Popular WordPress redirect plugin found with years-old backdoor

Quick Page/Post Redirect was pulled from WordPress.org after researchers linked older installs to a dormant code-execution backdoor.

Quick Page/Post Redirect removed for review

A widely used WordPress redirect plugin has been temporarily removed from WordPress.org after a hidden backdoor was traced to versions distributed years ago. Quick Page/Post Redirect, used to manage page, post and custom URL redirects, has more than 70,000 active installations.

The issue was uncovered by Austin Ginder, founder of WordPress hosting provider Anchor, after security alerts surfaced on a dozen customer sites. It’s unclear whether the original developer inserted the code or the project was compromised.

External update channel raised the risk

Ginder found that official versions 5.2.1 and 5.2.2, released between 2020 and 2021, harbored a concealed self-update mechanism that contacted an external anandnet[.]com domain. That channel allowed code to be pushed outside the normal WordPress.org review process.

In March 2021, sites running those versions reportedly received a modified 5.2.3 build from the external server. The tampered package had a different hash from the WordPress.org version and introduced a passive backdoor designed to stay hidden.

Backdoor appears linked to SEO spam

The malicious code appears to have triggered only for logged-out visitors, helping it evade detection by administrators. It plugged itself into WordPress content rendering and fetched instructions from external Anandnet infrastructure—behavior consent with cloaked parasite or SEO spam-injection campaigns.

The bigger concern is the update mechanism itself. Even if the command-and-control (C2) subdomain is dormant, affected installs may still contain code that can accept arbitrary updates if the infrastructure becomes reachable again.

What site owners should know

Administrators using Quick Page/Post Redirect should audit installed versions, especially 5.2.1, 5.2.2 and externally delivered 5.2.3 builds. Security teams should compare plugin hashes, inspect outbound requests, and review indexed pages for injected spam.

The recommended mitigation is to remove the plugin altogether and replace it only with a clean WordPress.org copy of version 5.2.4 when it becomes available again. Until then, affected websites should treat the plugin as a supply-chain risk.