Viewing 3 replies - 1 through 3 (of 3 total)
  • From Wordfence…

    What We’ve Done So Far

    As of this writing, we’ve created three firewall rules in total to protect our users’ sites from the backdoor installation. Premium customers received the first two rules on December 8th and the third one on the 14th. These rules also protect against the backdoor itself executing in Captcha as well as in the five other plugins available for download on simplywordpress.net. Free users will receive these rules 30 days from the original publish date via the community version of the Threat Defense Feed.

    We have also been working with the WordPress.org plugins team to get out a patched version of Captcha (4.4.5) that is backdoor-free. The plugins team has used the automatic update to upgrade all backdoored versions (4.3.6 – 4.4.4) up to the new 4.4.5 version. Over the course of the weekend over 100,000 sites running versions 4.3.6 – 4.4.4 were upgraded to 4.4.5. They have also blocked the author from publishing updates to the plugin without their review.

    Our Recommendations

    We recommend that you uninstall the Captcha plugin immediately from your site. Based on the public data we’ve gathered, this developer does not have user safety in mind and is very likely a criminal actor attempting yet another supply chain attack. You should also ensure that you’ve enabled automatic updates within WordPress – that’s still one of the best ways to keep your site secure before disclosures like this take place. We also recommend using the Premium version of Wordfence, to proactively defend your site against threats like this one.

    The most viable alternative seems to be ‘Really Simple CAPTCHA’ (by Takayuki Miyoshi, creator of ‘Contact Form 7’ and compatible with it).

    Greetings!

    Thread Starter cjc1867

    (@cjc1867)

    Well done for sorting this out.

    Contact Form 7 prefers to use the Google Captcha API instead, by integrating it into Contact Form 7, so I use that now.

    Colin

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    Hello, please read the entire original post. We worked with Wordfence last week to clean up the plugin and pushed it out as an automatic update.

    They explained this in their post.

    Version 4.4.5 is safe and you probably already have the update.

  • The topic ‘Don’t use this Plugin’ is closed to new replies.