Ostensibly a blogging platform, WordPress has quietly become one of the foundational pillars of the modern web, used as the basic format for millions of websites run by single users to massive corporations. But that ubiquity has made WordPress an easy target for hackers and scammers.
Web hosting and service provider GoDaddy reports that a new infection is spreading quickly across WordPress implementations, loading up plugins that present users with fake Chrome messages that trick visitors into downloading and installing malware.
Over 6,000 WordPress-based sites have been loaded up with these bogus plugins, which might also appear as messages from Facebook, Google Meet, or Captcha verification pages.
The “ClearFake” system has been around since at least 2023, according to BleepingComputer, but a new variant called “ClickFix” is spreading via a series of malicious plugins. These plugins have innocuous names like “Google SEO Enhancer” and “Quick Cache Cleaner,” the kind of thing that might attract anyone who’s trying to optimize their website for more traffic or better performance.
But it might not even be a matter of spreading the fake plugins. GoDaddy’s research indicates that at least some infections come from stolen administrator logins and automated installation tools. It would be easy enough to toss a database of compromised logins and passwords at a decently popular WordPress site and see if you can get in.
If you’re using WordPress as a base for a website, make sure your administrator accounts are using strong and unique passwords, and maybe give your plugins a once-over. If you’re just a regular user who browses the web, remember to be on the lookout for bogus installation messages and scary-sounding warnings, and never trust any download prompt that randomly pops up as you’re browsing.
Author: Michael Crider, Staff Writer, PCWorld
Michael is a 10-year veteran of technology journalism, covering everything from Apple to ZTE. On PCWorld he’s the resident keyboard nut, always using a new one for a review and building a new mechanical board or expanding his desktop “battlestation” in his off hours. Michael’s previous bylines include Android Police, Digital Trends, Wired, Lifehacker, and How-To Geek, and he’s covered events like CES and Mobile World Congress live. Michael lives in Pennsylvania where he’s always looking forward to his next kayaking trip.
Recent stories by Michael Crider:
You can now report fake reviews to the FTCFacebook and Instagram bring back facial recognition to ‘protect people’YouTube is testing a cheaper ‘Premium Lite’ plan… that still has ads