As a principal weapon in the hacker’s arsenal, phishing attacks have stood the test of time, remaining a constant threat in the ever-evolving realm of cyberattacks. For years, hackers have relied on the deceptive art of social engineering to exploit human vulnerabilities and acquire sensitive information.
From its modest beginnings to today’s highly targeted and sophisticated attacks, WordPress phishing continues to wreak havoc on businesses and individuals alike. Furthermore, the covert nature of WordPress phishing has made it increasingly difficult to identify and mitigate the attack in a timely manner. Disguised as legitimate web pages, WordPress phishing is designed to operate under the radar without raising any suspicions from the website owner and even the most powerful malware scanners.
In this guide to WordPress phishing attacks, we will delve into the inner workings of WordPress phishing, exploring the common techniques hackers use to deceive unsuspecting users and business owners. We will equip you with the knowledge required to mitigate phishing attacks promptly, stay one step ahead of an attacker’s cunning schemes, and fortify your defenses against this formidable threat to WordPress security.
Phishing Attacks are the Leading Social Engineering Attack Vector
Phishing is a broad term that describes several social engineering techniques cybercriminals use to acquire sensitive information. Derived from the word “fishing”, this social engineering attack vector focuses on using bait to trick victims into giving up personally identifiable details such as usernames and passwords. A carefully crafted bait in the form of a web page, often delivered via email, is all it takes to deceive the unsuspecting individual and lure them into the trap.
Phishing attacks are designed to induce a sense of urgency, manipulating the victim into taking immediate action without checking the legitimacy of the request. Provoking an impulsive response in the targeted individual, cybercriminals attempt to distort the victim’s rational thinking and exploit the natural tendency to react quickly in urgent situations. The attacker’s main goal is to create a situation in which the victim will willingly divulge personal information or perform other harmful actions while not fully realizing it.
Time-sensitive situations, such as a serious security threat or a limited offer, make a perfect basis for a phishing attack. For example, a user can receive an email prompting them to reset their account password due to it having been leaked. The email looks like it came from a trusted source and contains a link to a web page identical to the login page of the legitimate service the victim actively uses. Little does the individual know that the login details they enter will go straight to the attacker.
The ease of execution and high success rates allow phishing to remain the leading social engineering attack vector and one of the most common techniques used for credential harvesting.
The Information Phishers Seek
Phishers are after all kinds of sensitive user-identifiable details that can help them impersonate an individual or conduct identity theft. Phishing attacks are simply a gateway for various forms of malicious exploitation that leverage sensitive data. One of the most common types of information phishing attacks aims to obtain include:
- User credentials. Account credentials, such as usernames and passwords, are the main target of phishing attacks.
- Credit card details. In pursuit of financial gain, hackers can steal credit card information, subsequently verifying the collected data through carding attacks.
- Personally identifiable information. This includes details such as social security numbers, addresses, and phone numbers.
- Financial information. Collecting bank account numbers and online banking credentials allows cybercriminals to conduct fraudulent transactions.
As you can see, phishing is a highly versatile tool in the hacker’s toolkit. Using social engineering techniques, cybercriminals can easily acquire sensitive information without any sophisticated schemes involved.
From Creation to Distribution: Understanding Phishing Attack Execution
The execution of a phishing attack typically involves two stages: creating a deceptive phishing page and distributing it to potential victims. In the first stage, a cybercriminal chooses the target of the attack and puts effort into creating a credible phishing scenario. The second stage is dedicated to finding the best way to deliver the bait to the victims and maximize the chances of the attack’s success by tailoring the social engineering attempt to appear legitimate and enticing.
Choosing the Victim
Attackers choose their targets for phishing attempts based on various factors, which include the potential value of the information that can be obtained and the chances of successfully deceiving the victim. One of the key factors influencing the decision-making in phishing attacks is the level of access the attacker seeks to obtain their end goal.
