Fake CAPTCHA Malware in WordPress: How I Removed malware?fake_captcha.13 from a Fake Yoast SEO Plugin

MD Pabel April 2, 2026

When a WordPress site is hacked, the problem is not always obvious from the dashboard. Sometimes the homepage still looks normal, wp-admin still works, and the site owner has no idea anything is wrong until a malware scanner starts flagging multiple frontend URLs for JavaScript malware.

That is exactly what happened in this case. The infection was detected as Known javascript malware: malware?fake_captcha.13. After a manual investigation, I traced the malware to a fake plugin folder inside public_html/wp-content/plugins/yoast-seo-304b6b41. The file pretended to be Yoast SEO, but it was actually injecting obfuscated JavaScript through wp_footer and exposing visitors to a fake CAPTCHA-style malware flow.

I clean hacked WordPress websites manually, including fake plugin infections, JavaScript malware, SEO spam, hidden backdoors, and reinfection loops. This case is a good example of how attackers hide malware inside normal-looking plugin folders to avoid detection.

Quick Summary

  • Malware detected as: Known javascript malware: malware?fake_captcha.13
  • Infection type: Fake CAPTCHA JavaScript malware
  • Root cause: Fake plugin in wp-content/plugins/yoast-seo-304b6b41
  • Plugin disguise: Fake Yoast SEO plugin header
  • Malicious behavior: Injected obfuscated JavaScript through wp_footer
  • Impact: Multiple frontend URLs flagged as malicious
  • Fix: Removed the fake plugin, cleaned the malware, checked for persistence, and hardened the site

How the infection was first detected

The first clear sign of compromise came from a malware scan. Multiple public pages on the site were flagged with the same signature: Known javascript malware: malware?fake_captcha.13. The scan also showed a long obfuscated JavaScript payload, which strongly suggested a frontend script injection instead of a simple spam page or redirect-only infection.

This type of malware is dangerous because it affects real visitors directly. Instead of only damaging the backend or quietly generating spam URLs, it runs in public pages and can be used to load deceptive prompts, fake CAPTCHA flows, or other malicious scripts in the browser.

Multiple frontend URLs were flagged as Known javascript malware: malware?fake_captcha.13.

What malware?fake_captcha.13 looked like in this case

After expanding the scan details, the pattern became clearer. The infection was tied to obfuscated JavaScript loaded on frontend pages. The payload was deliberately unreadable at a glance, which is a common attacker tactic used to hide malicious behavior and make manual inspection harder.

That was already a major red flag. Legitimate WordPress plugins do not normally echo huge obfuscated JavaScript blobs into public page output, especially not from a plugin pretending to be a trusted SEO tool.

The scanner showed an obfuscated JavaScript payload associated with fake CAPTCHA-style behavior.

Tracing the malware to a fake plugin

During the manual cleanup, I audited the WordPress plugins directory and found a suspicious folder here:

public_html/wp-content/plugins/yoast-seo-304b6b41

The folder name stood out immediately. It looked like an attempt to impersonate a real SEO plugin while hiding behind a random suffix. That is a common tactic in WordPress malware cases. Attackers know site owners recognize trusted plugin names, so they reuse familiar branding to make malicious folders look harmless.

Inside that folder, I found a PHP file named:

yoast-seo-304b6b41.php

That file was the real source of the infection.

The infection was traced to a fake plugin folder named yoast-seo-304b6b41 inside wp-content/plugins.

Why the plugin was clearly malicious

At the top of the file, the attacker used a forged plugin header so the malware would appear to be a legitimate plugin:

<?php
/**
 * Plugin Name: Yoast SEO
 * Description: Improve your SEO with real-time feedback...
 * Version: 27.2
 */

That header was fake. The file was not the real Yoast SEO plugin. It was a malicious frontend injector disguised as one.

The most suspicious part of the code was the frontend injection logic:

<?php
if (!defined('ABSPATH')) { exit; }

function suspicious_frontend_injector() {
    if (is_admin()) { return; }

    $payload = '...long obfuscated JavaScript...';
    echo "<script>\n" . $payload . "\n</script>";
}

add_action('wp_footer', 'suspicious_frontend_injector', 999);

This is what made the file so dangerous:

  • It skipped the WordPress admin area with is_admin(), which reduced the chance of obvious detection in wp-admin.
  • It hooked into wp_footer, which meant the malware ran on the frontend where visitors would see the effect.
  • It printed a long obfuscated JavaScript payload directly into public pages.
  • It used a high hook priority of 999, which helped the malicious script execute late in the page output.

This was not accidental junk code or a broken plugin. It was a deliberate malware loader.
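
The traits listed above can be checked statically. This is an added example, not code from the original post or from any scanner product: a Python triage pass that reports which of those traits a PHP source contains. The regexes, thresholds and trait names are assumptions, and the sample is constructed from the sanitized snippet above with harmless hex filler in place of the payload.

```python
import re

# Traits from the list above. Thresholds are assumptions for triage, not a signature.
PATTERNS = {
    "hooks_wp_footer": re.compile(r"add_action\(\s*['\"]wp_footer['\"]"),
    "returns_early_in_admin": re.compile(r"if\s*\(\s*is_admin\(\)\s*\)\s*\{?\s*return\b"),
    "echoes_script_tag": re.compile(r"echo\s+['\"]<script", re.IGNORECASE),
}
PRIORITY = re.compile(r"add_action\(\s*['\"]wp_footer['\"]\s*,[^,;]+,\s*(\d+)\s*\)")
LITERAL = re.compile(r"'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"", re.DOTALL)
MIN_BLOB_LEN = 500     # assumed: shorter string literals are ignored
MAX_WHITESPACE = 0.02  # assumed: packed or obfuscated code has almost no whitespace
LATE_PRIORITY = 100    # assumed cut-off; WordPress's default hook priority is 10

def has_opaque_blob(php):
    """True if any quoted PHP string is long and almost free of whitespace."""
    for m in LITERAL.finditer(php):
        text = m.group(1) or m.group(2) or ""
        if len(text) >= MIN_BLOB_LEN:
            if sum(ch.isspace() for ch in text) / len(text) <= MAX_WHITESPACE:
                return True
    return False

def injector_traits(php):
    """Return the sorted names of the injector traits found in one PHP source."""
    found = {name for name, rx in PATTERNS.items() if rx.search(php)}
    m = PRIORITY.search(php)
    if m and int(m.group(1)) >= LATE_PRIORITY:
        found.add("late_hook_priority")
    if has_opaque_blob(php):
        found.add("long_opaque_string_literal")
    return sorted(found)

# Constructed sample modelled on the snippet above; BLOB is harmless hex filler.
BLOB = "".join("%02x" % ((i * 37) % 256) for i in range(400))
SAMPLE_INJECTOR = r"""<?php
if (!defined('ABSPATH')) { exit; }
function suspicious_frontend_injector() {
    if (is_admin()) { return; }
    $payload = 'BLOB';
    echo "<script>\n" . $payload . "\n</script>";
}
add_action('wp_footer', 'suspicious_frontend_injector', 999);
""".replace("BLOB", BLOB)

if __name__ == "__main__":
    for trait in injector_traits(SAMPLE_INJECTOR):
        print("flag:", trait)
```

A single trait such as hooking wp_footer is normal in legitimate plugins; it is the combination in one file that warrants opening it by hand.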

How the fake CAPTCHA malware worked

In this case, the fake plugin acted as the delivery mechanism. Instead of dropping a single obvious rogue file in the root directory, the attacker hid the malware inside the normal WordPress plugins folder, where it could blend in with legitimate extensions.

Once active, the plugin injected the obfuscated JavaScript payload into frontend pages. That payload was what triggered the scanner detection as malware?fake_captcha.13 and led to the fake CAPTCHA behavior on the infected site.

This kind of infection is especially dangerous because it targets visitors directly. It can be used to show scam prompts, trick users into fake verification flows, or load additional malicious browser-side code.

Visitors were exposed to a fake CAPTCHA prompt triggered by the malicious frontend payload.

Why this infection was dangerous

This was more than just one suspicious file. It combined several common attacker tactics in one infection:

  • trusted plugin impersonation
  • frontend-only payload delivery
  • obfuscated JavaScript injection
  • fake CAPTCHA-style malicious behavior
  • malware affecting multiple public URLs

That combination makes the infection harder for site owners to catch early. The plugin can look normal at first, the dashboard may appear mostly unaffected, and the real damage happens in public page output where visitors are exposed.

My WordPress malware removal process

For this site, I followed a manual cleanup workflow instead of relying only on automated tools.

  1. Verified the malware signature
    I reviewed the scan findings to confirm that multiple pages were infected and that the detection was consistently malware?fake_captcha.13.
  2. Inspected the WordPress plugins directory
    I audited wp-content/plugins and identified the suspicious yoast-seo-304b6b41 folder.
  3. Analyzed the fake plugin file
    I opened the PHP file and confirmed it was not a legitimate SEO plugin but a malicious script injector.
  4. Removed the fake plugin safely
    After confirming the file was malicious, I removed it and checked for related suspicious artifacts.
  5. Checked for persistence and hidden malware
    A proper cleanup does not stop at one file. I reviewed the rest of the installation for hidden persistence, suspicious users, rogue files, and reinfection paths.
  6. Hardened the WordPress installation
    Once the active infection was removed, I applied post-cleanup security hardening to reduce the risk of reinfection.
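
Step 2 of this workflow, as an added example rather than the tooling used in this cleanup: a Python audit of wp-content/plugins that flags folders missing from an expected inventory or ending in an 8-character hex suffix, and reports the Plugin Name each one claims. The inventory, the suffix heuristic and the demo tree (including the hypothetical example-forms plugin) are assumptions constructed for illustration.

```python
import os
import re
import tempfile

HEX_SUFFIX = re.compile(r"^(?P<base>[a-z0-9-]+)-(?P<suffix>[0-9a-f]{8})$")  # e.g. yoast-seo-304b6b41
HEADER_NAME = re.compile(r"^[ \t/*#@]*Plugin Name:\s*(.+?)\s*$", re.MULTILINE)

def read_plugin_name(folder):
    """Return the 'Plugin Name' header from the first top-level PHP file that has one."""
    for entry in sorted(os.listdir(folder)):
        if entry.endswith(".php"):
            with open(os.path.join(folder, entry), errors="replace") as fh:
                m = HEADER_NAME.search(fh.read(8192))  # WordPress reads only the first 8 KB
            if m:
                return m.group(1)
    return None

def audit_plugins(plugins_dir, expected_slugs):
    """List (folder, claimed_name, reasons) for plugin folders that need manual review."""
    findings = []
    for slug in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, slug)
        if not os.path.isdir(path):
            continue
        reasons = []
        if slug not in expected_slugs:
            reasons.append("not in expected inventory")
        if HEX_SUFFIX.match(slug):
            reasons.append("folder name ends in 8 hex characters")
        if reasons:
            findings.append((slug, read_plugin_name(path), reasons))
    return findings

def build_demo_tree(root):
    """Constructed plugins directory: one expected plugin and the fake one from this case."""
    for slug, name in [("example-forms", "Example Forms"), ("yoast-seo-304b6b41", "Yoast SEO")]:
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, slug + ".php"), "w") as fh:
            fh.write("<?php\n/**\n * Plugin Name: %s\n * Version: 27.2\n */\n" % name)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        for slug, name, reasons in audit_plugins(root, expected_slugs={"example-forms"}):
            print(slug, "claims to be", repr(name), "->", "; ".join(reasons))
```

Point audit_plugins at the real plugins path and pass the slugs you installed yourself; a flagged folder is a candidate for manual review, not proof of infection.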

What website owners should learn from this case

1. Fake plugins can look legitimate

Attackers often impersonate trusted plugin names to make malicious folders look safe.

2. The plugins folder is not automatically trustworthy

Many site owners focus on the root directory, but attackers also hide malware deep inside wp-content/plugins.

3. Obfuscated JavaScript is a major warning sign

If a plugin is echoing a giant unreadable JavaScript payload into the frontend, that is almost never normal behavior.

4. Frontend-only behavior can hide the infection

Because this malware skipped the admin area, it reduced the chance of being noticed quickly inside wp-admin.

5. Manual review still matters

A scanner can identify the malware family, but proper cleanup often requires manual file inspection and a deeper WordPress investigation.

Signs your site may have similar malware

  • malware warnings on multiple public URLs
  • fake CAPTCHA prompts appearing on the frontend
  • suspicious plugin folders with random suffixes
  • plugins pretending to be well-known tools but stored in strange folders
  • obfuscated JavaScript echoed inside plugin PHP files
  • reinfection after deleting one obvious malicious file

If you see any of these symptoms, your site probably needs a deeper WordPress malware cleanup, not just a quick one-file deletion.

Final thoughts

This case is a strong example of WordPress malware hiding in plain sight. The infection was detected as Known javascript malware: malware?fake_captcha.13, but the real source was a fake plugin folder disguised as Yoast SEO inside the normal plugins directory.

The malicious file used a forged plugin header, avoided the admin area, and injected obfuscated JavaScript through wp_footer. That made it stealthy enough to blend in while still affecting real visitors on the frontend.

If your WordPress site is showing malware scan alerts, fake CAPTCHA prompts, suspicious plugin folders, or unexplained frontend script injections, do not assume the problem ends with the first infected file you find. Infections like this often rely on disguise, persistence, and normal-looking locations to avoid detection.

Frequently Asked Questions

What is fake CAPTCHA malware in WordPress?

Fake CAPTCHA malware is malicious code that injects deceptive browser-side behavior into public pages, often showing fake verification prompts or loading additional harmful scripts for visitors.

Why would a fake plugin impersonate Yoast SEO?

Attackers often reuse trusted plugin names so malicious folders look familiar and are less likely to be questioned during a quick inspection.

Can a fake plugin reinfect a WordPress site?

Yes. Fake plugins are often used as persistence mechanisms, which means they can restore deleted malware or keep unauthorized access alive.

Why is wp_footer dangerous in a malware case?

If attackers hook malicious code into wp_footer, they can inject scripts into public pages without affecting the admin area as obviously.

Is deleting one malicious plugin file enough?

Usually not. A proper cleanup should also check for hidden users, additional rogue files, database injections, and other persistence points.

Need help removing fake plugin malware from WordPress?

I manually clean hacked WordPress websites, remove fake plugins, trace hidden malware, investigate obfuscated JavaScript injections, and secure the site properly so the infection does not come back.

Hire me or start with my WordPress malware removal service.

About the Author

MD Pabel

MD Pabel is the Founder and CEO of 3Zero Digital, a leading agency specializing in custom web development, WordPress security, and malware removal. With 8+ years of experience, he has completed 3200+ projects, served 2300+ clients, and resolved 4500+ cases of malware and hacked websites.
