For businesses that use WordPress as their website platform, the impact of an attack like ClickFix can be devastating.
First, it compromises the security of visitors, which can cause irreparable damage to the company’s reputation. In addition, infected websites run the risk of being deindexed by search engines such as Google, since the malware can be detected by web security mechanisms. This affects the website’s SEO .
Another critical factor is information theft. Malware installed through ClickFix can capture sensitive data, such as banking information and passwords, from both website administrators and visitors. This data can then be sold on the dark web or used directly by cybercriminals for more targeted fraud and attacks.
Furthermore, removing malware of this type can be complex and expensive, requiring not only a website cleanup but also security audits and, in many cases, a partial or complete rebuild of the company's online environment.
website creation or optimization
How does ClickFix spread?
ClickFix’s modus operandi involves installing fake plugins on student data compromised WordPress sites. These plugins are loaded directly into the site’s header section via the legitimate wp_enqueue_scripts action, which allows scripts and styles to be added to WordPress pages.
Although this function is widely used for benign purposes, cybercriminals manipulate it to load malicious scripts.
Fake plugins use names that are similar to legitimate plugins, such as “Google SEO Enhancer” or “LiteSpeed Cache Classic.” This similarity makes it difficult for administrators without cybersecurity expertise to distinguish between legitimate and malicious plugins.
Researchers at GoDaddy, one of the world's largest hosting companies , have identified that the cybercriminals behind ClickFix also use smart contracts and blockchain to hide the malicious code and distribute the payloads, making it even harder to detect and remove the infected plugins.
Automation is another aspect that facilitates the rapid spread of this campaign. Attackers use automated scripts to install the fake plugins on compromised websites, which explains the speed with which ClickFix spread in September 2024.
Preventative measures for WordPress websites
Businesses that use WordPress as the foundation of their online operations need to take strict preventative measures to avoid falling victim to campaigns like ClickFix. Below are some best practices.