When a WordPress site is hacked, the problem is not always obvious from the dashboard. Sometimes the site looks normal until a malware scanner starts flagging multiple frontend pages for JavaScript malware. That is exactly what happened in this case.
This WordPress infection was detected as Known javascript malware: malware?fake_captcha.13. After a manual investigation, I traced the infection to a fake plugin folder inside public_html/wp-content/plugins/yoast-seo-304b6b41. The malicious file pretended to be Yoast SEO, but it was actually injecting obfuscated JavaScript through wp_footer and exposing visitors to a fake CAPTCHA-style malware flow.
Quick Summary
- Malware detected as: Known javascript malware: malware?fake_captcha.13
- Infection type: Fake CAPTCHA JavaScript malware
- Root cause: Fake plugin in wp-content/plugins/yoast-seo-304b6b41
- Plugin disguise: Fake Yoast SEO plugin header
- Malicious behavior: Injected obfuscated JavaScript through wp_footer
- Impact: Multiple frontend URLs flagged as malicious
- Fix: Removed fake plugin, cleaned malware, checked for persistence, and hardened the site
How the Infection Was First Detected
The first sign of compromise came from a malware scan. Multiple pages on the site were flagged with the same signature: Known javascript malware: malware?fake_captcha.13. The scanner also showed a long obfuscated JavaScript payload, which strongly suggested a frontend script injection rather than a simple spam page or redirect-only infection.
This type of infection is dangerous because it affects real visitors. Instead of only damaging the backend or creating hidden spam URLs, the malware runs in public pages and can be used to load deceptive prompts, scam flows, or malicious scripts in the browser.

Multiple URLs were flagged for Known javascript malware: malware?fake_captcha.13.
What malware?fake_captcha.13 Looked Like in This Case
After expanding the scan details, the pattern became clearer. The infection was tied to obfuscated JavaScript loaded in frontend pages. The payload was not readable at a glance because it had been deliberately encoded to hide its behavior and make manual inspection more difficult.
That was a strong red flag. Legitimate WordPress plugins do not normally inject huge obfuscated JavaScript blobs into page output, especially not through a fake plugin pretending to be a trusted SEO tool.

The malware scan showed an obfuscated JavaScript payload associated with fake CAPTCHA-style behavior.
Tracing the Malware to a Fake Plugin
During the manual cleanup, I inspected the WordPress plugins directory and found a suspicious folder here:
public_html/wp-content/plugins/yoast-seo-304b6b41
The folder name immediately stood out. It looked like it was trying to imitate a real SEO plugin while hiding behind a random suffix. That is a common tactic in WordPress malware attacks. Attackers know site owners recognize trusted plugin names, so they use familiar branding to make malicious folders look less suspicious.
Inside that folder, I found a PHP file named:
yoast-seo-304b6b41.php
That file was the real source of the infection.

The infection was traced to a fake plugin folder named yoast-seo-304b6b41 inside wp-content/plugins.
Why the Plugin Was Clearly Malicious
At the top of the file, the attacker used a forged plugin header so the malware would appear to be a legitimate plugin:
The fake plugin impersonated Yoast SEO and injected obfuscated JavaScript through wp_footer.
How the Fake CAPTCHA Malware Worked
In this case, the fake plugin acted as the delivery mechanism. Instead of dropping a single obvious rogue file in the root directory, the attacker hid the malware inside the normal WordPress plugins folder, where it could blend in with legitimate plugins.
Once active, the plugin injected the obfuscated JavaScript payload into the frontend. That payload was what led to the scanner detection as malware?fake_captcha.13 and triggered the fake CAPTCHA behavior seen on the infected site.
That kind of behavior is especially dangerous because it targets visitors directly. It can be used to load scam prompts, trick users into interacting with fake challenges, or support broader malicious campaigns beyond the site itself.

Visitors were exposed to a fake CAPTCHA prompt triggered by the malicious frontend payload.
Why This Infection Was Dangerous
This infection was more than just one suspicious file. It was dangerous because it combined several common attacker tactics:
- Trusted plugin impersonation
- Frontend-only payload delivery
- Obfuscated JavaScript injection
- Fake CAPTCHA-style malicious behavior
- Malware affecting multiple public URLs
That combination makes the infection harder for site owners to catch early. The plugin can look normal at first, the admin area may appear mostly unaffected, and the real damage happens in public page output where visitors are exposed.
My WordPress Malware Removal Process
For this site, I followed a manual malware removal workflow rather than relying only on automated tools.
- Verified the malware signature. I reviewed the scan findings to confirm that multiple pages were infected and that the malware was being detected as malware?fake_captcha.13.
- Inspected the WordPress plugins directory. I audited wp-content/plugins and identified the suspicious yoast-seo-304b6b41 folder.
- Analyzed the fake plugin file. I opened the PHP file and confirmed it was not a legitimate SEO plugin but a malicious script injector.
- Removed the fake plugin safely. After confirming the file was malicious, I removed it and checked for related suspicious artifacts.
- Checked for persistence and hidden malware. A proper cleanup does not stop at one file. I reviewed the rest of the installation for hidden persistence, suspicious users, rogue files, and reinfection paths.
- Hardened the WordPress installation. Once the active infection was removed, I applied security cleanup and hardening steps to reduce the risk of reinfection.
What Website Owners Should Learn From This Case
1. Fake plugins can look legitimate
Attackers often impersonate trusted plugin names to make malicious files look safe.
2. The plugins folder is not automatically trustworthy
Site owners often focus on the root directory, but attackers also hide malware deep inside wp-content/plugins.
3. Obfuscated JavaScript is a major warning sign
If a plugin is echoing a giant unreadable JavaScript payload into the frontend, that is almost never normal behavior.
4. Frontend-only behavior can hide the infection
Because this malware skipped the admin area, it reduced the chance of being noticed quickly in wp-admin.
5. Manual review still matters
A scanner can identify the malware family, but proper cleanup often requires manual file inspection and deeper WordPress investigation.
Signs Your Site May Have Similar Malware
- Malware warnings on multiple public URLs
- Fake CAPTCHA prompts appearing on the frontend
- Suspicious plugin folders with random suffixes
- Plugins pretending to be well-known tools but stored in strange folders
- Obfuscated JavaScript echoed inside plugin PHP files
- Reinfection after deleting one obvious malicious file
If you see any of these symptoms, your site may need a deeper WordPress malware cleanup rather than a quick one-file deletion.
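Two of the signs above (a plugin folder with a random suffix, and a plugin PHP file that hooks wp_footer and carries a long unreadable blob) can be checked with a short script. The following is an added example, not code from the original cleanup; the 8-character hex suffix pattern, the 400-character blob threshold, the function names, and the sample tree (with an inert placeholder blob) are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

HEX_SUFFIX = re.compile(r"^[a-z0-9-]+-[0-9a-f]{8}$")  # e.g. yoast-seo-304b6b41 (8-hex length assumed)
HEADER_NAME = re.compile(r"Plugin Name:\s*(.+)")
FOOTER_HOOK = re.compile(r"add_action\(\s*['\"]wp_footer['\"]")
LONG_BLOB = re.compile(r"[A-Za-z0-9+/=_$\\]{400,}")  # unbroken encoded-looking run (threshold assumed)

def audit_plugin(folder: Path) -> list:
    """Return the reasons a plugin folder resembles the fake plugin in this case."""
    reasons = []
    if HEX_SUFFIX.match(folder.name):
        reasons.append("random-hex-suffix")
    for php in sorted(folder.rglob("*.php")):
        src = php.read_text(errors="replace")
        # Hooking wp_footer alone is normal; the pairing with a huge blob is the signal.
        if FOOTER_HOOK.search(src) and LONG_BLOB.search(src):
            claimed = HEADER_NAME.search(src)
            name = claimed.group(1).strip() if claimed else "no header"
            reasons.append(f"wp_footer-blob in {php.name} (header claims: {name})")
    return reasons

def audit_plugins_dir(plugins_dir: Path) -> dict:
    """Map each suspicious plugin folder name to its list of reasons."""
    found = {}
    for p in sorted(plugins_dir.iterdir()):
        if p.is_dir() and (reasons := audit_plugin(p)):
            found[p.name] = reasons
    return found

def build_constructed_sample(root: Path) -> Path:
    """Constructed test tree: one fake plugin (inert placeholder blob) and one benign plugin."""
    plugins = root / "wp-content" / "plugins"
    fake = plugins / "yoast-seo-304b6b41"
    good = plugins / "contact-widget"
    fake.mkdir(parents=True)
    good.mkdir(parents=True)
    (fake / "yoast-seo-304b6b41.php").write_text(
        "<?php\n/*\n * Plugin Name: Yoast SEO\n */\n"
        "add_action('wp_footer', function () { echo '<script>" + "QUJD" * 150 + "</script>'; });\n")
    (good / "contact-widget.php").write_text(
        "<?php\n/* Plugin Name: Contact Widget */\n"
        "add_action('wp_footer', function () { echo '<script>initWidget();</script>'; });\n")
    return plugins

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, why in audit_plugins_dir(build_constructed_sample(Path(tmp))).items():
            print(name, why)
```

On a real site, point audit_plugins_dir at the wp-content/plugins path and treat every hit as a lead for manual file review, since both checks are heuristics that can flag legitimate plugins.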
Final Thoughts
This case was a strong example of WordPress malware hiding in plain sight. The infection was detected as Known javascript malware: malware?fake_captcha.13, but the real source was a fake plugin folder disguised as Yoast SEO inside the normal plugins directory.
The malicious file used a forged plugin header, avoided the admin area, and injected obfuscated JavaScript through wp_footer. That made it stealthy enough to blend in while still affecting real visitors on the frontend.
If your WordPress site is showing malware scan alerts, fake CAPTCHA prompts, suspicious plugin folders, or unexplained frontend script injections, do not assume the problem ends with the first infected file you find. Infections like this often rely on disguise, persistence, and normal-looking locations to avoid detection.
Need Help Removing Fake Plugin Malware from WordPress?
I manually clean hacked WordPress websites, remove fake plugins, trace hidden malware, investigate obfuscated JavaScript injections, and secure the site properly so the infection does not come back.