Anchor Hosting · Traffic Report
April 13–29, 2026
anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/
Viral Recap · 17 Days · Supply-Chain Attack

30 plugins, one buyer,
backdoors in all of them.

A blog post detailing how a single buyer planted backdoors in 30+ WordPress plugins drove 61,932 visits and 74,659 pageviews over 17 days — the biggest viral run in anchor.host history. TechCrunch, Golem.de, t3n, TechRadar, JPCERT, Gigazine, BFM TV, and a YouTube video at 1.4K visits all carried the story.

74,659
Pageviews
across 17 days · 61,932 unique visits
2:38
Avg time on page
158 seconds — long-form security read
1,194
HN points · 341 comments
submitted by speckx
19,715
Peak day visits
April 14 — day TechCrunch published
Sequence of Events

How the spike actually unfolded

Eastern Time. The post sat for four days after the X share, then Reddit picked it up at 1:35 AM, HN hit the front page eight hours later, and TechCrunch published a dedicated article the following afternoon — driving the largest single day of the run.

Apr 99:12 AM EST
Posted on X
@austinginder shares the writeup — modest reach for 4 days.
Apr 131:35 AM EST
Posted to r/Wordpress
Key-Refrigerator3774 posts to the 302K-subscriber community at 1:35 AM EST.
Apr 134:42 AM EST
Cross-posted to r/woocommerce
shiftification mirrors it to a 47K e-comm community.
Apr 139:14 AM EST
Submitted to Hacker News
speckx posts the link — Anchor isn't the submitter. HN front page within an hour.
Apr 136:59 PM EST
Day 1 closes at 14,430 visits
Largest single-day total in anchor.host history — at the time.
Apr 141:31 PM EST
TechCrunch picks it up
Zack Whittaker writes a dedicated article — drives the peak day at 19,715 visits.
Visits per hour · April 12 → April 28 EST
peak 19,715 · floor 180 · 17 hrs shown
HN front page · Apr 13 ↓ TechCrunch · Apr 14 ↓ 2,000 1,000 500
Apr 12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
April 2026 (EST)
By Platform

Where the traffic actually came from

Hacker News drove a quarter of all visits — but unlike most viral runs, direct visits dominated at 46%, the result of dozens of news outlets, plugin vendors, and WordPress communities pasting the link directly. The European tech press (Golem, t3n, BFM, Meneame) and Japanese outlets (JPCERT, Gigazine) carried the story aggressively.

Y Hacker News
Apr 13 · 9:14 AM EST
"Someone bought 30 WordPress plugins and planted a backdoor in all of them" — front page
1,194
Points
341
Comments
15,786
Visits driven
25%
Of all traffic
Submitted by speckx · item 47755629 · also reached hckrnews.com · news.hada.io (Korean HN) · brutalist.report
𝕏 X / Twitter
Apr 9 · 9:12 AM EST
@austinginder posts the original writeup — sat for 4 days before HN found it
17.2K
Views
84
Likes
59
Reposts
239
Visits via t.co
14 replies · 55 bookmarks · the X share alone barely moved traffic — but pinned the source for everyone who later searched for it
r/ Reddit · r/Wordpress
Apr 13 · 1:35 AM EST
First on Reddit — 8 hours before HN, in the right community
388
Upvotes
99%
Upvote ratio
89
Comments
302K
Subscribers
Posted by Key-Refrigerator3774 · the day's first amplifier
r/ Reddit · r/woocommerce
Apr 13 · 4:42 AM EST
Cross-posted to the e-commerce niche
53
Upvotes
97%
Upvote ratio
12
Comments
47K
Subscribers
Posted by shiftification · combined Reddit referrals: ~2,420 visits
The Long Tail

Top referrers — the press wave is the story

Thirty-plus sources sent meaningful traffic. European tech press dominated the long tail: Golem.de (1,500 visits), t3n.de (1,080), BFM TV (503), Meneame (438) — TechCrunch alone is buried in the 'direct' bucket because Apple News, RSS readers, and email forwards strip referrers. The YouTube video on this story drove 1,431 visits all by itself.

