Array / 8 min read

WordPress phishing: what it is and how to protect your site.

A WordPress phishing attack manipulates WordPress site users and admins into giving personal information or performing unsafe actions. It’s a common cybersecurity issue and one of the most prevalent in the WordPress environment.

Often, attackers send emails using official accounts from your site or fabricate emails that look like they were sent from your site’s domain. Other times, they gain backdoor access to your site through a brute force attack or another type of hack. Then they use their newfound authority to create authentic-looking pages where users can input personal information.

This article will explore what WordPress phishing attacks are, how common they are, and what attackers can gain from them; it also explores nine strategies to avoid them.

What is phishing?

Illustration of an email

Phishing is a social engineering attack aimed at stealing information such as usernames and passwords, credit card numbers, intellectual property, and more. The attackers usually send emails impersonating trusted people or organizations to get victims to expose their personal information unintentionally.

“Social engineering” attacks exploit human psychology and behavior to get people to do things and reveal information they otherwise wouldn’t. In phishing attacks, victims receive instant messages, text messages, or emails posing as trusted entities. The messages contain a malicious link that, when clicked, leads to the theft of personal information.

For example, if they don’t change it, someone may receive an email saying their account password will expire in one day. Suppose an attacker poses as the company behind the website the password corresponds to (such as a university). In that case, they can direct them to a fake password recovery system that steals the information they input.

How common are phishing attacks in WordPress?

According to Sucuri’s 2021 security report, phishing malware was the 5th most common type of malware infection among the websites they cleaned up with SiteCheck, their malware removal tool. 7.39% of infected websites had at least one phishing malware signature.

About 95% of SiteCheck’s users use WordPress as their CMS, so their report approximates how common the problem is in the WordPress environment.

According to this report, phishing attacks generally target login credentials for cloud services such as Microsoft Office and Adobe, but also financial institutions and popular services such as Netflix. The stolen passwords are later used for credential stuffing attacks, the reuse of stolen credentials to use brute force to crack even more accounts.

Wordfence’s 2022 WordPress security report indicates that sophisticated attackers use phishing, among other techniques, to steal information. Less commonly, attackers may use phishing to get users to reveal multi-factor authentication codes, gaining access to their accounts.

Types of phishing

A hooded man coding

Spear phishing

This phishing attack is aimed at members or employees from a specific organization, institution, or company. It requires inside knowledge about the organization, its power structures, financial practices, and more.

Attackers usually craft authentic-looking emails posing as high-ranking members of the organization. The emails may encourage members and employees to perform a specific action, such as clicking on a malicious link where their credentials will be compromised or transferring company funds.

In 2015, wireless products company Ubiquiti Networks lost $46 million due to attackers impersonating executives in emails that instructed finance personnel to transfer money to offshore accounts.

Email phishing scams

These attacks are aimed at larger numbers of people than spear phishing attacks and are more of a numbers game: if attackers send it to enough people, at least some of them will take the bait.

The above example about attackers tricking university students into giving up their usernames and passwords is a case of an email phishing scam. The attack is still confined to the scope of a university, and the attackers still craft authentic-looking. Still, it’s less specific because it’s sent to a large pool of victims rather than members of a particular department.

What do attackers gain from phishing?

A hooded man writing code from the back

With phishing attacks, attackers can gain large sums of money or confidential information. The most common motivations for phishing attacks are:

  • Stealing login credentials and potentially using them to gain personally identifiable information (PII) about users, such as credit card numbers.
  • Using stolen credentials to make unauthorized purchases or move funds.
  • Performing identity theft with stolen credentials.
  • Impersonating trusted organizations and individuals to convince others to give up PII.
  • Stealing intellectual property.
  • Spreading malware through malicious links.
  • Tricking users into giving up multi-factor authentication codes and accessing their accounts.
  • Adding stolen credentials to their backlog, which they can use to perform future stuffing attacks.
  • Gaining a foothold in an organization’s inner systems as part of a multi-layered cyberattack, such as performing a website defacement and asking for ransom.

How to protect your WordPress site from phishing attacks? 9 strategies

Identify phishing pages on your website

If attackers gain unauthorized admin access to your site through some type of cyberattack, they may sneakily create phishing pages from where they funnel user information. These pages are usually hidden, fraudulent payment or login pages since this is the most valuable information for hackers.

Be aware of pages you didn’t authorize that ask for personal information.

Deploy multi-factor authentication (MFA)

A multiple-factor authentication is a form of access control that allows access only after the user has provided two or more different proofs of identity. The first proof of identity is the password/username combination. The second proof varies. It can be a second password that changes periodically, a verification code sent to your email address or any other verification form.

Use a web application firewall (WAF)

WAFs are evolutions of the traditional hardware firewalls that only control data flow at the IP address and transport protocol levels. WAF can filter attacks performed at the application level, where applications run code and perform functionality on the web server. 

Many WordPress security plugins include WAFs in their plans. Explore security plugins that have them or dedicated WAF plugins.

Filter incoming phishing emails.

Filtering phishing emails is one of the best ways to minimize their potential harm. Some ways to reduce phishing emails include the following:

  • Use a filtering or blocking feature built into your email provider or a specialized service. Make sure filtering is on for all users by default.
  • Check all incoming emails for malware, scams, and phishing.
  • Fine-tune filtering and blocking rules. Filtering means suspicious emails end up in the spam folder. Blocking means they are dropped completely. Finding a compromise between the two will be key for enforcing security and avoiding dropping legitimate emails.

Reduce the information attackers have access to

Especially in spear phishing campaigns, attackers need access to a certain amount of information about your organization’s power structure and inner workings. If you reveal too much information about your founders and higher-ups, they may be able to falsify emails and exploit the trust of other members.

Carefully consider the information you make public by determining how much legitimate users need to know and avoiding sharing the rest.

Use anti-spoofing controls

Deploy email anti-spoofing and verification protocols such as Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC).

These protocols guarantee to others that the emails you send from your domain’s addresses are authentic and safe.

Spread cybersecurity awareness among members of your organization

Educate your team members about the warning signs of phishing emails, but don’t expect them to recognize every phishing email or to be 100% vigilant of phishing 24/7. Even experts have fallen victim to phishing.

Phishing countermeasures are more effective when automated since they can tag suspicious traffic better than any human could. Assure them that phishing is hard to spot because it is designed to be that way. Combining automation and cybersecurity awareness will greatly reduce the threats phishing poses.

Remove backdoors

Backdoors attacks are a common security threat in the WordPress environment. Some measures you can take to minimize successful backdoor attacks include:

  • Perform a backdoor scan with plugins such as MalCare, iThemes Security, and Bulletproof Security.
  • Inspect core directories for suspicious files. Directories and files commonly used by attackers include the wp-themes folder, the wp-plugins folder, the uploads folder, the wp-includes folder, and the wb-config.php file.
  • Avoid vulnerable and unmaintained plugins and themes.
  • Use strong, unique passwords for all team members.
  • Limit login attempts to your site.
  • Keep your WordPress core and PHP versions updated.

Install SSL certificates

SSL certificates encrypt the data exchanged between users and your WordPress site. Many web hosts offer SSL certificates, so explore whether your plan already includes it. Otherwise, consider changing web hosts.

SSL certificates make browsing more secure and increase your website’s overall SEO ranking.


Phishing is a common security problem for WordPress site admins and users. Since it exploits human psychology and social behavior by appealing to us through seemingly trusted channels, it can take much work to spot.

By following these recommendations, your WordPress site will be safer from phishing attacks, allowing you to protect your reputation, website integrity, and users’ personal information.

If you found this article helpful, read our blog for more WordPress guides, tips, and tricks.