OptinMonster Tampered Script Incident


What happened

OptinMonster has disclosed a security incident in which an attacker briefly served a tampered version of the JavaScript file that OptinMonster embeds on customer sites. The malicious file was delivered from OptinMonster’s CDN for a few hours on June 12, 2026 (UTC). OptinMonster’s account and customer-data systems were not breached; the issue was limited to the script delivered to sites.

How this could affect your site

A site could only be affected if both of these were true during that window:

  1. OptinMonster was active on the site, and
  2. A WordPress administrator was logged in while a page loaded.

The malicious code only ran for logged-in admins. When it ran, it attempted to create a hidden administrator account and install a concealed backdoor plugin that could give an attacker control of the site. Regular visitors to your site were never at risk, and no visitor or customer data was targeted by this.

What we’re doing

A small number of our client sites use OptinMonster. We are reviewing each of those sites directly — checking the server filesystem and running server-side scans, since the backdoor is designed to hide from the WordPress dashboard.

As of now, we have found no indication that any of our clients’ sites were affected. We are reaching out individually to the clients who use OptinMonster, and we will follow up directly if anything changes.
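The filesystem review described above can be sketched as follows. This is an added example, not code from OptinMonster or from our actual tooling: it reads the plugin directories straight from disk, so nothing hidden from the dashboard is skipped, and flags entries that are missing from a known-good list or were changed on or after the incident date. The baseline set, the `example-unknown` plugin name and the choice of 00:00 UTC on June 12, 2026 as the cutoff are assumptions.

```python
import os
import tempfile
from datetime import datetime, timezone

# Assumed cutoff: start of the incident date given in this notice (UTC).
WINDOW_START = datetime(2026, 6, 12, tzinfo=timezone.utc).timestamp()

def newest_mtime(path):
    """Newest modification time of a file, or of anything under a directory."""
    newest = os.lstat(path).st_mtime
    for root, dirs, files in os.walk(path):
        for name in dirs + files:
            newest = max(newest, os.lstat(os.path.join(root, name)).st_mtime)
    return newest

def audit_plugins(wp_content, baseline, since=WINDOW_START):
    """List plugin entries on disk that need review, with the reasons.

    baseline: entries you expect, e.g. from your own deployment records."""
    findings = []
    for sub in ("plugins", "mu-plugins"):
        base = os.path.join(wp_content, sub)
        if not os.path.isdir(base):
            continue
        for entry in sorted(os.listdir(base)):
            reasons = []
            if f"{sub}/{entry}" not in baseline:
                reasons.append("not in baseline")
            if newest_mtime(os.path.join(base, entry)) >= since:
                reasons.append("modified on or after window start")
            if reasons:
                findings.append((f"{sub}/{entry}", reasons))
    return findings

if __name__ == "__main__":
    # Constructed sample tree: one expected plugin with old timestamps and
    # one unexpected plugin (hypothetical name) written after the cutoff.
    with tempfile.TemporaryDirectory() as wp:
        for name, ts in (("optinmonster", WINDOW_START - 86400 * 30),
                         ("example-unknown", WINDOW_START + 3600)):
            d = os.path.join(wp, "plugins", name)
            os.makedirs(d)
            f = os.path.join(d, name + ".php")
            open(f, "w").close()
            os.utime(f, (ts, ts))
            os.utime(d, (ts, ts))
        for item, why in audit_plugins(wp, {"plugins/optinmonster"}):
            print(item, "->", ", ".join(why))
```

File timestamps can be rewritten by anyone with write access, so the baseline comparison is the stronger of the two signals and the modification time is only a hint.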

What you need to do

Nothing at this time. We are handling the verification on your behalf. If we find anything that requires attention on your site, we will contact you directly with specifics.

If you have any questions or notice anything unusual on your site, reach out to us anytime.