Hackers hijack WordPress sites to spread malware using fake CAPTCHA

2026-03-11 18:15

A ClickFix attack can come in all shapes and sizes, including through compromised WordPress websites.

By Sead Fadilpašić, published 11 March 2026

  • Rapid7 uncovers large-scale WordPress hijacking campaign
  • Fake Cloudflare CAPTCHA tricks visitors into running malware
  • More than 250 sites compromised, including a US Senate candidate’s page

Cybercriminals are hijacking vulnerable WordPress websites left and right and turning them into launchpads for malware deployment, experts have warned.

Security researchers Rapid7 claim to have spotted an ongoing, automated, large-scale campaign that even affected an unnamed US Senate candidate.

According to the researchers, the crooks first scan the web for vulnerable WordPress websites. Initial access can come from a myriad of weaknesses, from default or poor admin login credentials to unpatched themes and WordPress plugins for which exploits are widely available.

Deploying an infostealer

The campaign likely started in December 2025 and has so far affected more than 250 websites around the world.

Once inside, the crooks would do their best not to raise any alarms. Nothing else on the site actually gets changed; the only thing they do is add a fake Cloudflare CAPTCHA that appears at first visit. CAPTCHA prompts are so common these days that most people don’t think twice about them: they just complete the puzzle, confirm they’re not a robot, and go about their day.

But the manner in which users are asked to solve the CAPTCHA should be a huge red flag. Instead of clicking a box or sliding a slider, they are asked to copy and paste a command into Windows Run, in classic ClickFix fashion.

So, instead of proving they’re human, the visitors end up downloading and running malware themselves: in this case, an infostealer designed to exfiltrate login credentials, authentication cookies, cryptocurrency wallet information, and other sensitive data.
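Because the lure depends on the visitor pasting a command into Windows Run, the per-user Run history (the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) is a natural place for responders to look afterwards. The following triage sketch is an added example, not code from Rapid7 or the article; the sample entries are constructed and the matching heuristics are assumptions chosen for illustration.

```python
import re

# Constructed RunMRU-style values (value name -> data); not taken from the report.
# Windows appends "\1" to each command it stores from the Run dialog.
SAMPLE_RUNMRU = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": "verifier\\1",  # Driver Verifier: benign, but contains "verif"
    "c": 'powershell -w hidden -c "<placeholder>" # I am not a robot: Cloudflare verification\\1',
    "d": "mshta https://example.invalid/a.hta\\1",
    "e": "cmd\\1",
}

# Heuristics below are assumptions for illustration, not indicators from Rapid7.
INTERPRETER = re.compile(
    r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|curl|msiexec|rundll32|regsvr32|certutil)(\.exe)?\b",
    re.I)
SIGNALS = {
    "fetches remote URL": re.compile(r"https?://", re.I),
    "hidden window": re.compile(r"-w\w*\s+(?:hidden|h)\b", re.I),
    "verification-themed text": re.compile(r"captcha|robot|verif|cloudflare", re.I),
}

def triage_runmru(values):
    """Return [(value_name, command, [reasons])] for entries worth an analyst's look."""
    findings = []
    for name in sorted(values):
        if name == "MRUList":          # ordering metadata, not a command
            continue
        command = values[name].removesuffix("\\1")
        if not INTERPRETER.search(command):
            continue                   # lure words alone (e.g. "verifier") are not enough
        reasons = [label for label, rx in SIGNALS.items() if rx.search(command)]
        if reasons:                    # bare "cmd" or "powershell" is normal admin use
            findings.append((name, command, reasons))
    return findings

if __name__ == "__main__":
    for name, command, reasons in triage_runmru(SAMPLE_RUNMRU):
        print(f"[{name}] {command}\n     -> {', '.join(reasons)}")
```

A hit is a lead for an analyst rather than a verdict: the Run history only records what was typed or pasted, so confirm against process-creation and network telemetry from the same host.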

Rapid7 says the campaign is likely highly automated and doesn’t target any specific industry. Regional media outlets, small business websites, and even a US Senate candidate’s official webpage, were among the confirmed cases.

"The large-scale execution of the compromise across completely unrelated WordPress instances suggests a high level of automation by the threat actor and is likely part of an organized long-term criminal effort," Rapid7 said in its report.

Via The Register
