Placeholder canvas

15+ Types of WordPress Phishing Attacks: Removal and Prevention Tactics

WordPress has established itself as the go-to platform for developing websites, thanks to its user-friendly interface and exclusive plugin ecosystem. However, its popularity has also attracted cybercriminals who exploit vulnerabilities for malicious purposes. One common threat is phishing attacks, which can compromise your site’s security and reputation. In this blog, we’ll delve into what WordPress phishing attacks are, how to remove phishing from your site, and essential preventive measures to safeguard your online presence.

Understanding WordPress Phishing Attacks

Phishing refers to an online scam where hackers masquerade as legitimate entities, tricking victims into revealing sensitive information or downloading malware. The term is analogous to “fishing,” as both involve baiting and waiting for a response. Phishing attacks involve tricking users into divulging sensitive information such as usernames, passwords, and financial details. Attackers often send deceptive emails or create fake login pages that appear genuine. Once users enter their information, cybercriminals gain unauthorized access to accounts or inject malicious code into websites.

According to the statistics by Statista recorded in 2022, around 30 percent of adults worldwide encountered phishing scams. During that year, Vietnam experienced the highest proportion of internet users targeted by phishing attacks. Additionally, the global count of distinct phishing sites surpassed 1.35 million.

phishing attack
phishing attacks

Examples of Phishing Attacks

Email Spoofing

Email spoofing entails sending messages that appear to originate from a genuine sender, such as a bank or online service provider. These messages often contain urgent pleas for recipients to click on a link and furnish their login credentials, personal details, or credit card information. The link guides users to a fraudulent website aimed at harvesting their data.

Email Spoofing
Source: NJCCIC


Clone Phishing

Clone phishing attack involves crafting a duplicate of a valid website or communication, frequently utilizing stolen content. Cyber attackers subsequently dispatch emails or messages that seem to emerge from a reliable source, duping users into clicking malevolent links or downloading harmful attachments.

Clone Phishing
Source: Threatcop 

Domain Spoofing

Domain spoofing is a strategy wherein attackers manipulate the sender’s email domain to create the illusion that the message emerges from a legitimate source. This ploy is used to mislead recipients into believing they are receiving an email from a trustworthy entity, even though it’s an illicit endeavor.

HTTPS Phishing

HTTPS phishing exploits secure connections (HTTPS) to deceive users into believing they are accessing a safe website. Malefactors might employ counterfeit SSL certificates to establish an apparently legitimate setting, winning users’ confidence and coaxing them into divulging sensitive information.

Source: Sectigo



Smishing, or SMS phishing, involves sending fraudulent text messages to users, often with a sense of urgency or a tempting offer. These SMSes may contain links to malicious websites or prompt users to reply with personal information.

Source: Proofpoint 

Spear Phishing

 Spear phishing is a targeted scheme of phishing where attackers tailor their messages to a specific individual or organization. They gather information about the target to make their emails or messages more convincing and increase the likelihood of success.

Spear Phishing
Source: Imperva



Vishing, or voice phishing, occurs when attackers use phone calls to impersonate legitimate entities, such as banks or government agencies. They attempt to manipulate recipients into revealing sensitive information or performing actions that compromise security.

Watering Hole Phishing

Watering hole phishing involves targeting websites that a specific group of users frequently visit. Attackers compromise these websites and inject malicious code. When users visit the compromised site, they unknowingly download malware onto their systems.

Credential Harvesting 

Attackers create fake login pages that closely mimic the legitimate ones of popular websites or services. Unsuspecting users enter their usernames and passwords, unknowingly giving away their credentials to the attackers.

Credential Harvesting 
Source: Imperva 

CEO Fraud 

Also known as “whaling,” this attack targets high-ranking executives within organizations. Attackers impersonate CEOs or other senior leaders and send emails to employees requesting sensitive information or fund transfers.

CEO Fraud 
Source: It Governance, USA

Phishing via Social Media

Attackers create fake social media profiles and interact with users to build trust. They then send messages containing malicious links or attachments, luring users into divulging personal information or clicking on harmful content.

Phishing via Social Media
Source: Global Sign

Malware Distribution 

Attackers send emails with infected attachments or links to malicious websites. When users open the attachment or click on the link, malware is downloaded onto their devices, allowing attackers to gain control over their systems or steal sensitive data.

Banking Scams

In these scams, attackers send emails claiming to be from a bank, warning users of suspicious activity on their accounts. The email prompts email owners to click on a link to verify their account information, which leads to a fake website developed to steal their credentials.


Attackers manipulate DNS settings to redirect users from legitimate websites to malicious ones without their knowledge. This method allows attackers to capture sensitive information directly, even if users enter the correct URL.

Source: Protectimus

Invoice Scams 

Attackers send fake invoices or payment requests to individuals or businesses, often appearing to come from legitimate vendors or service providers. These invoices contain malicious links or attachments that, when clicked, can lead to credential theft or malware installation.

Invoice Scams 
Source: PhishLabs

Gift Card Scams

Attackers impersonate someone the victim knows, like a family member or coworker, and ask for gift cards to be purchased and sent. The victims believe they are helping someone they trust, but in reality, they are falling for a scam.

Gift Card Scams
Source: Chapman Newsroom


Emergency Scams

Attackers send emails or messages claiming a loved one is in trouble or danger and need immediate financial assistance. This preys on the victim’s emotions and urgency to manipulate them into sending money.

