
WordPress Quick Page/Post Redirect Plugin Hid Backdoor for Five Years, Affecting 70,000+ Sites


The Quick Page/Post Redirect Plugin — installed on more than 70,000 WordPress sites — contained a dormant backdoor for approximately five years that allowed attackers to silently run SEO spam operations and execute arbitrary code on affected installations. The backdoor was discovered by Austin Ginder, founder of managed WordPress hosting provider Anchor, after 12 sites in his fleet triggered security alerts.

WordPress Quick Page Post Redirect Backdoor: What We Know So Far

The backdoor was introduced in versions 5.2.1 and 5.2.2 of the plugin, released in 2020–2021. It implemented a hidden self-update mechanism that phoned home to an external domain, anadnet[.]com, which the attacker operated as a covert command-and-control channel.

The malicious code hooked into WordPress’s the_content filter and was deliberately designed to remain invisible to site administrators: it activated only for logged-out users, ensuring that anyone with an admin session reviewing their own site would see nothing unusual. This passive evasion strategy allowed the backdoor to operate undetected across tens of thousands of installations for years.

In February 2021, WordPress.org removed the plugin from its repository. In March 2021, sites that still had the plugin installed received a tampered version 5.2.3 pushed through the backdoor’s self-update mechanism, which introduced a more refined passive backdoor payload. Sites running any of the affected versions (5.2.1, 5.2.2, or 5.2.3) should be treated as compromised.

According to Ginder, the backdoor “was renting Google ranking on seventy thousand websites back to whoever was operating that backchannel in 2021.” In practice, this means the attacker used affected sites to host and serve SEO spam — fake pages and redirect chains that inflated rankings for third-party domains — while site owners had no visibility into the manipulation.

No CVE has been assigned at the time of writing. No vendor advisory is available; it is not yet established whether the backdoor was introduced by the plugin author or an attacker who gained commit access. Monitor the WordPress.org plugin page and the Wordfence vulnerability database for CVE assignment and further analysis.

Why the WordPress Quick Page Post Redirect Backdoor Matters

The five-year gap between introduction and discovery is the most significant aspect of this incident. It demonstrates that supply chain attacks on WordPress plugins can achieve years of undetected persistence when the malicious update mechanism is designed to be passive and user-conditional.

The affected plugin’s self-update capability — which bypassed WordPress’s native update infrastructure entirely — gave the attacker persistent, renewable control: even if the initial payload was removed from a site, the backdoor could re-push new code via the anadnet[.]com update channel. This is a design pattern that security teams should recognise as a high-risk indicator in any plugin performing out-of-band update fetches.

The SEO spam operation, while financially motivated rather than directly destructive, had secondary consequences for site owners: search engine penalties, ranking degradation, and potential placement on blocklists for serving spam content. Any site running affected versions since 2020 should audit its search console data for unexplained ranking shifts or new indexed pages that the site owner did not create.

WordPress Quick Page Post Redirect Backdoor: What You Should Do Now

  1. Identify exposure. Check your WordPress installations for the Quick Page/Post Redirect plugin (slug: quick-pagepost-redirect-plugin). To enumerate via WP-CLI, run:
    wp plugin list --status=active,inactive,must-use | grep quick-pagepost

  2. Deactivate and remove immediately. Do not wait for a patched version; there is no safe version currently available on WordPress.org. Deactivate and delete the plugin:
    wp plugin deactivate quick-pagepost-redirect-plugin && wp plugin delete quick-pagepost-redirect-plugin

  3. Audit for indicators of compromise. Search the site’s files for references to anadnet[.]com:
    grep -r "anadnet" /path/to/wordpress/ --include="*.php"

    Also check wp-content/plugins/quick-pagepost-redirect-plugin/ for any unexpected PHP files or modified timestamps.

  4. Check the_content hooks. Review the callbacks registered on the the_content filter for anything unexpected; the backdoor registered itself there. Use a plugin like Query Monitor in a staging environment, or audit functions.php and active plugins directly.

  5. Review Search Console for SEO anomalies. Log into Google Search Console and check for pages indexed under your domain that you did not create. If you find spam pages, submit a removal request and monitor for penalties. Consider filing a Google Search Console spam report.

  6. Rotate credentials on affected sites. Because the backdoor had arbitrary code execution capability via the self-update mechanism, treat affected installations as fully compromised. Rotate all WordPress admin passwords, database credentials, and any API keys stored in wp-config.php.
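
The file-level parts of steps 1 and 3 can be run across many document roots without WP-CLI. The script below is an added example, not code from the article or the plugin; it assumes the plugin's Version: header sits in a top-level PHP file of its directory, and the function names and the script name audit.sh are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: file-level audit of WordPress roots, usable where WP-CLI is absent.
SLUG="quick-pagepost-redirect-plugin"   # plugin slug given in the article
IOC="anadnet"                           # string the article says to grep for
AFFECTED="5.2.1 5.2.2 5.2.3"            # backdoored versions named in the article

# Print the "Version:" plugin header from the plugin's top-level PHP files.
plugin_version() {
  local dir="$1/wp-content/plugins/$SLUG"
  [ -d "$dir" ] || return 0
  grep -hiE '^[[:space:]/*#@]*Version:' "$dir"/*.php 2>/dev/null | head -n1 |
    sed -E 's/.*[Vv]ersion:[[:space:]]*//; s/[[:space:]]*$//'
}

# Print: absent | affected (listed version) | present (any other version).
plugin_status() {
  local root="$1" v
  [ -d "$root/wp-content/plugins/$SLUG" ] || { echo absent; return 0; }
  v="$(plugin_version "$root")"
  case " $AFFECTED " in
    *" $v "*) echo affected ;;
    *)        echo present ;;
  esac
}

# List PHP files anywhere under the root that contain the IoC string.
ioc_files() {
  grep -rlF --include='*.php' "$IOC" "$1" 2>/dev/null | sort
}

# Report one root; return 0 only if the plugin is absent and no file matches.
audit_root() {
  local root="$1" status hits
  status="$(plugin_status "$root")"
  hits="$(ioc_files "$root")"
  echo "$root: plugin=$status version=$(plugin_version "$root")"
  if [ -n "$hits" ]; then printf '%s\n' "$hits" | sed 's/^/  IoC match: /'; fi
  [ "$status" = absent ] && [ -z "$hits" ]
}

# Usage: ./audit.sh /var/www/site1 /var/www/site2   (paths are placeholders)
for root in "$@"; do
  audit_root "$root" || echo "  -> work through steps 2-6 for $root"
done
```

A status of "present" still calls for removal, since the article states that no safe version is available.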

Detection and Verification Checklist

  • [ ] WP-CLI plugin list confirms quick-pagepost-redirect-plugin is present or absent
  • [ ] grep -r "anadnet" /path/to/wordpress/ returns no results
  • [ ] Plugin directory timestamp on quick-pagepost-redirect-plugin/ has been reviewed
  • [ ] No unexpected callbacks registered on the_content filter
  • [ ] Google Search Console shows no spam-indexed pages under your domain
  • [ ] WordPress admin passwords and wp-config.php credentials rotated
  • [ ] Plugin version confirmed not 5.2.1, 5.2.2, or 5.2.3 (remove entirely; no clean version yet available)



Sources: BleepingComputer, Wordfence Intelligence, WPScan
