ClickFix: Fake Update Scam Threatens 6,000 WordPress Sites

Post by monira444 »

In recent years, cyberattacks have evolved into increasingly sophisticated forms. A recent example of this scenario is ClickFix, a malware campaign that is compromising thousands of WordPress sites around the world by installing malicious plugins that masquerade as legitimate browser updates.

According to a survey by GoDaddy, this attack has already affected more than 6,000 websites in September 2024 alone and continues to be a growing threat to businesses of all sizes.

In this post, we explain how ClickFix operates, its implications for digital security, and the steps businesses should take to protect their online operations.

What is ClickFix and how does it work?
ClickFix is a variant of a scam already known as ClearFake, which uses fake browser update messages to infect systems with malware. The difference with ClickFix is that it takes advantage of the installation of fake plugins on WordPress sites to display these fraudulent messages.

These malicious plugins, which have harmless names like “Advanced User Manager” or “Quick Cache Cleaner”, look legitimate but actually contain malicious code that infects website visitors.

The plugins use JavaScript to inject code that simulates a browser error message, suggesting that the user needs to install an update to fix the problem. However, by clicking on the update, the visitor is actually downloading malware, such as remote access trojans or information-stealing programs like Vidar Stealer and Lumma Stealer.

These malware programs are designed to collect sensitive data such as login credentials and banking information.

One notable aspect of the ClickFix campaign is the way the attackers gain access to WordPress sites. Rather than exploiting vulnerabilities in WordPress itself, they use stolen credentials to log into sites as legitimate administrators.

This highlights the importance of robust security practices, such as strong passwords and two-factor authentication, to prevent these breaches from occurring.
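
Because the plugins are installed through a legitimate administrator login, a site owner can look for them by auditing the plugin directory itself. The following is an added example, not part of the original post: it reads the `Plugin Name:` header of each installed plugin and flags the two names the post mentions, plus anything missing from the owner's own inventory. The approved list and the sample directory tree are assumptions constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Names the post gives as examples of fake plugins used by the campaign.
NAMED_IN_POST = {"advanced user manager", "quick cache cleaner"}
# WordPress identifies a plugin by a "Plugin Name:" header near the top of a PHP file.
HEADER = re.compile(r"^[ \t/*#@]*Plugin Name:(.*)$", re.I | re.M)

def installed_plugins(plugins_dir):
    """Yield (relative path, name) for plugin headers in the directory and one level below."""
    root = Path(plugins_dir)
    for php in sorted(list(root.glob("*.php")) + list(root.glob("*/*.php"))):
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        m = HEADER.search(head)
        if m:
            yield str(php.relative_to(root)), m.group(1).strip()

def audit(plugins_dir, approved):
    """Return findings: plugins named in the post, and plugins nobody approved."""
    approved = {a.lower() for a in approved}
    findings = []
    for path, name in installed_plugins(plugins_dir):
        if name.lower() in NAMED_IN_POST:
            findings.append((path, name, "name listed in the post"))
        elif name.lower() not in approved:
            findings.append((path, name, "not in approved inventory"))
    return findings

def build_sample_tree(root):
    """Constructed sample plugins directory, for demonstration only."""
    samples = {
        "akismet/akismet.php": "<?php\n/**\n * Plugin Name: Akismet Anti-spam\n */\n",
        "quick-cache-cleaner/index.php": "<?php\n/*\nPlugin Name: Quick Cache Cleaner\n*/\n",
        "seo-tools/seo.php": "<?php\n/*\n Plugin Name: Site SEO Tools\n*/\n",
        "seo-tools/helper.php": "<?php\n// no plugin header here\n",
    }
    for rel, body in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in audit(tmp, approved={"Akismet Anti-spam"}):
            print(finding)
```

The post presents the two names only as examples, so the inventory comparison is the more useful signal: any plugin the administrators did not install themselves deserves a look, whatever it is called.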