Source: Aura

It’s important to stay vigilant and cautious when interacting with emails, messages, or websites, especially if they request personal information, financial details, or immediate action. Always verify the source before taking any action and be wary of unsolicited communications.

Phishing Scheme Targeting WordPress Sites 

Distinguished from prior phishing campaigns, this new attack method capitalizes on fraudulent emails that convincingly mimic authentic WordPress notifications. These emails prompt users to promptly update their databases.

Recent findings by WP experts expose a novel phishing attack directed at WordPress sites. The strategy involves deploying fabricated database update notifications, posing significant risks to website owners. In contrast to earlier phishing endeavors, attackers ingeniously replicate genuine WordPress appeals within their emails, coercing users into taking immediate database update actions.

Employing typography and layout resembling legitimate WordPress update messages, coupled with a footer reminiscent of parent company Automattic’s branding, cybercriminals endeavor to entice users into clicking the “Update” button. Subsequently, users are prompted to provide their login credentials, followed by requests for website and administrator names. Notably, these deceitful emails contain numerous grammatical errors, coupled with the urgency of an impending “deadline,” elements incongruent with the norms of WordPress or general hosting providers.

phishing attack
Source: Astra Security


Identified as the “database_upgrade_phishing_message,” this campaign allows hackers to acquire usernames, passwords, and website URLs, furnishing them with the ammunition to deface site content and distribute malware to users. Furthermore, complete access to WordPress sites empowers malicious actors to embed backdoor access, thereby establishing unhindered entry at their convenience. Consequently, businesses may witness sudden dips in site traffic or find themselves blacklisted by prominent search engines.

Identifying Phishing Attack on Your WordPress Site

  • Check for Suspicious Emails: If users report receiving unusual emails requesting login information or payment details, it could indicate a phishing attack.
  • Identifying malicious code: It’s important to review the code to determine whether your WordPress site has been compromised. Such code might be inserted into shopping cart pages, sending customers to counterfeit payment portals instead of legitimate ones. Additionally, be on the lookout for a file named password.txt, designed to gather data for hacking purposes.
  • Check for hidden pages/files: The hidden pages will exist separately within the CMS, containing branding elements, but they won’t be the pages you’ve authored. The files you’re seeking are likely organized together in groups, often residing within a directory named after the organization. Frequently, we come across phishing pages containing .htaccess files that prevent search engines, malware scanners, and certain hosting providers from indexing them.
  • Verify URL: Regularly check your site’s URL to ensure it matches your actual domain. Phishing sites often use similar URLs to deceive visitors.
  • Monitor User Accounts: Keep an eye on your user list for any unauthorized or suspicious accounts that might have been created by attackers.
  • Scan for Malware: Utilize security plugins or online tools to scan your website for suspicious and malicious code.
  • Google blacklisting: Encountering a Google blacklist warning when accessing your website indicates that Google has identified harmful behavior after analyzing your site. This is often a result of the presence of phishing pages on your WordPress site.

Removing Phishing from Your WordPress Site

  • Change All Credentials: Immediately change passwords for all user accounts, including admin, FTP, and database access.
  • Delete Suspicious Accounts: Remove any unauthorized or suspicious user accounts from your site’s admin panel.
  • Review and Remove Malicious Code: Carefully examine your site’s code, themes, plugins, and corrupted files for any injected malicious code. Delete or replace affected files.
  • Restore from Clean Backup: If possible, restore your site from a backup taken before the attack occurred. This will help eliminate any injected malicious elements.
  • Google blacklisting; Notify Google to review your website and eliminate the black warning. Typically, the removal process takes around 72 hours. If your site was associated with phishing, you’ll need to submit a reconsideration application mail via Google Webmaster Tools.

Preventing Future Phishing Attacks

  • Keep Software Updated: Regularly update WordPress core, themes, and plugins to close known security vulnerabilities.
  • Choose Reliable Sources: Install plugins or themes only from reputable sources, and keep the number of plugins to a minimum to reduce phishing attack surfaces.
  • Implement Two-Factor Authentication (2FA): Require users, especially administrators, to authenticate via 2FA for an extra layer of security against phishing attacks.
  • Use SSL Encryption: Install an SSL certificate to encrypt data transmission between users and your site, deterring attackers from intercepting sensitive information.
  • Educate Users: Train your users to identify phishing attacks and report suspicious activities promptly.
  • Employ Security Plugins: Use security plugins that offer features like malware scanning, firewall protection, and intrusion detection to build a security wall against phishing attacks.
  • Regular Backups: Maintain up-to-date backups of your site, so you can quickly restore it to a clean state in case of a phishing attack.

Also Read: WordPress Security Checklist: 15 Ways To Secure Your WordPress Website 


WordPress phishing attacks pose a significant threat to your website’s integrity and the trust of your users. By understanding how phishing attacks occur, promptly removing any phishing elements, and adopting preventive measures, you can safeguard your site and maintain a secure online presence. Stay vigilant, keep your software updated, and educate yourself and your users about the risks and best practices to enjoy a safe and thriving WordPress website.

Want faster WordPress?

WordPress Speed Optimization

Try our AWS powered WordPress hosting for free and see the difference for yourself.

No Credit Card Required.

Whitelabel Web Hosting Portal Demo

Launching WordPress on AWS takes just one minute with Nestify.

Launching WooCommerce on AWS takes just one minute with Nestify.