WordPress phishing attacks aim to defraud your users and gain control over your website. They’re incredibly challenging to spot, so they can have a significant impact, potentially tanking customer perception and your ranking on search engine results pages.
Table of Contents
What Is a WordPress Phishing Attack?
During a WordPress phishing attack, scammers use a WordPress website to host malicious activity or defraud users of their personal information. The goal is usually to gain control of the website to use it for distribution or farm valuable data.
As of 2021, nearly 40% of websites rely on WordPress, making it a popular target for scammers. They often seek easy targets with few security measures or deploy bots to increase their attack’s reach.
You’d be right in assuming it’s becoming more common — there was a 61% increase in phishing from 2021 to 2022, totaling 255 million attacks. To keep yourself safe, you must know how to detect, stop and prevent them.
What Kinds of WordPress Phishing Attacks Exist?
The three main kinds of WordPress phishing attacks are email, webpage and add-on.
Most phishing attempts pass through email inboxes, appearing like legitimate messages from WordPress’s parent company. While you can usually tell they’re not genuine if you look close enough — they often contain misspellings and poor grammar — modern technological advancements like generative artificial intelligence make them look more realistic.
New kinds of phishing scams pop up regularly. For example, a specific type of phishing involving fraudulent copyright infringement messages appeared in 2022. The scammer sends an email with legal jargon, claiming some website content infringes their official intellectual property.
The aim is to get you to click on a link or enter their login information in a form to view the details of the accusation, which lets the scammer steal the administrative credentials to your website. Other phishing attempts may look like update requests, notifications or tech support.
Scammers can use stolen credentials or hijack sessions to gain access, letting them change your website. They can add fake pages to mimic existing ones, create new malicious ones, make pop-ups appear or redirect people to malicious websites. The goal is to steal personally identifiable information or credentials from users.
Many phishing attempts utilize themes and plugins because they’re popular and accessible, increasing the chances of success. While some are outright malicious, many simply have vulnerabilities that give scammers an advantage.
For example, vulnerabilities in a single WordPress plugin allowed users to reset anyone’s account — including administrators — ultimately affecting over 1 million websites in 2022. As long as they knew the username, they could use the password reset function to access the account without a validation key.
Can You Tell If Your WordPress Site Is Impacted?
Although phishing attempts are subtle, you can tell if your WordPress website has been impacted. Here are some clear signs of WordPress phishing to look out for:
- Google blocks the site: Google abruptly removes you from the search engine results page if it suspects your website of phishing.
- Sudden drops in traffic: Since phishing pages redirect users away from your website, you see an unexplainable decrease in traffic.
- Inability to log in: Administrator or user login information won’t work if a scammer has stolen the credentials and changed passwords.
- Unusual user activity: Unusual user activity can indicate malicious behavior.
- Popups appearing: Phishing attempts often use popups to trick people into thinking your website has a sale or special offer. While these are easier to spot, they’re more likely to get many victims quickly.
- Upticks in password requests: Users often forget their login information, but a sudden flood of user password resets suggests phishing is occurring on your website.
These actions may not tie directly to phishing alone, but you should be wary if you experience multiple simultaneously.
How Do You Find WordPress Phishing Attempts?
Although it can be challenging to spot WordPress phishing attempts because scammers do their best to hide their activity, they’ll always leave a trace. Administrators can look through “wp-content” files in the root directory or use a tool to scan for malicious redirects.
It may be challenging to find these files, considering the whole point is to keep them hidden. However, you can find what you need if you look for suspicious or unfamiliar text.
Be aware there will likely be multiple malicious files, even if only one phishing attack occurs — they need separate ones to fake a page and collect user data. Removing them is simple because scammers often group them, making it easier to get rid of everything on your first attempt.
Steps to Remove WordPress Phishing Attempts
Follow these steps to remove WordPress phishing files and stop the attack.
1. Put Website into Maintenance Mode
Putting your website into maintenance mode is the first step you should complete. It makes your job easier and prevents more people from falling victim to phishing attacks.
2. Make a Backup
Back up your website’s files so you have a safe copy somewhere. On top of being a basic cybersecurity method, it’s also helpful when you need to reference the original to compare the changes you make.
3. Download Files Locally
Download all files locally to analyze them manually. Keep an eye out for redirects or suspicious image files. While you can use a scanning tool, it might not pick anything up because they don’t technically contain malicious content.
4. Review all Content
Review every file to spot any suspicious or new ones. You can use a scanning tool or a security plugin to save time, but this method is the most secure. Although it’s a tedious process, it’s thorough.
5. Remove Suspicious Files
Remove every suspicious file and compare your backup to your finished product to see the extent of your work. At this point, it’s wise to uninstall all plugins, themes and even WordPress itself. You can reinstall them after you verify their legitimacy and security.
Can You Defend Against WordPress Phishing?
Although no method guarantees 100% prevention, you can increase your protection against WordPress phishing. Here are some of the best security tips:
- Have user password requirements: Combinations of capital letters, numbers and special characters can prevent phishing attacks because they increase password strength. With this approach, it’s much harder for attackers to perform a brute-force login.
- Use an SSL certificate: An SSL certificate and forced HTPPS redirection encrypt connections, protecting online transactions between the host and client.
- Require MFA: Even if an attack is initially successful, multi-factor authentication prevents the scammer from logging in. Additionally, it acts as proof of a phishing attempt.
- Hide the admin page: Unless you hide your admin page, anyone can view it if they add “/wp-admin” or “/wp-login-php” to the end of your website’s URL. To prevent this, alter WordPress installation files with a text editor or use a security plugin.
- Install a security plugin: Security plugins provide a fast, accessible way to protect your website if you verify their integrity and update them frequently.
While improving your overall cybersecurity is best, these tips focus on phishing prevention. Bots and scammers looking for easy targets are much less likely to go after you if you implement them.
Prevent WordPress Phishing
Although WordPress phishing attacks grow more common, you can defend against them. As long as you enhance your security measures and know what to keep an eye out for, you can protect your website and your users.