Visitors hit a fake “Verify you are human” or Cloudflare check on your site that you never added — and it tricks them into running malware or clicking “Allow” for endless push-notification spam. This is the ClickFix / fake-CAPTCHA attack. We find the injected code, remove the overlay, close the backdoor, and stop your site from being used against the people who trust it.
Last updated: June 2026 · Reviewed by the FixHackedWordPress malware response team
What Visitors Are Seeing
Fix-First, Pay-Later Guarantee
We remove the fake CAPTCHA first. If we can’t secure your site, you pay nothing.
Quick Answer
The fake CAPTCHA hack injects a counterfeit “verify you are human” overlay — usually mimicking Google reCAPTCHA or Cloudflare Turnstile, right down to a fake Ray ID — onto your WordPress site. It doesn’t actually verify anything. Instead it uses ClickFix social engineering: the visitor is told to press Win+R, paste, and hit Enter, which silently runs a PowerShell command the page copied to their clipboard, installing info-stealing malware. A second variant simply gets visitors to “click Allow,” hijacking browser notifications to flood them with spam.
Crucially, the rest of your site often looks untouched — attackers change as little as possible to stay hidden, frequently triggering only on the first visit. Removal means finding the obfuscated injected code (in plugin/theme files, the database, or injected scripts), deleting the overlay, and closing the backdoor so it can’t be re-added. If your site instead forcibly redirects visitors, see our redirect malware removal or mobile redirect pages.
ClickFix
Tricks visitors into running malware
First-visit
Often shows once per browser, making it hard to reproduce
Your brand
Weaponized against your own visitors
$0
If we can’t fix it
Two Ways It Attacks
The overlay looks identical to a real bot check, which is exactly why it works. Behind it sits one of two payloads — and we remove both kinds.
Mode 1 — ClickFix
The page silently copies a malicious command to the visitor’s clipboard, then walks them through Win+R → Ctrl+V → Enter under the guise of “verification.” That command downloads and runs an info-stealer that grabs passwords, session cookies, and crypto wallets. The victim infects themselves — no exploit needed — which is why it slips past traditional defenses.
Mode 2 — Push hijack
The fake check asks the visitor to “click Allow,” which actually grants browser push-notification permission. The attacker then spams that person’s device with scam and adult notifications long after they’ve left your site — damaging your brand and driving away repeat visitors.
A real CAPTCHA never asks you to open Run, paste a command, or allow notifications to prove you’re human. If yours does, it’s malware. Send us your URL to confirm.
These campaigns are built to be hard to reproduce and hard to scan for. Here’s where we look for the injected overlay and its trigger.
Payloads hidden in legitimate plugin or theme files using tricks like hex-to-decimal decoding that pull the overlay from a second file — designed to dodge simple base64 searches.
A script in header.php, footer.php, or a widget that loads the fake CAPTCHA from a remote domain, so the payload can change without touching your site again.
Encoded scripts stored in wp_options or post content that render the overlay sitewide without an obvious file change.
A cookie that shows the fake CAPTCHA only once per visitor — which is why you often can’t reproduce it and assume it’s gone when it isn’t.
A malicious plugin (sometimes named to look like security software) that injects the overlay and quietly maintains access.
Web shells and rogue admins that re-add the CAPTCHA after a partial cleanup — covered on our backdoor removal page.
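As an added example (not the service's own tooling), a small Python scanner that peels the encoding layers named above and flags the indicators a fake CAPTCHA overlay needs: a clipboard write, a Run-dialog lure, a notification prompt, counterfeit check text, and a first-visit cookie gate. Point it at theme/plugin files or a wp_options dump; the injected sample it checks is constructed here and is not a working payload.

```python
import base64
import re

# Indicator patterns a fake "verify you are human" overlay needs and a real
# CAPTCHA never uses (list constructed for this example).
INDICATORS = {
    "clipboard_write": r"clipboard\.writeText|execCommand\(\s*['\"]copy",
    "run_dialog_lure": r"Win\s*\+\s*R|Ctrl\s*\+\s*V",
    "notification_prompt": r"Notification\.requestPermission",
    "fake_check_text": r"verify you are human|Ray ID",
    "first_visit_cookie": r"document\.cookie\s*(?:\.indexOf|\.includes|=)",
}

def _b64(m):
    try:
        return base64.b64decode(m.group(1)).decode("latin-1")
    except Exception:
        return m.group(0)  # not valid base64, leave it untouched

def decode_layers(src: str, max_rounds: int = 3) -> str:
    """Peel String.fromCharCode(), \\xNN escapes and atob() layers so the
    indicators become visible to a plain text search."""
    out = src
    for _ in range(max_rounds):
        before = out
        out = re.sub(r"String\.fromCharCode\(([\d,\s]+)\)",
                     lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()), out)
        out = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), out)
        out = re.sub(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", _b64, out)
        if out == before:
            break
    return out

def scan(src: str) -> dict:
    """Return which indicators appear once obfuscation is removed.
    A cookie check alone is normal; encoding plus any indicator is not."""
    decoded = decode_layers(src)
    hits = {name: bool(re.search(pat, decoded, re.I)) for name, pat in INDICATORS.items()}
    hits["obfuscated"] = decoded != src
    hits["suspicious"] = hits["obfuscated"] and any(hits[n] for n in INDICATORS)
    return hits

# Constructed sample of an injected footer.php script: a first-visit cookie
# gate plus an encoded clipboard write and a hex-escaped "Ray ID" label.
# Built with ord() so the encoding is exact; it is not a working payload.
_ENC = "String.fromCharCode(" + ",".join(str(ord(c)) for c in "navigator.clipboard.writeText(") + ")"
SAMPLE_INJECTED = ("<script>if(document.cookie.indexOf('_seen')<0){var f=" + _ENC
                   + ";var t='\\x52\\x61\\x79\\x20\\x49\\x44';document.cookie='_seen=1';}</script>")
SAMPLE_CLEAN = "<script>document.cookie='theme=dark';console.log('ok')</script>"
```

Run `scan()` over content fetched from a fresh session (no cookies), since the cookie gate means a returning browser may never receive the injected script.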
Unlike spam that mostly hurts your rankings, this attack turns your trusted site into a malware-delivery and notification-spam launchpad aimed at your own visitors. The reputational damage — and the risk of Google flagging you as deceptive or distributing malware — compounds fast, so removing it quickly matters.
Attackers often change almost nothing else on the site and trigger the overlay only on a visitor’s first load via a cookie. So you check, see a normal site, and assume it’s fine — while new visitors keep getting hit. Reliable confirmation means testing from a clean session, which is part of our process.
Methodology
Find the overlay, delete it, and close the door so your visitors stop being targeted.
We trigger the overlay from a clean first-visit session, then trace it to the injected code — whether it’s in files, the database, a rogue plugin, or a remote loader.
We de-obfuscate and delete the payload across every location, including the cookie/first-visit logic, so the fake CAPTCHA stops appearing for anyone.
We find how they got in, remove backdoors and rogue admins, rotate keys, and lock down login and uploads so it can’t be re-injected.
We re-test from fresh sessions to confirm it’s gone, and if Google or a browser flagged your site, we file the review request to clear it.
Simple Pricing
No tiers, no upsells. One price to remove the fake CAPTCHA and secure your site.
$75 flat, to start
Complete overlay removal and hardening — one site.
Fix-first, pay-later · you only pay once it’s clean
If it asks visitors to press keyboard shortcuts, open Run, paste a command, or “click Allow” to prove they’re human, it’s malicious. A genuine CAPTCHA never does this. The ClickFix variant gets visitors to install info-stealing malware themselves; the push variant hijacks their notifications.
It usually shows only on the first visit per browser using a cookie, and attackers change little else, so a return visit looks normal. We trigger it from a clean session to confirm it and find the source.
Related but different. A redirect hack sends visitors to another site; the fake CAPTCHA keeps them on yours and manipulates them into self-infecting or allowing spam. If yours forcibly redirects, start with our redirect malware removal page.
The malware runs on the visitor’s own machine, but your compromised site delivered it — which is a real reputational and trust problem, and can get you flagged by Google or browsers. The priority is removing it fast and clearing any warning.
Most sites are cleaned and hardened within 4–12 hours. It’s a flat $75 to start, fix-first and pay-later — you only pay once it’s clean. Contact us with your URL.
Every visitor who hits that fake CAPTCHA is a person your site just tried to infect or spam. We remove it, close the backdoor, and clear any warning — and if we can’t, you pay absolutely nothing.
Flat $75 · Fix-first, pay-later