A malicious “ClickFix/Fake CAPTCHA” script is popping up on my WordPress site. I haven’t touched anything yet, so the site is exactly as the attacker left it. Here’s what I need, ideally within the next few hours: • Track down every trace of the injected JavaScript—whether it’s buried in theme files, slipped into the database, or hiding in an obfuscated payload—and delete it for good. • Scan functions.php, header.php, and any other core or template files for suspicious snippets, eval () calls, base64 blocks, or recently modified code. • Review the user table, flag any unfamiliar admin accounts, and remove them. • Re-save permalinks and flush all caching layers once the cleanup is complete. • Finish up by installing and configuring at least one reputable security plugin (e.g., Wordfence, Sucuri, or iThemes Security) so this doesn’t happen again. I’m open to your recommendation. I can secure hosting-level access if you discover that the infection sits outside WordPress. Please be comfortable navigating file managers, phpMyAdmin, and SSH for a swift, surgical cleanup. Deliverables will be a fully functional, malware-free site plus a short report summarizing what you found, what you removed, and which hardening steps you put in place.