ClickFix Is Hitting Australian Businesses Through Hacked WordPress Sites

The ACSC has issued its first standalone alert on ClickFix, an attack that talks people into running malware on their own machines, as reported by iTnews. Attackers are compromising the WordPress sites of legitimate Australian businesses and injecting a fake Cloudflare “verify you are human” prompt. When a visitor clicks it, a PowerShell command is quietly copied to their clipboard and a pop-up asks them to paste and run it — which installs Vidar Stealer, malware that harvests saved passwords, browser sessions and crypto-wallet keys. The ACSC’s full advisory is on cyber.gov.au.

This matters for two reasons. If your team browses the web — all of them do — any one of them could land on a trusted-looking site and be coached into pasting a command they don’t understand. And if your own business website runs on WordPress, it could be the site doing the infecting, which drags your brand into someone else’s attack and exposes your visitors. Antivirus often waves this through because the victim runs the command themselves; there’s no dodgy attachment to scan.

What to do this week: tell your staff, plainly, that no legitimate website ever asks you to copy text and run it in the Run box, PowerShell or Terminal — if a “captcha” or “fix” asks for that, close the tab. On the technical side, restrict who can run PowerShell and scripts, and make sure your endpoint protection is behaviour-based, not signature-only. If you run a WordPress site, patch core, themes and plugins now and delete anything you’re not using.

If you’re not sure whether your staff would spot this — or whether your website is patched — that’s worth closing off. Security awareness training and a managed cybersecurity baseline are exactly the controls that stop ClickFix turning into a breach.