Choosing the Attack Method
Cybercriminals may have different motives, ranging from defrauding individual users by gaining access to their accounts to acquiring administrative privileges that would enable them to seize control over the targeted service and compromise the entire system. The extent of the desired access shapes their strategy and determines the specific tactics used in the phishing attack. Based on the attacker’s objectives, the three main phishing attacks are mass phishing, spear phishing, and whaling.
- Mass phishing. Mass phishing attacks are broad-scale campaigns that target a large number of users of a well-known organization or service. Striving to deceive as many victims as possible, attackers cast a wide net, hoping at least some users will fall for the scam and give away their account credentials and other personal information.
- Spear phishing. Spear phishing attacks are more targeted and tailored as attackers carefully select specific individuals or organizations as their targets. Cybercriminals conduct extensive research to gather information about their victims and use this knowledge to develop highly personalized approaches.
- Whaling. Whaling is an amplified version of spear phishing that targets high-profile individuals with significant organizational access and authority. Whaling phishing attacks often aim to trick victims into disclosing sensitive corporate information or authorizing fraudulent transactions.
Having chosen their victims, attackers then create web pages that closely resemble the login page of a targeted website or service, such as an online banking portal, social media platform, cloud storage, or email provider. Such fraudulent web pages are designed to replicate the appearance and functionality of legitimate websites or online services to trick users into believing they are interacting with a trusted resource. By creating static web pages and including stylesheets, images, and other visual elements copied from legitimate resources, cybercriminals make the phishing page appear indistinguishable from them.
Phishing Attack Distribution
After creating a carefully crafted phishing page, it must be distributed among the attack’s victims. The fraudulent page is uploaded to a web resource that the attacker controls, either a compromised website or a website specifically set up for this purpose. Subsequently, the fraudulent content is disseminated through various channels, including email and messaging platforms.
Cybercriminals often register domain names that resemble those of legitimate services to make the phishing page more convincing — a malicious technique commonly known as domain name spoofing. The utilization of domain spoofing often increases the success rates of phishing attacks, making the fraudulent web page appear more enticing and credible.
Although domain spoofing is effective, it introduces additional costs that hackers normally want to avoid. Using hacked websites to host phishing campaigns or acquiring free domain names and taking advantage of hosting platforms offering free trials is cheaper and helps the attacker to hide their identity better.
One of the most commonly used ways of distributing phishing campaigns is email. As one of the most popular communication channels, email offers extensive customization options, allowing attackers to manipulate the appearance of phishing emails to create visually convincing requests. Moreover, email accounts are relatively easy to obtain from public sources, which eliminates the need to hack into private databases.
What is WordPress Phishing?
WordPress phishing involves the utilization of WordPress sites as either hosts or distribution channels for phishing attacks or targeting WordPress website owners as the primary victims.
WordPress phishing attacks are remarkably versatile, which enables them to serve as effective tools for achieving various malicious objectives. Attackers can employ social engineering techniques to defraud your customers and obtain WordPress admin credentials, allowing them to seize control over your website and use it as a platform for facilitating further attacks.
3 Main Types of WordPress Phishing Attacks and How to Defend Against Them
WordPress phishing encompasses three primary types of attacks that may affect your WordPress website at different times. Let’s examine how hackers can exploit your WordPress website and use social engineering against you and your customers.
WordPress Phishing Attacks Targeting You as a Business Owner
Hackers often use phishing attacks to gain unauthorized access to WordPress websites. Using social engineering techniques eliminates the need to identify and exploit WordPress vulnerabilities in order to take control of a website. Instead, an attacker will try to manipulate you into giving away your WordPress admin credentials or perform another harmful action that will expose your website and potentially personal devices to malicious exploitation.
Fake Upgrade Notifications and Security Alerts
One of the most prominent techniques used by hackers is using fake WordPress update warnings or security notifications, prompting website owners to act quickly in an attempt to mitigate security risks. Carefully crafted warnings are delivered to WordPress users’ mailboxes, giving the impression that they were sent from WordPress.
