Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Hackers hijack WordPress sites to spread malware using fake CAPTCHA

Wordpress United States ClickFix Rapid7
WordPress logo on mobile.
  • Rapid7 uncovers large-scale WordPress hijacking campaign
  • Fake Cloudflare CAPTCHA tricks visitors into running malware
  • More than 250 sites compromised, including a US Senate candidate’s page

Cybercriminals are hijacking vulnerable WordPress websites left and right and turning them into launchpads for malware deployment, experts have warned.

Security researchers Rapid7 claim to have spotted an ongoing, automated, large-scale campaign that even affected an unnamed US Senate candidate.

As per the researchers, the crooks first scan the web for vulnerable WordPress websites. There can be a myriad of things, from default or poor admin login credentials to unpatched themes and WordPress plugins with widely available exploit solutions, that are being used to gain initial access.

Deploying an infostealer

The campaign likely started in December 2025 and has so far affected more than 250 websites around the world.

Once inside, the crooks would do their best not to raise any alarms. Nothing on the site actually gets changed - the only thing they do is add a fake Cloudflare CAPTCHA at first visit. This is such a common, usual practice these days that most people don’t think twice about it, they just complete the puzzle, confirm they’re not a robot, and go about their day.

But the manner in which users are asked to solve the CAPTCHA should be a huge red flag. Instead of clicking a box or sliding a slider, they are asked to copy and paste a command into Windows Run, in classic ClickFix fashion.

So, instead of proving they’re human, the visitors end up downloading and running malware themselves. In this case, an infostealer designed to exfiltrate login credentials, authentication cookies, cryptocurrency wallet information, and other sensitive data.

Rapid7 says the campaign is likely highly automated and doesn’t target any specific industry. Regional media outlets, small business websites, and even a US Senate candidate’s official webpage, were among the confirmed cases.

"The large-scale execution of the compromise across completely unrelated WordPress instances suggests a high level of automation by the threat actor and is likely part of an organized long-term criminal effort," Rapid7 said in its report.

Via The Register

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Zach Braff Forced To Speak Out After Facing Truly Bizarre Accusation
“Oh my God, this is not— we can’t put this on our podcast,” said hosts from I Need You Guys podcast.
Bored Panda
Bored Panda
Jimmy Kimmel on Trump being gifted an Olympic medal: ‘Yet another award he didn’t win’
Late-night hosts addressed Melania Trump’s women’s history month speech, Maga’s Iran messaging and the ongoing oil crisis
The Guardian - US
The Guardian - US
“Seems Cruel”: Detail Of Demi Moore’s SXSW Appearance Sparks Backlash Amid Concern Over Her Weight Loss
“I can’t imagine bright lights and photogs yelling and just general chaos is comfortable to be around for the tiny cutie,” wrote one user.
Bored Panda
Bored Panda
Andrew and Mandelson pictured in bathrobes with Epstein in first known photo of trio together
The newly uncovered image from the Epstein files shows the trio sitting around a wooden table
Evening Standard
Evening Standard
Florida woman goes on sushi date with Hinge match. Then they get to the restaurant—and he embarrasses her in front of everybody
First dates are bound to have some awkwardness. This one included maybe a little too much. One Florida woman thought she was in for a normal sushi date with a guy she met on Hinge. Instead, the evening spiraled into a series of increasingly baffling choices.
The Mary Sue
The Mary Sue
FDA Alert: Stop Using This Anti‑Choking Device Now
Image source: shutterstock.com
Kids Ain't Cheap
Kids Ain't Cheap
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.
Download on the AppStore Get it on Google Play