Fake Cloudflare Verification Page: How to Identify, Remove, and Protect Your WordPress Website
Picture yourself logging into your website and seeing that Cloudflare greets all your visitors with a “Verify you are human” page, which requires them to press Windows + R and run a command.
This is not a real Cloudflare security verification procedure. Instead, it is a social engineering scam associated with the ClickFix malware campaign. Rather than providing security, it tries to trick users into executing malicious commands and installing spyware.
In this guide, you’ll learn how to recognize a fake Cloudflare verification page, understand how attackers inject it into WordPress websites, and follow practical steps to remove it and strengthen your site’s security.
Table of Contents
What Is a Fake Cloudflare Verification Page?
A fraudulent Cloudflare verification page simulates the genuine Cloudflare bot protection service.
Unlike an authentic Cloudflare verification, this phony version tells users to do strange things like:
- Press Windows + R
- Press Ctrl + V
- Press Enter
Carrying out these commands on the victim’s computer will result in the download of malware capable of stealing passwords, browser cookies, cryptocurrency wallets, and other sensitive data.

Signs Your Website May Be Infected
Watch for these warning signs:
- Visitors see a Cloudflare verification page before your website loads.
- The page asks users to run Windows commands.
- The issue mainly affects Windows desktop users.
- Website security scans may appear clean while the malicious page still appears.
- Suspicious JavaScript appears near the end of your page source.
If your website displays these symptoms, investigate immediately.
How Attackers Inject the Fake Verification Page
Attackers generally achieve access by one of the following approaches:
- Faulty WordPress plugins or themes.
- Insecure administrator passwords.
- Previously established backdoors.
- Infiltrated hosting services or FTP credentials.
- Unsafe file management solutions.
After gaining access, they may inject encoded JavaScript into the theme files, such as:
- footer.php
- header.php
- functions.php
In some cases, malicious code may also be injected into the WordPress database.
Quick Tip: Check Recently Modified Files First
When investigating a fake Cloudflare verification page or any WordPress malware infection, don’t start by checking every file manually. A much faster approach is to review recently modified files.
If you are using any hosting control panel, such as Hostinger, cPanel, Plesk, etc., go to the File Manager and sort the files by modification time.
It is worth focusing on files modified within 2-7 days, with special notice of those that were not altered.
Pay special attention to important WordPress files such as:
- footer.php
- header.php
- functions.php
- index.php
- wp-config.php
Recently modified plugin or theme files
If the file has been changed without notice, match it to the original from the corresponding WordPress theme/plugin. Hackers usually add harmful PHP and JavaScript code at the beginning of these files.
Real-world example:
While investigating malware, the website owner used Hostinger’s File Manager to check files according to the Last Modified date. As a result, it was discovered that footer.php was the only file modified 10 days ago, while all of the other theme files remained unchanged for months. The malicious JavaScript responsible for the fake Cloudflare verification page had been inserted into this very file.
Pro Tip: Don’t check only the website files. Also, review your WordPress database (wp_options, wp_posts, and wp_users) for unexpected changes, as attackers sometimes inject malicious scripts into the database rather than modify files.
How to Check Your WordPress Website
1. View Your Page Source
Press Ctrl + U in your browser and inspect the HTML source.
Look for unexpected JavaScript appended near the closing </body> tag.
2. Review Theme Files
Inspect:
- footer.php
- header.php
- functions.php
Compare them with a clean copy of the theme from the official WordPress repository.
3. Check the WordPress Database
Review important tables such as:
- wp_options
- wp_posts
- wp_users
Look for unexpected scripts or unfamiliar administrator accounts.
4. Scan Your Website
Use trusted security tools such as:
- Wordfence
- Hostinger Malware Scanner (if applicable)
- Other reputable website security scanners
Keep in mind that automated scanners may not detect every type of obfuscated malware.
How to Remove the Fake Cloudflare Verification Page
If you identify the malicious code:
- Back up your website.
- Remove the injected JavaScript from the affected file.
- Replace modified theme or plugin files with clean copies.
- Update WordPress core, plugins, and themes.
- Change all passwords:
- WordPress
- Hosting account
- FTP/SSH
- Database (if applicable)
- Run another complete malware scan.
- Monitor the website for signs of reinfection.
If you cannot identify the source, consider asking your hosting provider or a malware removal specialist to investigate.
Prevent Future Infections
Reduce the risk of future attacks by following these best practices:
- Keep WordPress, plugins, and themes up to date.
- Remove unused plugins and themes.
- Download themes and plugins only from trusted sources.
- Enable two-factor authentication for administrator accounts.
- Perform regular backups.
- Install a reputable WordPress security plugin.
- Review administrator accounts regularly.
- Monitor modified files and security logs.
Is every Cloudflare verification page fake?
Cloudflare does not have any fraud detection to protect the website from bots. One of the main signs of problems is the need to run Windows commands or paste content into the command window on your computer. Real Cloudflare challenges do not need you to execute anything.
Can malware hide even if my website scanner says everything is clean?
Yes. In some cases, obfuscation and hidden backdoors are used so that the automated scanners will not catch it immediately. If the suspicious behavior persists, you can perform a manual check or contact your hosting provider.
Should I remove the malicious JavaScript?
Removing the visible code may stop the immediate symptoms, but you should also determine how it was injected. Otherwise, a hidden backdoor or unresolved vulnerability could allow the malware to return.
Final Thoughts
A fake Cloudflare verification page is more than just an inconvenience—it can put your visitors at risk by attempting to install malware on their devices. If you notice unusual verification prompts or suspicious JavaScript in your website’s source code, investigate promptly, restore trusted files, update your software, and verify that no hidden backdoors remain.
Regular security audits, timely updates, and strong account protection remain the best defense against this type of attack.
Also Read : What Is SSL? Types, Benefits & SSL vs TLS Explained
