Over 6,000 WordPress Sites Hacked to Install Plugins Pushing Infostealers: The ClearFake and ClickFix Campaigns

🎧 Listen to Our Podcast on Your Favorite Platforms! 🎧

Subscribe:  Youtube | Spotify | Amazon 

The WordPress ecosystem has seen a significant increase in cyber threats in recent years. The alarming breach of over 6,000 WordPress sites is a recent example, underscoring the urgent need for enhanced website security. Two malware campaigns, ClearFake and ClickFix, are central to this attack, which injects harmful plugins that display fake system errors and software update prompts to lure unsuspecting users into installing malware.

This article provides an in-depth look at these hacking campaigns, explores the methods threat actors use to deploy malware, and offers actionable steps for WordPress site owners to protect their sites.


Table of Contents

  1. The Rise of Infostealers in WordPress
  2. ClearFake: The First Wave of Fake Browser Update Malware
  3. Introduction of ClickFix: Evolving the Threat
  4. How ClickFix Mimics System Errors
  5. How Threat Actors Exploit WordPress Plugin Vulnerabilities
  6. The Role of Malicious Plugins in ClearFake and ClickFix
  7. The Malicious Plugin List
  8. Using Binance Smart Chain for Script Injection
  9. Automated Site Breaches Using Stolen Credentials
  10. Steps to Detect and Remove Malicious Plugins
  11. Impact on Website Owners and Users
  12. How WordPress Security Firms Are Responding
  13. The Role of GoDaddy Security in Tackling ClickFix
  14. Preventive Measures for WordPress Site Owners
  15. Resetting Passwords and Strengthening Login Security
  16. How Technijian Can Help Protect WordPress Sites
  17. Conclusion: Building a More Secure WordPress Environment
  18. Frequently Asked Questions (FAQ)

1. The Rise of Infostealers in WordPress

Information-stealing malware, or infostealers, are notorious for their ability to extract sensitive data like login credentials, payment information, and personal identification details. These data breaches have escalated globally, especially with the popularity of open-source platforms like WordPress.


2. ClearFake: The First Wave of Fake Browser Update Malware

The ClearFake campaign, first noted in 2023, targeted WordPress sites by displaying fake browser update notifications. Once a user engaged with these prompts, they inadvertently installed infostealers designed to steal browser-stored data.


3. Introduction of ClickFix: Evolving the Threat

In 2024, a new campaign named ClickFix surfaced, utilizing similar tactics to ClearFake but with an added level of sophistication. Instead of browser updates, ClickFix exploits fake system errors and software issues that appear to offer “fixes.” However, these so-called fixes are PowerShell scripts that deliver malicious software, ultimately compromising user data.


4. How ClickFix Mimics System Errors

ClickFix overlays emulate error messages in popular software interfaces, such as Google Chrome, Google Meet, Facebook, and even CAPTCHA forms. These overlays appear legitimate, prompting users to download a solution that, in reality, contains malware.


5. How Threat Actors Exploit WordPress Plugin Vulnerabilities

Threat actors have developed techniques to exploit vulnerabilities within WordPress plugins, creating malicious plugins that mimic legitimate software. Often named similarly to popular plugins, these are embedded with scripts that install infostealers under the guise of updates or functionality enhancements.


6. The Role of Malicious Plugins in ClearFake and ClickFix

According to cybersecurity research, compromised WordPress plugins serve as the primary vehicle for distributing ClearFake and ClickFix malware. GoDaddy’s security team has reported that the threat actors are installing these malicious plugins to display fake alerts. These fake plugins resemble well-known names to avoid detection by administrators.


7. The Malicious Plugin List

Below is a list of plugins identified as malicious in this campaign. They masquerade as legitimate plugins to fool site administrators:

  • LiteSpeed Cache Classic
  • MonsterInsights Classic
  • Wordfence Security Classic
  • Search Rank Enhancer
  • SEO Booster Pro
  • Quick Cache Cleaner
  • Admin Bar Customizer

8. Using Binance Smart Chain for Script Injection

One of the more sophisticated tactics employed by the threat actors involves injecting JavaScript stored on the Binance Smart Chain (BSC). When users visit a compromised website, the JavaScript loads from the BSC, triggering either ClearFake or ClickFix overlays.


9. Automated Site Breaches Using Stolen Credentials

The attackers have streamlined the hacking process by automating logins using previously stolen credentials. This allows them to bypass the WordPress login page and directly access the backend via a single POST request, then install the malicious plugin.


10. Steps to Detect and Remove Malicious Plugins

  1. Review Installed Plugins: Regularly check the plugins in use on your WordPress site. Look out for any unfamiliar plugins.
  2. Update Passwords: Immediately change all admin passwords if a breach is suspected.
  3. Audit User Roles: Limit admin access and use two-factor authentication for additional security.
  4. Use Security Plugins: WordPress security plugins can alert you to changes in your site files.

11. Impact on Website Owners and Users

For site owners, these attacks can lead to reputational damage, lost traffic, and potentially financial losses due to penalties or fines for data exposure. Users risk having their sensitive information stolen, which can lead to identity theft and financial fraud.


