Hackers infect thousands of WordPress sites with malware plugins

Ostensibly a blogging platform, WordPress has quietly become one of the foundational pillars of the modern web, used as the basic format for millions of websites run by single users to massive corporations. But that ubiquity has made WordPress an easy target for hackers and scammers.

Web hosting and service provider GoDaddy reports that a new infection is spreading quickly across WordPress implementations, loading up plugins that present users with fake Chrome messages that trick visitors into downloading and installing malware.

Over 6,000 WordPress-based sites have been loaded up with these bogus plugins, which might also appear as messages from Facebook, Google Meet, or Captcha verification pages.

The “ClearFake” system has been around since at least 2023, according to BleepingComputer, but a new variant called “ClickFix” is spreading via a series of malicious plugins. These plugins have innocuous names like “Google SEO Enhancer” and “Quick Cache Cleaner,” the kind of thing that might attract anyone who’s trying to optimize their website for more traffic or better performance.

But it might not even be a matter of spreading the fake plugins. GoDaddy’s research indicates that at least some infections come from stolen administrator logins and automated installation tools. It would be easy enough to toss a database of compromised logins and passwords at a decently popular WordPress site and see if you can get in.

If you’re using WordPress as a base for a website, make sure your administrator accounts are using strong and unique passwords, and maybe give your plugins a once-over. If you’re just a regular user who browses the web, remember to be on the lookout for bogus installation messages and scary-sounding warnings, and never trust any download prompt that randomly pops up as you’re browsing.