Thousands of WordPress Sites Hacked in “ClickFix” Campaign

Hackers are actively breaching WordPress sites to install malicious plugins and distribute fake browser updates, which secretly conceal data-stealing software.

Since 2023, a campaign named ClearFake has infected compromised sites, displaying banners with fake browser updates. In 2024, a new variant emerged — ClickFix, mimicking error messages from software with seemingly integrated “fixes.” These so-called “fixes” trigger PowerShell scripts that download and install malware.

Recently, ClickFix has been used to create fake notifications in popular services such as Google Chrome, Google Meet, and Facebook. Additionally, hackers have replaced CAPTCHA prompts to deceive users into performing these “updates.”

Last week, GoDaddy reported that over 6,000 WordPress sites had been hacked to install fake plugins, used to deliver these fraudulent notifications. Security researcher Denis Sinegubko explained that the plugins disguise themselves as harmless, even copying the names of legitimate extensions such as Wordfence Security and LiteSpeed Cache.

The attackers also create plugins with fictitious names, including Universal Popup Plugin, SEO Booster Pro, and Custom CSS Injector. These plugins inject malicious JavaScript scripts into the websites’ HTML code, leading to the display of counterfeit notifications.

An analysis of web server logs reveals that hackers are using stolen administrator credentials for automated logins. The breach is executed through a single POST request, bypassing the standard login page, indicating the prior acquisition of login credentials.

While the cause of the data leak remains unclear, researchers speculate that the credentials may have been obtained through phishing attacks, brute-force methods, or malware. If site administrators detect fake notifications, it is strongly recommended they immediately review the plugin list, remove any suspicious entries, and change their passwords to unique ones.