Security Tips

Phishing Attacks Targeting WordPress Sites: Fake Logins, Deceptive Emails, and Credential Theft

WordPress sites are frequently used to host phishing pages or are targeted by phishing campaigns to steal admin credentials. Learn how to protect yourself.

WPSentry Team · March 8, 2026 · 3 min read

What is Phishing?

Phishing is a social engineering attack where the attacker impersonates a trusted entity to trick victims into revealing sensitive information, typically login credentials, financial details, or personal data. In the WordPress ecosystem, phishing attacks take two primary forms:

  1. Attacks targeting WordPress administrators — Phishing emails designed to steal your WordPress login credentials
  2. Compromised WordPress sites hosting phishing pages — Your site being used as infrastructure for phishing campaigns targeting others

Phishing Attacks Targeting WordPress Admins

Common Tactics

  • Fake security alerts — "Your site has been hacked! Log in immediately to secure it" with a link to a fake login page
  • Plugin update notifications — Emails mimicking WordPress.org plugin update notices
  • Hosting provider impersonation — "Your hosting account will be suspended unless you verify your credentials"
  • SEO penalty warnings — "Google has flagged your site for malware. Click here to appeal"
  • Fake invoices — Billing notices from popular WordPress services (Elementor, WPEngine, etc.)

How to Identify Phishing Emails

  • Check the sender's email domain carefully (wordpress.org vs wordpr3ss.org)
  • Hover over links before clicking — the URL should match the claimed sender
  • Look for urgency and threat language — legitimate services rarely threaten immediate account deletion
  • Check for grammar and formatting issues
  • WordPress.org will never ask for your password via email

Your WordPress Site Hosting Phishing Pages

Compromised WordPress sites are frequently used to host phishing pages targeting banks, email providers, social media platforms, and other services. Attackers hide these pages in:

  • Random directories within /wp-content/uploads/
  • Subdirectories that look legitimate: /wp-content/plugins/security-update/
  • Hidden folders with names starting with a dot: /.well-known/phishing/

Consequences of Hosting Phishing Content

  • Google will flag your site with a "Deceptive site ahead" warning
  • Your domain may be blacklisted by email providers
  • Your hosting provider may suspend your account
  • You may face legal liability
  • Your SEO rankings will plummet

Prevention Strategies

Protecting Your Admin Credentials

  1. Enable Two-Factor Authentication — Even if credentials are phished, 2FA blocks unauthorized access
  2. Use a password manager — Autofill only works on the real domain, preventing fake login pages from capturing credentials
  3. Bookmark your login page — Always access wp-admin via a bookmark, never through email links
  4. Train your team — Ensure anyone with WordPress access knows how to identify phishing

Preventing Your Site From Being Used for Phishing

  1. Keep WordPress updated — Prevent the initial compromise
  2. Monitor file changes — Use a security plugin that alerts you to new or modified files
  3. Restrict file uploads — Only allow necessary file types (images, PDFs) and never allow PHP uploads
  4. Regular malware scans — Scan for suspicious files in your uploads and plugins directories
  5. Google Search Console — Register your site to receive notifications if Google detects phishing content
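The following audit script is an added example, not code from the original post or from WPSentry. It turns steps 2 to 4 above into checks a site owner can run from a shell on the host: it lists PHP files under the uploads tree, reports dot-directories (and anything unexpected inside the legitimate /.well-known/ directory), and compares the plugins and uploads trees against a recorded hash baseline to surface new or modified files. The function names are mine; it assumes a Linux host with GNU coreutils (`sha256sum`) and takes the WordPress root directory as its first argument.

```shell
#!/bin/sh
# Added example, not part of the original post. Audits a WordPress install for the
# phishing-hosting indicators described above. Assumes GNU coreutils (sha256sum).
# Usage: . ./wp-phish-audit.sh; audit_wordpress /var/www/html [baseline-file]

# 1. PHP files under wp-content/uploads: uploads should never contain executable PHP.
find_php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null
}

# 2. Hidden directories. /.well-known itself is legitimate (ACME challenges live
#    there), so report every other dot-directory plus anything unexpected inside it.
find_hidden_dirs() {
  find "$1" -mindepth 1 -type d -name '.*' ! -name '.well-known' 2>/dev/null
  find "$1/.well-known" -mindepth 1 -type d ! -name 'acme-challenge' 2>/dev/null
}

# 3. Baseline of file hashes for the plugins and uploads trees, one "hash  path"
#    line per file, written to the file named by $2.
make_baseline() {
  ( cd "$1" && find wp-content/plugins wp-content/uploads -type f \
      -exec sha256sum {} + 2>/dev/null | sort -k2 ) > "$2"
}

# 4. Files that are new or modified since the baseline (deletions are not reported).
#    Prints one path per line, relative to the WordPress root.
changed_since_baseline() {
  tmp=$(mktemp)
  make_baseline "$1" "$tmp"
  # keep hash lines absent from the baseline, then strip the hash column
  grep -vxFf "$2" "$tmp" | sed 's/^[0-9a-f]\{64\}  //'
  rm -f "$tmp"
}

# Run all checks against the WordPress root given as $1 (baseline file optional as $2).
audit_wordpress() {
  echo "== PHP under uploads ==";  find_php_in_uploads "$1"
  echo "== Hidden directories =="; find_hidden_dirs "$1"
  if [ -n "$2" ] && [ -f "$2" ]; then
    echo "== New or modified since baseline =="; changed_since_baseline "$1" "$2"
  fi
}
```

Record the baseline with `make_baseline /var/www/html /root/wp-baseline.txt` right after a clean update, and re-run `audit_wordpress` from cron so a new PHP file in uploads or a fresh "security-update" plugin folder shows up in the next report.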

Frequently Asked Questions

Attackers send fake emails impersonating WordPress.org, hosting providers, or security services, with urgent messages like 'Your site has been hacked!' or 'Your hosting will be suspended.' These contain links to fake login pages designed to steal WordPress admin credentials.

After compromising your site through vulnerabilities, attackers hide phishing pages in directories like /wp-content/uploads/, fake plugin folders, or hidden dot-directories. These pages impersonate banks or services to steal credentials from other victims.

Google will flag your site with a 'Deceptive site ahead' warning, your domain may be blacklisted by email providers, your hosting provider may suspend your account, you may face legal liability, and your SEO rankings will plummet.

Enable two-factor authentication, use a password manager (autofill only works on the real domain), always access wp-admin via a bookmark rather than email links, and train your team to identify phishing emails.

Keep WordPress updated to prevent initial compromise, monitor file changes with a security plugin, restrict file uploads to only necessary types (never allow PHP), run regular malware scans, and register your site with Google Search Console for phishing alerts.
