ABOUT PASSWORDS
Choose a unique password of 16 to 24 random alphanumeric characters, with special characters, for each site, computer, account, etc. This is where a password manager makes your life easier! Use a password manager, such as LastPass, 1Password, Bitwarden or Google Password Manager, for your personal credentials and those of your organization. Some managers let you share passwords with other people; you can also use a service such as Password Pusher. In any case, never store your organization's passwords in cloud drives (Google, iCloud, Dropbox, SharePoint, etc.).
4. Remove backdoors
Ask your host to scan your site. Even after removing the visible malware, hackers often leave hidden access points that let them come back later. A full inspection of the files by your host is generally needed to make sure no backdoor remains.
5. Update WordPress, themes and plugins
Install the latest versions of all site components and remove unused plugins.
6. Strengthen security
Among the recommended best practices:
- Enable multi-factor authentication (MFA);
- Limit administrator access;
- Disable unused accounts;
- Install a web application firewall (WAF);
- Perform automated backups;
- Carry out periodic security audits.
Conclusion
The recent attack targeting OptinMonster, TrustPulse and PushEngage shows once again that even the most popular solutions can become an infection vector when targeted by a supply chain attack.
For businesses, the best defense remains a combination of rigorous updates, frequent backups, active monitoring and an incident response plan. The sooner a compromise is detected, the smaller the financial, operational and reputational impacts will be.
FAQ — WordPress attack and your site’s security
How can I tell if my WordPress site has been hacked?
Several signs may indicate a compromise:
- Your site is suddenly slower than usual;
- Unknown pages or links appear;
- Administrator users you didn’t create are present;
- Your host reports unusual activity;
- Your site redirects to another site;
- Google or your antivirus displays a security warning;
- Spam emails appear to be sent from your domain.
If you notice one of these symptoms, a security check is necessary.
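One way to check for administrator users you didn't create is to read the WordPress user tables directly and compare them with the list of administrators you expect. The following is an added example, not code from the vendors or researchers cited above; it assumes the default wp_ table prefix, uses an in-memory SQLite database with constructed rows in place of the site's MySQL database, and the account names and the known_admins list are hypothetical.

```python
import sqlite3

# Constructed sample rows (not from any real site). WordPress stores roles
# as a PHP-serialized array in usermeta under "<prefix>capabilities".
SAMPLE_USERS = [
    (1, "site_owner", "owner@example.com", "2021-03-02 10:15:00"),
    (2, "editor_amy", "amy@example.com", "2022-08-19 14:02:11"),
    (7, "wp_support_sync", "sync@example.net", "2026-06-01 03:41:27"),
]
SAMPLE_META = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]


def load_sample_db():
    """Build an in-memory stand-in for the wp_users / wp_usermeta tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, "
                 "user_email TEXT, user_registered TEXT)")
    conn.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, "
                 "meta_value TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?)", SAMPLE_META)
    return conn


def find_unexpected_admins(conn, known_admins, prefix="wp_"):
    """Return administrator rows whose login is not in known_admins."""
    # The prefix is interpolated into table names, so restrict its characters.
    if not prefix.replace("_", "").isalnum():
        raise ValueError("unexpected table prefix")
    rows = conn.execute(
        f"SELECT u.ID, u.user_login, u.user_email, u.user_registered "
        f"FROM {prefix}users u JOIN {prefix}usermeta m ON m.user_id = u.ID "
        f"WHERE m.meta_key = ? AND m.meta_value LIKE ? "
        f"ORDER BY u.user_registered DESC",  # newest accounts first
        (f"{prefix}capabilities", '%"administrator"%'),
    ).fetchall()
    known = {name.lower() for name in known_admins}
    return [row for row in rows if row[1].lower() not in known]


if __name__ == "__main__":
    for row in find_unexpected_admins(load_sample_db(), {"site_owner"}):
        print("REVIEW:", row)
```

Any account this reports should be reviewed with your host before it is deleted, since its registration date helps establish when the compromise began.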
Is my site at risk even if I don’t use OptinMonster, TrustPulse or PushEngage?
This attack mainly targets sites using the affected plugins. However, cybercriminals regularly target WordPress in various ways. Even if you don’t use these plugins, it’s important to keep WordPress, your themes and your plugins up to date.
My site seems to be working normally. Could I still be infected?
Yes. Some malware is designed to stay invisible for weeks or months. A compromised site may appear to work normally while being used to send spam, host malicious code or take part in DDoS attacks.
What is a DDoS attack?
A DDoS (Distributed Denial of Service) attack involves overwhelming a server or website with a massive volume of traffic in order to make it inaccessible.
Hackers often use thousands of compromised devices or sites to generate this traffic. An infected site can thus be used, without its owner’s knowledge, in an attack targeting another organization.
Can a compromised site affect the other sites on the same server?
Yes. In a shared hosting environment, an infected site can consume a large amount of server resources, which can slow down or destabilize the other sites hosted on the same infrastructure.
Should I change my passwords if my site is compromised?
Absolutely. You should immediately change:
- WordPress passwords;
- FTP or SFTP access;
- Hosting panel access;
- Database passwords;
- The email accounts associated with the site.
Can I simply delete the compromised plugin?
Not necessarily. If a hacker has already exploited the flaw, they may have installed backdoors or created hidden administrator accounts. A full site analysis is still recommended even after the plugin has been removed.
Does restoring a backup always fix the problem?
Often, but not always. If the backup was made after the compromise, it may already contain the malicious code. It’s important to restore a clean backup and verify that the initial flaw has been fixed.
How much does it usually cost to clean a hacked WordPress site?
The cost varies depending on the severity of the infection, the number of sites affected and the time required for analysis. Acting quickly is generally far less expensive than a compromise that remains active for several weeks.
How can I prevent this type of attack?
Best practices include:
- Keeping WordPress up to date;
- Updating themes and plugins regularly;
- Using multi-factor authentication (MFA);
- Performing automatic backups;
- Limiting administrator accounts;
- Installing a web application firewall (WAF);
- Carrying out periodic security audits.
What should I do if I think my site has been compromised?
Don’t panic and don’t delete files at random. First back up the site, then have the files, the database and the server logs analyzed to pinpoint the source of the problem and the corrective actions to take.
