The Fake Cloudflare CAPTCHA That’s Installing Malware on Your Computer

A social engineering attack is spreading fast — and it’s targeting WordPress sites and their visitors.

What is ClickFix?

ClickFix is a type of social engineering attack where cybercriminals display a convincing fake CAPTCHA page — styled to look exactly like a Cloudflare verification screen — and trick users into executing malicious commands on their own computers.

The attack is deceptively simple and increasingly common. Multiple websites I’ve reviewed during security audits in 2025 have been injected with this technique.

How the Attack Works (Step by Step)

**Step 1: A WordPress site gets hacked.**

The attacker finds a vulnerability — an outdated plugin, weak credentials, or an unpatched theme — and injects a malicious JavaScript snippet into the site’s code.

**Step 2: A fake CAPTCHA popup appears.**

Every visitor to the compromised site now sees a popup using the Cloudflare orange/white color scheme, the Cloudflare logo, and professional-looking text: “Verifying you are human. This may take a few seconds.”

**Step 3: The user is given “verification steps.”**

The popup instructs the visitor to:

1. Press Win+X to open PowerShell/Terminal as Administrator

2. Paste a “verification code” (already copied to their clipboard by the malicious script)

3. Press Enter

**Step 4: Malware is silently executed.**

That “verification code” is a PowerShell command that connects to a remote server and downloads malware — typically an infostealer, a Remote Access Trojan (RAT), or ransomware — all without triggering a browser warning.

Why It Works So Well

– Cloudflare’s real CAPTCHA is a trusted, familiar interface

– Non-technical users don’t question system prompts that look “official”

– The clipboard is pre-loaded — there’s no suspicious URL visible

– PowerShell commands run at system level, bypassing many browser protections

How to Protect Yourself (As a User)

The golden rule: No legitimate website will ever ask you to open PowerShell or Terminal.

– If you see this popup: close the tab immediately

– Never paste clipboard content into PowerShell unless you know exactly what it contains

– If you already ran the command: disconnect from the internet and run a full antivirus scan

– Report the website to Google Safe Browsing: safebrowsing.google.com/safebrowsing/report_phish/

How to Protect Your WordPress Site (As a Site Owner)

If your site is showing this popup to visitors, your site has been compromised. Here’s what to do immediately:

1. **Run a malware scan** — Wordfence, Sucuri SiteCheck, or MalCare

2. **Check for injected scripts** — Review functions.php, header.php, and any recently modified files

3. **Update everything** — WordPress core, all plugins, all themes

4. **Change all credentials** — Admin passwords, FTP, hosting panel, database

5. **Enable a WAF** — Cloudflare (the real one) or Sucuri can block many injection attempts

6. **Harden your site** — Disable file editing, limit login attempts, use two-factor authentication
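As an added, defender-side example (not code from the original post or from any of the tools named above), here is a small Python heuristic for step 2: it scans theme and plugin files for the traits this post describes in an injected snippet, namely clipboard pre-loading, the fake “verifying you are human” wording, and common obfuscation wrappers. The indicator patterns and the two sample file contents are constructed assumptions for demonstration, not real captured malware.

```python
import re
from pathlib import Path

# Indicators of a ClickFix-style injection: clipboard pre-loading, fake-CAPTCHA
# wording, obfuscation wrappers, remote script tags. Assumed starting heuristic only.
INDICATORS = {
    "clipboard_write": re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy", re.I),
    "fake_captcha_text": re.compile(r"verify(ing)? you are human|checking your browser", re.I),
    "obfuscation": re.compile(r"\b(eval|atob|unescape|String\.fromCharCode)\s*\(", re.I),
    "remote_script": re.compile(r"<script[^>]+src=[\"']https?://", re.I),
}

def scan_text(text: str) -> list[str]:
    """Return the names of all indicators found in one file's contents."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def risk_score(hits: list[str]) -> int:
    """One point per indicator; clipboard writing plus CAPTCHA wording is the
    ClickFix signature described in the post, so that pairing is weighted extra."""
    score = len(hits)
    if "clipboard_write" in hits and "fake_captcha_text" in hits:
        score += 3
    return score

def scan_dir(root: Path, exts=(".php", ".js", ".html")) -> dict[str, list[str]]:
    """Walk a WordPress install (e.g. wp-content) and report files with any hit."""
    findings = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            hits = scan_text(path.read_text(errors="ignore"))
            if hits:
                findings[str(path)] = hits
    return findings

# Constructed samples for demonstration (not real captured malware): a clean
# header.php and one carrying an injected fake-CAPTCHA script.
CLEAN_HEADER = '<?php wp_head(); ?>\n<script src="/wp-content/themes/x/js/menu.js"></script>'
INJECTED_HEADER = (
    "<?php wp_head(); ?>\n<script>"
    "document.body.innerHTML += '<div>Verifying you are human. This may take a few seconds.</div>';"
    "navigator.clipboard.writeText(atob(payloadB64));"
    "</script>"
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_HEADER), ("injected", INJECTED_HEADER)):
        hits = scan_text(sample)
        print(f"{label}: score={risk_score(hits)} hits={hits}")
```

Run `scan_dir` against a copy of your wp-content directory and manually review any file that scores on both clipboard writing and CAPTCHA wording; a match is a lead for the review in step 2, not proof of compromise on its own.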

If you’re unsure, reach out to a WordPress security specialist. The cleanup is straightforward if caught early.