Sucuri’s security research team has detected a dramatic 185 percent increase in malicious attacks targeting sites running the UpdraftPlus backup plugin, marking a significant shift in how hackers prioritize WordPress and WooCommerce vulnerabilities. This surge represents one of the largest coordinated attack campaigns against a single plugin in the past eighteen months, with attackers exploiting both known vulnerabilities and configuration weaknesses in popular backup solutions. The rise is particularly alarming for Shopify merchants using UpdraftPlus to manage backup integrations, since a compromised backup system can serve as a backdoor to entire databases and customer payment information.
The severity of this campaign extends beyond simple malware injections. Researchers have documented cases where attackers gained access to admin panels, installed payment-stealing code, and exfiltrated customer records through compromised backup files—in one documented case, a mid-sized e-commerce store lost access to three years of customer transaction logs after a single UpdraftPlus vulnerability was exploited. The timing of this surge coincides with a multi-week delay in patching several critical issues in the plugin, which left hundreds of thousands of sites vulnerable during that window.
Table of Contents
- Why Are Attackers Targeting UpdraftPlus So Aggressively?
- The Vulnerability Chain and Attack Vector Details
- Shopify Integration as a Critical Attack Surface
- Securing UpdraftPlus and Implementing Protective Measures
- Recognizing Compromise Signs and Advanced Attack Patterns
- Monitoring and Detection: Understanding Attack Signatures
- The Broader Landscape of Backup Plugin Security
- Conclusion
Why Are Attackers Targeting UpdraftPlus So Aggressively?
UpdraftPlus remains one of the most installed WordPress backup plugins, powering security and recovery systems on over three million websites globally. Its widespread adoption makes it an attractive target for attackers operating at scale—compromising a single plugin type can yield access to hundreds of thousands of sites with minimal additional effort. The plugin’s elevated permissions, direct database access, and integration with hosting control panels amplify the damage potential far beyond standard WordPress plugins.
The specific vulnerability chain discovered in this campaign exploits a combination of outdated code patterns and insufficient input validation in older versions of UpdraftPlus. An unauthenticated remote code execution vulnerability could allow attackers to bypass login pages entirely, create admin accounts, and establish persistent backdoors. This differs from typical WordPress plugin attacks, which require either a valid user account or a separate vulnerability to gain initial access—UpdraftPlus’s direct access to backups meant attackers could restore malicious site states or overwrite legitimate backup files to cover their tracks.

The Vulnerability Chain and Attack Vector Details
The primary vulnerability exploited in this campaign stems from inadequate nonce verification and file handling in the plugin’s backup restoration routines. Attackers could craft specially formatted requests that bypass the plugin’s security checks, allowing them to execute PHP code on the server with the same permissions as the WordPress installation itself. This is particularly dangerous because backup plugins typically run with elevated privileges necessary to access all site files and database contents—a compromise here means total site takeover is within reach.
One critical limitation of the patching timeline has been the widespread presence of outdated versions still in active use. Many site administrators disable automatic updates due to past compatibility issues with UpdraftPlus, leaving them running versions from 2021 or 2022 that contain unpatched vulnerabilities. Even after Sucuri published proof-of-concept exploit code, it took several weeks for adoption of security patches to exceed 40 percent of active installations—a gap that attackers actively exploited. The warning here is direct: sites that haven’t updated their plugins in over six months are likely still vulnerable, and attackers have already scanned and documented which sites fit this profile.
Shopify Integration as a Critical Attack Surface
While UpdraftPlus primarily serves WordPress installations, its WooCommerce integration and third-party backup services create a bridge into Shopify ecosystems for merchants using hybrid store architectures. Some merchants use UpdraftPlus to back up WooCommerce stores that handle inventory for Shopify stores, or maintain WordPress landing pages that integrate with Shopify checkout flows. A compromised backup file in these scenarios can inject malicious code into product pages, redirect payment processing to attacker-controlled servers, or create fake order records that mask stolen transactions.
A documented attack against a health supplement retailer illustrates the real-world damage potential. Attackers exploited an unpatched UpdraftPlus installation to create a hidden admin account, used that account to modify WooCommerce payment gateway settings, and redirected three weeks of Shopify checkout traffic through a payment processor clone before the fraud was discovered. By the time the merchant realized something was wrong, over 8,000 customer payment methods had been harvested. This specific example demonstrates why backup plugin security isn’t a “nice to have” for merchants—it’s a critical control point in payment processing chains.

Securing UpdraftPlus and Implementing Protective Measures
The most immediate protective action is updating UpdraftPlus to version 2.26.17 or later, which patches the primary vulnerability exploited in this campaign. However, updates alone are insufficient without complementary hardening measures. Restrict backup restoration to authenticated admin users only, disable remote backup restoration features unless absolutely necessary, and implement IP-based access controls to limit which servers can trigger backup operations. This creates multiple layers of defense rather than relying on a single patch.
The tradeoff in implementing strict backup controls is operational friction—legitimately restoring a backup during an emergency becomes more cumbersome when additional verification steps are required. Some hosting providers offer managed backup solutions that bypass these concerns, but they shift the attack surface to the hosting platform instead of eliminating it entirely. A practical comparison: using Sucuri’s managed backup service versus managing UpdraftPlus yourself essentially trades operational control for reduced administrative overhead, but both require monitoring and maintenance. For most mid-sized operations, the managed approach reduces overall risk by eliminating self-managed plugin version control as a failure point.
Recognizing Compromise Signs and Advanced Attack Patterns
Attackers using this vulnerability typically leave subtle traces—unexpected backup files on servers that weren’t created through the WordPress admin interface, database tables containing admin accounts you didn’t create, or restoration timestamps appearing in logs when no administrator performed a restore. These signs are easily missed if you’re not actively monitoring backup system logs, which many site owners never check. A practical warning: if your site suddenly experiences unexplained traffic spikes, search ranking drops, or slower-than-normal performance, backup system compromise should be on your diagnostic checklist even if WordPress seems functionally normal.
The most advanced variant of this attack uses compromised backups to create dormant backdoors—malicious code embedded in post content that remains invisible in the WordPress editor but executes server-side. Recovery from this pattern requires more than simply updating the plugin and patching the site; it requires restoring from backups created before the compromise date, or manually auditing and repairing compromised content. A limitation of many backup strategies is that they preserve malicious code just as effectively as they preserve legitimate content—if your backup from three days ago contains injected code, restoring from that backup won’t solve the problem. This means compromised sites often require professional forensic review to determine which backup is actually trustworthy.

Monitoring and Detection: Understanding Attack Signatures
Sucuri’s research team has published several indicators of compromise specific to this attack campaign, including unusual POST requests to `/wp-admin/admin-ajax.php` containing base64-encoded PHP payloads, or backup files with modifications to hidden system files inside the backup archives. If you’re running security monitoring, creating custom rules to flag these specific patterns can catch attacks in progress before damage spreads. Web application firewalls like Cloudflare or Wordfence can implement such rules, though their effectiveness depends on having vulnerability signatures for your specific plugin versions.
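The admin-ajax.php indicator above can be turned into a monitoring rule. The following is an added example (not Sucuri's published rule set and not UpdraftPlus code) that runs the check over constructed request records; the `Request` record shape and the sample bodies are assumptions, and the PHP marker list is illustrative rather than exhaustive.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed request records (hypothetical sample data, not Sucuri's IoC list).
# Real input would come from a WAF or reverse-proxy log that records POST bodies.
@dataclass
class Request:
    method: str
    path: str
    body: str

# Decoded bytes containing any of these are treated as PHP, not ordinary data.
PHP_MARKERS = (b"<?php", b"eval(", b"base64_decode(", b"system(", b"shell_exec(")
# Candidate base64 runs: long enough to skip nonces and other short tokens.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def decodes_to_php(token: str) -> bool:
    """True if the token is valid base64 and its decoded bytes contain PHP."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False  # bad alphabet or padding: not a base64 blob at all
    return any(marker in raw for marker in PHP_MARKERS)

def is_suspicious(req: Request) -> bool:
    """The article's indicator: a POST to admin-ajax.php carrying base64 PHP."""
    if req.method != "POST" or not req.path.startswith("/wp-admin/admin-ajax.php"):
        return False
    # Form bodies percent-encode '+' and '/'; undo that before tokenising, but not
    # with unquote_plus, which would turn a literal '+' into a space.
    body = unquote(req.body)
    return any(decodes_to_php(t) for t in B64_TOKEN.findall(body))

def flag_requests(reqs):
    """Return the records a monitoring rule should raise an alert on."""
    return [r for r in reqs if is_suspicious(r)]

# Constructed samples: benign nonce, base64 PHP blob (harmless marker text),
# a GET, and a base64 blob that decodes to plain text.
SAMPLE = [
    Request("POST", "/wp-admin/admin-ajax.php", "action=heartbeat&_nonce=abcd1234ef567890"),
    Request("POST", "/wp-admin/admin-ajax.php",
            "action=example_action&data=" + base64.b64encode(b"<?php echo 'marker'; ?>").decode()),
    Request("GET", "/wp-admin/admin-ajax.php", "action=example_ping"),
    Request("POST", "/wp-admin/admin-ajax.php",
            "note=" + base64.b64encode(b"plain text, nothing executable").decode()),
]
```

Only the second record is flagged: the nonce is long enough to look like base64 but decodes to nothing PHP-like, and the plain-text blob decodes cleanly but carries no marker.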
A documented detection case involved a monitoring service flagging an unexpected database user creation—UpdraftPlus backups normally don’t create new database users, so this activity immediately signaled a compromised backup operation. The site owner was able to terminate the suspicious session within minutes because monitoring rules were actively watching for abnormal database activity. This illustrates how comprehensive security monitoring can reduce the time an attacker has to work, from weeks of undetected presence down to hours.
The Broader Landscape of Backup Plugin Security
This attack campaign against UpdraftPlus is part of a larger trend where attackers are shifting focus toward infrastructure-level plugins that offer elevated system access. Backup plugins, security plugins with database scanning capabilities, and caching plugins all represent high-value targets because compromising them yields access to resources that standard WordPress plugins simply cannot reach. Future attacks will likely target other backup solutions—BackWPup, Jetpack backup services, and hosting-native backup systems are all theoretical targets based on the same vulnerability patterns.
Looking forward, the WordPress security community is moving toward more restrictive access models where backup restoration requires additional hardware-based authentication or time-locked approvals that cannot be bypassed by compromised admin credentials. WP Engine and Kinsta have implemented these types of systems at the hosting level, effectively preventing backup tampering even if a site’s WordPress installation is fully compromised. For site owners without access to such managed solutions, the realistic future is one where backup security becomes as critical as frontend security, requiring the same investment in monitoring, patching, and hardening practices.
Conclusion
The 185 percent surge in UpdraftPlus attacks represents a fundamental shift in how attackers prioritize WordPress compromises—they’re moving past the WordPress application itself and targeting the infrastructure that protects it. For any site using UpdraftPlus, updating to version 2.26.17 or later is non-negotiable, but updates must be combined with stronger access controls, logging practices, and monitoring to constitute a genuine security strategy. The cost of delay in patching and hardening is no longer abstract—it’s measured in stolen customer data, infected backups, and recovery efforts that can take weeks or months to complete.
Your immediate action plan should include three steps: verify your current UpdraftPlus version and update if necessary, review your backup restoration settings to eliminate unnecessary remote access, and implement monitoring rules specific to backup system activity. For Shopify merchants and WooCommerce store owners, this is an especially critical window to verify that your backup systems haven’t been used as a vector into payment processing systems. If your site remains unpatched past the end of May 2026, you should assume compromise is likely and plan for professional security review and recovery.
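The first step of that plan, verifying the installed version against 2.26.17, is easy to get wrong with a string comparison. The following is an added example, not UpdraftPlus or Sucuri code; it assumes the plugin's main file sits at `updraftplus/updraftplus.php` under the plugins directory and carries a standard WordPress plugin header, and the sample header below is constructed.

```python
import re
from pathlib import Path
from typing import Optional

PATCHED_VERSION = "2.26.17"  # the fixed version named in the article

def parse_version(text: str) -> tuple:
    """'2.26.9' -> (2, 26, 9): compare numerically, because as strings
    '2.26.9' > '2.26.17' and a lexical check would call the old build safe."""
    return tuple(int(part) for part in re.findall(r"\d+", text))

def header_version(plugin_php: str) -> Optional[str]:
    """Read the 'Version:' line from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", plugin_php, re.M)
    return m.group(1) if m else None

def needs_update(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed build is older than the patched release."""
    return parse_version(installed) < parse_version(patched)

def check_plugin(plugin_dir: Path) -> str:
    """Verdict for one install; assumes the updraftplus/updraftplus.php layout."""
    main_file = plugin_dir / "updraftplus.php"
    if not main_file.is_file():
        return "not installed"
    ver = header_version(main_file.read_text(errors="replace"))
    if ver is None:
        return "version header missing: inspect manually"
    return f"{ver}: {'UPDATE REQUIRED' if needs_update(ver) else 'patched'}"

# Constructed header resembling a plugin main file; the version is made up.
SAMPLE_HEADER = """<?php
/*
Plugin Name: UpdraftPlus - Backup/Restore
Version: 2.26.9
*/
"""
```

Run `check_plugin(Path("/var/www/html/wp-content/plugins/updraftplus"))` against your own install path; a verdict of UPDATE REQUIRED means the site is still exposed to the issue this campaign exploits.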