12. How WordPress Security Firms Are Responding

Organizations like GoDaddy Security and Sucuri are actively monitoring these threats. Their efforts include tracking malware variants, providing guides for users to remove malware, and educating the public about best practices to keep websites secure.


13. The Role of GoDaddy Security in Tackling ClickFix

GoDaddy’s security team has been instrumental in exposing the methods used in the ClickFix campaign, from tracking the installation of malicious plugins to analyzing web server logs that reveal patterns of malicious activity.


14. Preventive Measures for WordPress Site Owners

WordPress users should take the following preventive measures:

  • Regularly update both WordPress and installed plugins.
  • Use reputable plugins and only download them from trusted sources.
  • Set up real-time monitoring to detect unauthorized file changes.

15. Resetting Passwords and Strengthening Login Security

The use of strong, unique passwords, two-factor authentication, and other login security protocols can prevent unauthorized access. Implementing these basic security steps can be instrumental in mitigating the risk posed by campaigns like ClickFix.


16. How Technijian Can Help Protect WordPress Sites

Technijian offers a comprehensive suite of cybersecurity services tailored for WordPress sites, ensuring robust protection against threats like ClearFake and ClickFix. Technijian’s experts specialize in malware removal, security monitoring, and vulnerability assessment. Partnering with Technijian can help site owners mitigate risks, proactively detect threats, and establish a fortified defense against future attacks.


17. Conclusion: Building a More Secure WordPress Environment

The clear rise in malware campaigns targeting WordPress sites underscores the need for vigilant, proactive security practices. By understanding the threat landscape, adopting preventive measures, and working with specialized security providers like Technijian, WordPress users can safeguard their sites and provide a secure experience for visitors.


Frequently Asked Questions (FAQ)

1. What are ClearFake and ClickFix?

ClearFake and ClickFix are malware campaigns targeting WordPress sites. ClearFake displays fake browser updates, while ClickFix uses simulated error messages to trick users into downloading malicious software.

2. How do these campaigns exploit WordPress plugins?

These campaigns use malicious plugins that mimic popular plugins, often with similar names, to avoid detection by site administrators. They are installed to display fake alerts.

3. What is the role of Binance Smart Chain in these attacks?

The attackers use Binance Smart Chain to host malicious JavaScript, which is then injected into compromised WordPress sites, facilitating the display of fake update or error banners.

4. How can I detect if my WordPress site has been compromised?

Monitor your site’s plugins, perform regular security scans, check server access logs, and look for any suspicious activity. Reset passwords immediately if you suspect a breach.

5. What immediate actions should I take if my site is affected?

Remove unknown plugins, reset all admin passwords, and scan for malicious files. Enable two-factor authentication to bolster security.

6. How can Technijian help with these threats?

Technijian provides malware removal, continuous security monitoring, and threat prevention services specifically for WordPress. Their expertise can help prevent, detect, and eliminate threats like ClearFake and ClickFix.

About Technijian

Technijian stands at the forefront of managed IT services in Orange County, delivering dynamic solutions that empower businesses to stay competitive in an ever-evolving digital world. Based in Irvine, we proudly serve companies across Irvine, Anaheim, Riverside, San Bernardino, and Orange County with solutions that ensure seamless, secure, and scalable IT environments.

Our position as a trusted managed service provider in Irvine is built on our commitment to excellence and client-focused service. Whether you need IT support in Irvine or IT consulting in San Diego, our team of experts is equipped to align your technology with your business goals. We bring deep expertise in IT support in Orange County, managed IT services in Anaheim, IT infrastructure management, and IT outsourcing services, allowing you to focus on growth while we manage your technology needs.

At Technijian, we specialize in comprehensive, customizable managed IT solutions for businesses of all sizes. From cloud services and IT systems management to business IT support and network management, our services are crafted to enhance efficiency, protect data, and ensure robust IT security. With dedicated support across Riverside, San Diego, and Southern California, we’re here to keep your business operating smoothly and securely.

Our proactive approach includes disaster recovery, IT help desk support, and IT security services to safeguard your operations and minimize downtime. We offer a comprehensive range of services that adapt to your business, including IT support in Riverside, IT solutions in San Diego, and IT security solutions in Orange County—so your operations remain resilient, agile, and prepared for the future.

With Technijian, you gain more than just an IT partner—you gain a strategic ally committed to optimizing your IT performance and helping you thrive. Experience the Technijian advantage today with tailored IT consulting services, IT support services in Orange County, and managed IT services in Irvine that meet the demands of modern business.

6,000 WordPress Sites Hacked to Install Plugins Pushing
Technijian
Over 6,000 WordPress Sites Hacked to Install Plugins Pushing Infostealers
Loading
/

Ravi JainAuthor posts

Technijian was founded in November of 2000 by Ravi Jain with the goal of providing technology support for small to midsize companies. As the company grew in size, it also expanded its services to address the growing needs of its loyal client base. From its humble beginnings as a one-man-IT-shop, Technijian now employs teams of support staff and engineers in domestic and international offices. Technijian’s US-based office provides the primary line of communication for customers, ensuring each customer enjoys the personalized service for which Technijian has become known.

Comments are disabled.