Referrer
Visits
01
(direct / no referrer) · DMs, RSS, link previews, Apple News
28,547
02
news.ycombinator.com · Hacker News
15,786
03
www.google.com · search
1,818
04
www.golem.de · German tech news
1,501
05
www.reddit.com
1,452
06
www.youtube.com · video coverage of the story
1,431
07
t3n.de · German tech press
1,081
08
android-app://com.reddit.frontpage
930
09
statics.teams.cdn.office.net · Microsoft Teams shares
796
10
www.jpcert.or.jp · Japan CERT advisory
637
11
www.bfmtv.com · French TV / news
503
12
m.facebook.com · FB mobile
446
13
www.meneame.net · Spanish HN-equivalent
438
14
l.facebook.com · FB link wrapper
400
15
lm.facebook.com · FB Lite
363
16
www.techradar.com · covered the story
346
17
app.usepanda.com · designer news reader
320
18
gigazine.net · Japanese tech blog
265
19
t.co · X / Twitter
239
20
www.linkedin.com
220
21
android-app://com.google.android.gm · Gmail
204
22
l.threads.com · Meta Threads
204
23
hckrnews.com · HN aggregator
194
24
mainwp.com · WP plugin vendor
190
25
android-app://com.slack
181
26
go.bsky.app · Bluesky
170
27
dou.ua · Ukrainian dev community
159
28
news.hada.io · Korean HN
156
29
facebook.com
143
30
mail.google.com · Gmail web
133
In the Replies

Notable comments along the way

The HN thread quickly pivoted to a broader supply-chain anxiety — npm dependencies, cryptocurrency-funded attacks, and the FAIR decentralized package manager all came up. The dev community sees this as an inflection point, not an outlier.

B
bradley13
news.ycombinator.com · 18 replies
HN
Whenever I look at a web project, it starts with "npm install" and literally dozens of libraries get downloaded. The project authors probably don't even know what libraries their project requires, because many of them are transitive dependencies. There is zero chance that they have checked those libraries for supply chain attacks.
news.ycombinator.com · 18 replies
C
chromacity
news.ycombinator.com · 22 replies (top thread)
HN
We've built our existing tech stacks and corporate governance structures for a different era. If you want to credit one specific development for making things dramatically worse, it's cryptocurrencies — they monetize attacks that previously had no profit motive.
news.ycombinator.com · 22 replies (top thread)
I
iugtmkbdfil834
news.ycombinator.com
HN
The prevailing wisdom has thus far been: "don't re-invent the wheel". I am absolutely not suggesting everyone should be rolling their own crypto, but there must be a healthy middle ground between that and a library that lets you pick font color.
news.ycombinator.com
S
spankalee
news.ycombinator.com · fair.pm
HN
I really wish that the FAIR package manager project had been successful. FAIR has a very interesting architecture, inspired by atproto, that I think has the potential to mitigate some of the supply-chain attacks we've seen recently. There's no central package repository — anyone can run one.
news.ycombinator.com · fair.pm
Audience

Who actually showed up

More desktop than phone for this one — sysadmins and developers reading at work. Germany #2 by country (driven by the Golem.de + t3n coverage), and Japan #5 thanks to JPCERT + Gigazine.

Top countries

  • 🇺🇸 United States 18,093 29.2%
  • 🇩🇪 Germany 6,762 10.9%
  • 🇬🇧 United Kingdom 3,992 6.4%
  • 🇨🇦 Canada 2,799 4.5%
  • 🇫🇷 France 2,179 3.5%
  • 🇮🇳 India 2,103 3.4%
  • 🇯🇵 Japan 1,963 3.2%
  • 🇦🇺 Australia 1,852 3.0%
  • 🇪🇸 Spain 1,809 2.9%
  • 🇳🇱 Netherlands 1,797 2.9%

Devices & browsers

  • 🖥️ Desktop51%
  • 📱 Phone49%
  • ▭ Tablet1%
  • Chrome59%
  • Safari24%
  • Firefox11%
  • Edge6%

For context: anchor.host averages ~2,186 visits per day over the prior 30 days. This single post brought in ~28× a normal day's site traffic over 17 days, with a peak of 19,715 visits in a single day on Apr 14 — the day TechCrunch published.