- Rapid7 uncovers large-scale WordPress hijacking campaign
- Fake Cloudflare CAPTCHA tricks visitors into running malware
- More than 250 sites compromised, including a US Senate candidate’s page
Experts have warned that cybercriminals are hijacking vulnerable WordPress websites left and right and turning them into launching pads for malware deployment.
Security researchers at Rapid7 claim to have detected an ongoing, automated, large-scale campaign that even affected an unnamed US Senate candidate.
According to the researchers, criminals first scan the web for vulnerable WordPress websites. Initial access can come from a wide variety of weaknesses, from default or weak administrator login credentials to unpatched themes and WordPress plugins with widely available exploits.
Deploying an information stealer
The campaign likely started in December 2025 and has so far affected more than 250 websites worldwide.
Once inside, the criminals do everything possible not to raise the alarm. Nothing is actually changed on the site; all they do is add a fake Cloudflare CAPTCHA on the first visit. CAPTCHAs are such a common sight nowadays that most people don’t think twice: they simply complete the puzzle, confirm that they are not a robot, and go on with their day.
But the way users are asked to solve the CAPTCHA should be a big red flag. Instead of clicking a box or sliding a slider, you’re asked to copy and paste a command into Windows Run, classic ClickFix style.
So instead of proving that they are human, visitors end up downloading and running malware themselves. In this case, the malware is a data stealer designed to extract login credentials, authentication cookies, cryptocurrency wallet information, and other sensitive data.
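For site owners checking their own pages, the lure described above can be flagged heuristically. The following is an added example, not code from Rapid7 or the original article: it scans a page's HTML for CAPTCHA wording combined with instructions to paste into Windows Run. The patterns and both sample pages are assumptions constructed for illustration, and because the fake CAPTCHA appears on the first visit, the HTML should be fetched as a first-time visitor.

```python
import re
from html.parser import HTMLParser

# Heuristic patterns chosen for this example (assumptions, not Rapid7 indicators).
CAPTCHA = re.compile(r"cloudflare|not\s+a\s+robot|verify\s+you\s+are\s+human", re.I)
RUN_STEP = re.compile(r"\bwin(?:dows)?(?:\s+key)?\s*\+\s*r\b|\bwindows\s+run\b|\brun\s+dialog\b", re.I)
PASTE_STEP = re.compile(r"\bctrl\s*\+\s*v\b|\bpaste\b", re.I)
CLIPBOARD = re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]")

class Splitter(HTMLParser):
    """Separate script source (including inline on* handlers) from visible text."""
    def __init__(self):
        super().__init__()
        self.in_script, self.script, self.text = False, [], []
    def handle_starttag(self, tag, attrs):
        self.in_script = self.in_script or tag == "script"
        self.script += [v for k, v in attrs if k.startswith("on") and v]
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        (self.script if self.in_script else self.text).append(data)

def assess(html):
    """Return the signals found in one fetched page and an overall verdict."""
    p = Splitter()
    p.feed(html)
    p.close()
    text, script = " ".join(p.text), "\n".join(p.script)
    s = {
        "captcha_wording": bool(CAPTCHA.search(text)),
        "run_dialog_step": bool(RUN_STEP.search(text)),
        "paste_step": bool(PASTE_STEP.search(text)),
        "clipboard_write": bool(CLIPBOARD.search(script)),
    }
    # A genuine CAPTCHA never sends the visitor to the Run dialog.
    s["lure"] = s["captcha_wording"] and s["run_dialog_step"] and (s["paste_step"] or s["clipboard_write"])
    return s

# Constructed samples; the command in the lure is a placeholder, not a real payload.
LURE_SAMPLE = """<div><h2>Cloudflare: verify you are human</h2>
<button onclick="navigator.clipboard.writeText(cmd)">I'm not a robot</button>
<ol><li>Press Windows + R</li><li>Press Ctrl + V</li><li>Press Enter</li></ol></div>
<script>var cmd = "PLACEHOLDER_COMMAND";</script>"""
BENIGN_SAMPLE = """<h1>Keyboard shortcuts</h1><p>Press Ctrl + V to paste text.</p>
<button onclick="navigator.clipboard.writeText(location.href)">Copy link</button>"""

if __name__ == "__main__":
    for name, page in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, assess(page))
```

The benign sample also writes to the clipboard and mentions pasting, which is why the verdict requires the CAPTCHA wording and the Run dialog step together rather than any single signal.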
Rapid7 says the campaign is likely highly automated and not targeted at any specific industry. Confirmed cases include regional media outlets, small business websites and even the official website of a US Senate candidate.
“The large-scale execution of the compromise on completely unrelated WordPress instances suggests a high level of automation on the part of the threat actor and is likely part of a long-term organized criminal effort,” Rapid7 said in its report.
Through The Registry




