On April 7, attackers hijacked the official update servers for Smart Slider 3 Pro — a WordPress plugin with over 800,000 active installations — and pushed a poisoned version containing a full remote access toolkit. If your site auto-updated to version 3.5.1.35 during a six-hour window, attackers may already have admin access, your database credentials, and a backdoor that survives plugin removal. Here’s exactly what happened, how to check if you’re compromised, and how to clean your site.
What happened to Smart Slider 3 Pro
This wasn’t a vulnerability in the plugin’s code. Attackers went after something more valuable: Nextend’s update infrastructure itself. They gained access to the servers that distribute plugin updates and swapped in a fully weaponized build — version 3.5.1.35 — through the official update channel.
Any WordPress site running Smart Slider 3 Pro that updated between the malicious release and its detection roughly six hours later received the backdoored version automatically. The free version of Smart Slider 3 is not affected — only the Pro edition.
This is what’s known as a supply chain attack: instead of hacking your site directly, attackers compromise the trusted source you download updates from. You didn’t do anything wrong. You just updated your plugin — exactly what every security guide tells you to do.
What the malware actually does
The backdoored version isn’t subtle. Patchstack’s analysis reveals a multi-layered attack kit designed for long-term access:
- Hidden admin account — the malware creates a rogue administrator (username like “wpsvc_a3f1”) and hides it from the WordPress user list by tampering with admin filters. You won’t see it in your Users dashboard without checking the database directly.
- Unauthenticated remote execution — a backdoor baked into the plugin lets attackers execute arbitrary PHP and OS commands via crafted HTTP headers. No login required.
- Credential theft — the malware steals your WordPress admin email, database name, plaintext username and password, site URL, and PHP version. All of it gets sent to a command-and-control server at wpjs1[.]com.
- Multi-layer persistence — even if you delete the plugin, the malware survives through three separate mechanisms: a fake “caching” file in the mu-plugins directory (which WordPress loads automatically), injected code in your active theme’s functions.php, and stored credentials in the database.
This isn’t a drive-by defacement. It’s a toolkit built for persistent, silent access.
How to check if your site is compromised
Only one version is affected: Smart Slider 3 Pro 3.5.1.35. If you’re on any other version, you’re fine. Here’s how to check:
Step 1: Check your plugin version
Go to wp-admin > Plugins and find Smart Slider 3 Pro. If it says 3.5.1.35, your site was likely compromised during the six-hour window. If it says 3.5.1.34 or 3.5.1.36, you’re safe.
Step 2: Look for unknown admin accounts
Go to wp-admin > Users and filter by Administrator role. Look for any account you don’t recognize — especially usernames like “wpsvc_a3f1”. But remember, the malware hides this account from the admin UI. For a thorough check, run this SQL query in phpMyAdmin or your database tool:
SELECT * FROM wp_users WHERE user_login NOT IN ('your_known_admin_usernames');
Step 3: Check the mu-plugins directory
Using your hosting file manager or FTP, navigate to wp-content/mu-plugins/. This is a special WordPress directory — files here load automatically on every page. Look for any file you didn’t put there, especially anything pretending to be a caching component.
Step 4: Inspect your theme’s functions.php
Open your active theme’s functions.php file and scroll to the bottom. Look for unfamiliar code blocks — the malware injects a backdoor here that persists even if you remove the plugin.
How to clean your site — step by step
If you found signs of compromise, here’s the full cleanup procedure based on the official advisory:
1. Update Smart Slider 3 Pro to version 3.5.1.36 — this removes the malicious plugin code
2. Delete the hidden admin account — find and remove the rogue user from your database
3. Remove malicious database entries — in your wp_options table, delete these rows: _wpc_ak, _wpc_uid, _wpc_uinfo, _perf_toolkit_source, and wp_page_for_privacy_policy_cache
4. Clean wp-config.php — open this file in your site root and remove the line define('WP_CACHE_SALT', '<token>'); if it exists
5. Scan the mu-plugins directory — delete any suspicious files from wp-content/mu-plugins/
6. Check your theme’s functions.php — remove any injected code blocks you don’t recognize
7. Change ALL admin passwords — every administrator account, not just the compromised one
8. Reset database credentials — update your database password in both your hosting panel and wp-config.php
9. Run a full malware scan — use Wordfence or Sucuri SiteCheck for a comprehensive sweep
Don’t skip steps 7 and 8. The malware exfiltrated plaintext credentials — changing the plugin doesn’t un-steal your passwords.
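The checks and cleanup targets above can be verified in one read-only pass, both before cleanup and afterwards to confirm nothing was missed. This is an added example, not code from the advisory or the plugin vendor; it assumes WP-CLI is available and that you fill in `$known_admins` yourself, and it only looks for the indicators this article names.

```php
<?php
// Added example: read-only check for the indicators named in this article.
// Run with WP-CLI: wp eval-file check-indicators.php (file name is arbitrary).
global $wpdb;
$findings = [];

// Assumption: replace with the administrator logins you expect to exist.
$known_admins = ['your_known_admin_username'];

// Administrators are read straight from the tables, not through the Users
// screen whose filters the malware tampers with.
$admins = $wpdb->get_col($wpdb->prepare(
    "SELECT u.user_login FROM {$wpdb->users} u
       JOIN {$wpdb->usermeta} m ON m.user_id = u.ID
      WHERE m.meta_key = %s AND m.meta_value LIKE %s",
    $wpdb->prefix . 'capabilities',
    '%' . $wpdb->esc_like('"administrator"') . '%'
));
foreach (array_diff($admins, $known_admins) as $login) {
    $findings[] = "unexpected administrator account: $login";
}

// Option rows the cleanup steps say to delete.
$rows = ['_wpc_ak', '_wpc_uid', '_wpc_uinfo', '_perf_toolkit_source',
         'wp_page_for_privacy_policy_cache'];
foreach ($rows as $name) {
    $count = $wpdb->get_var($wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->options} WHERE option_name = %s", $name));
    if ($count > 0) {
        $findings[] = "wp_options row present: $name";
    }
}

// wp-config.php may sit in the site root or one level above it.
foreach ([ABSPATH . 'wp-config.php', dirname(ABSPATH) . '/wp-config.php'] as $cfg) {
    if (is_readable($cfg) && preg_match('/define\(\s*[\'"]WP_CACHE_SALT[\'"]/', file_get_contents($cfg))) {
        $findings[] = "WP_CACHE_SALT defined in $cfg";
    }
}

// Must-use plugins and the active theme's functions.php are listed with their
// modification time so a human can review anything they did not put there.
$files = glob(WPMU_PLUGIN_DIR . '/*.php') ?: [];
$files[] = get_stylesheet_directory() . '/functions.php';
$review = [];
foreach (array_filter($files, 'is_file') as $file) {
    $review[] = 'review: ' . $file . ' (modified ' . gmdate('c', filemtime($file)) . ')';
}

$findings = $findings ?: ['no listed database or wp-config indicators found'];
echo implode("\n", array_merge($findings, $review)), "\n";
```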
WordPress supply chain attacks are getting worse
Smart Slider isn’t an isolated incident. Supply chain attacks on WordPress plugins have become a pattern in 2026:
| Attack | Date | Impact | Method |
|---|---|---|---|
| Smart Slider 3 Pro | April 2026 | 800K+ installs | Compromised update server |
| Gravity Forms | 2026 | ~1M installs | Compromised vendor infrastructure |
| Essential Plugin / Countdown Timer | 2026 | Thousands of sites | Plugin purchased, then backdoored |
| AccessPress Themes | 2021-2022 | 93 plugins/themes | Compromised developer accounts |
The pattern is consistent: attackers aren’t finding bugs in plugin code anymore. They’re targeting the infrastructure that delivers updates — because one compromised update server can infect thousands of sites in hours.
WordPress’s auto-update system, designed to keep sites patched and secure, has become the attack vector itself. The trust model assumes that an update from the official channel is safe. These attacks prove it isn’t always.
How to protect your WordPress site going forward
You can’t prevent every supply chain attack, but you can limit your exposure:
- Delay auto-updates by 24-48 hours — give the security community time to catch poisoned releases before your site installs them. WordPress lets you control this via the auto_update_plugin filter.
- Use a web application firewall (WAF) — services like Wordfence, Sucuri, or Cloudflare can block suspicious requests even if a backdoor is installed.
- Monitor your admin accounts — set up alerts for new user registrations, especially at the administrator level.
- Keep daily backups stored off-server — if you get hit, a clean backup from before the attack is your fastest recovery path. Services like UpdraftPlus or your hosting provider’s backup tool work well.
- Audit your plugins regularly — remove any plugin you’re not actively using. Every installed plugin is attack surface.
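One way to implement the 24-48 hour delay with the auto_update_plugin filter, as an added example (not from the original article or from WordPress itself). The update offer carries no release timestamp, so the code records when this site first saw each plugin version and holds the auto-update until 48 hours have passed; the option name `example_update_first_seen` and the file placement are assumptions.

```php
<?php
/**
 * Plugin Name: Delay plugin auto-updates (added example)
 * Assumption: saved as a single file you control, e.g. in wp-content/mu-plugins/.
 */
add_filter('auto_update_plugin', function ($update, $item) {
    // Only act when WordPress was already going to auto-update this plugin
    // and the offer identifies the plugin file and the target version.
    if (!$update || empty($item->plugin) || empty($item->new_version)) {
        return $update;
    }

    // Hypothetical option name; maps "plugin-file@version" to first-seen time.
    $seen = get_option('example_update_first_seen', []);
    $key  = $item->plugin . '@' . $item->new_version;

    if (!isset($seen[$key])) {
        // First time this version is offered: start the clock, do not install.
        $seen[$key] = time();
        update_option('example_update_first_seen', $seen, false);
    }

    // Allow the update only once the version has been on offer for 48 hours.
    // Until then each update run re-evaluates the offer and skips it.
    return (time() - $seen[$key]) >= 48 * HOUR_IN_SECONDS;
}, 10, 2);
```

The delay is measured from when this site first saw the version, not from the vendor's release time, so the hold is at least 48 hours. A version withdrawn by the vendor during that window is never installed.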
The free version of Smart Slider 3 was not affected this time. But the broader lesson applies to every WordPress plugin: automatic trust in updates is a liability.
Check your Smart Slider version right now. If you’re on 3.5.1.35, follow the cleanup steps above immediately.
Frequently asked questions
1. Is the free version of Smart Slider 3 affected?
No. Only Smart Slider 3 Pro version 3.5.1.35 is affected. The free version available on WordPress.org was not compromised. If you’re running the free edition, no action is needed.
2. How do I know if my site was hacked?
Check your Smart Slider 3 Pro version in wp-admin > Plugins. If it shows 3.5.1.35, you’re likely compromised. Also look for unknown admin accounts, unexpected files in wp-content/mu-plugins/, and unfamiliar code in your theme’s functions.php file.
3. I updated to 3.5.1.36 — am I safe now?
Updating removes the malicious plugin code, but it doesn’t clean up the persistence mechanisms. The malware installs backdoors in your theme files, mu-plugins directory, and database. Follow the full cleanup checklist above — updating the plugin alone isn’t enough.
4. What is a supply chain attack?
A supply chain attack targets the trusted delivery system rather than the end product. Instead of finding a bug in the Smart Slider code, attackers compromised the servers that distribute updates. When your site auto-updated, it received the malicious version from what appeared to be the official source.
5. What data was stolen?
The malware exfiltrates your site URL, WordPress admin email, database name, plaintext admin username and password, PHP version, WordPress version, and a list of installed persistence methods. All of this was sent to the attacker-controlled domain wpjs1[.]com.
6. Should I stop using auto-updates?
Not entirely — unpatched plugins are still the #1 WordPress attack vector. Instead, delay auto-updates by 24-48 hours. This gives the security community time to flag compromised releases while still keeping your site reasonably current.
7. Can Wordfence or Sucuri detect this backdoor?
Yes. Both Wordfence and Sucuri have updated their malware signatures to detect the Smart Slider 3 Pro backdoor. Running a full scan with either tool will flag the malicious files and database entries. However, manual cleanup following the steps above is still recommended for completeness.
8. Is Joomla affected too?
Yes. The supply chain compromise also impacted the Joomla version of Smart Slider 3 Pro 3.5.1.35. Joomla users should follow the Joomla-specific advisory from Smart Slider’s documentation.