In this type of WordPress phishing attack, hackers often employ email spoofing techniques, manipulating the email address the message originated from and incorporating a seemingly legitimate link that includes the domain name of your WordPress site within the URL. The website owner is expected to click on the link to install updates or address a vulnerability. In reality, they will be granting access to their website to the attacker through meticulously designed cross-site request forgery involving session hijacking. The exceptional credibility of these WordPress phishing emails, combined with the devastating consequences they can unleash, makes this type of WordPress phishing attack the most perilous.
WordPress Will Never Ask You to Update Software
By default, WordPress does not send any notifications of pending core, plugin, or theme updates or unpatched vulnerabilities, but you will still receive some warning messages from your WordPress site. Make sure to examine each email carefully, paying particular attention to the sender’s address and the attached link. All notifications will be displayed within the WordPress admin area of your website, so it is best to log in to it and check for any updates manually or configure automatic software updates and vulnerability patching.
iThemes Security Pro will take care of your WordPress core, plugin, and theme updates. Advanced vulnerability scanning will automatically identify and address any security flaws on your WordPress website caused by outdated software and notify you if anything needs your attention. Two-factor authentication or passwordless authentication based on passkeys, combined with robust session hijacking protection, will eliminate the possibility of an attacker seizing control over your WordPress website, even with the correct credentials.
WordPress Phishing Attacks Targeting Your Customers
WordPress phishing attacks don’t just threaten your website and you as a business owner but also your website visitors and customers and their user accounts. Instead of stealing sensitive customer information from your website’s database, hackers may try to trick your customers into entering their user credentials and personal details into a deceptive web page that mimics a legitimate login page of your website. Furthermore, attackers can disguise phishing attempts as sale announcements, exclusive personal discounts, and various other forms of personalized communication.
Detecting an ongoing phishing attack against your customers is rarely possible, leaving them vulnerable to potential threats. Additionally, the primary responsibility of protecting their personal information from social engineering attempts rests on the customers themselves.
The best way to protect your customers’ data from WordPress phishing attacks is to enforce strong password rules and multi-factor authentication for user accounts. Ensure the security of data transmitted to and from your WordPress website by always maintaining a valid SSL/TLS certificate. Installing an SSL/TLS certificate signed by a trusted certificate authority creates a secure communication channel between your website and its visitors, encrypting sensitive information such as login credentials and financial data.
Additionally, you should strictly limit the level of access your customers have to your WordPress website to ensure that they only have the necessary privileges required for their intended actions. This is key to limiting the potential damage that can arise from account-level compromises.
Your WordPress Site as a Platform for Hosting and Distributing Phishing Attacks
WordPress websites are most commonly used as conduits for phishing campaigns in WordPress phishing attacks, providing server resources for hosting fraudulent web pages or facilitating their distribution through email. Your WordPress website is merely utilized as a platform for carrying out phishing attacks without any inherent affiliation to fraudulent activity.
If a WordPress website gets compromised, it is likely to be used to host phishing campaigns. It harms your reputation and can lead to significant financial losses resulting from a drop in traffic due to your WordPress website being placed on the Google Blacklist and subsequently flagged as deceptive.
Hacked WordPress websites are widely used to power different types of cyber attacks, not just phishing. Malware distribution, brute force attacks, and denial of service are frequently carried out through highly distributed methods, leveraging large networks of compromised websites and servers. Such networks of compromised endpoints, known as botnets, amplify the scale and impact of cyber attacks, making them a formidable weapon in the hacker’s arsenal.
Website security matters. Protecting your WordPress website against being used as a platform for hosting and distributing phishing and malware involves taking a multifaceted approach to website protection. Implementing a strong defense-in-depth strategy to fortify the security of your WordPress website is critical in effectively preventing website-level compromises and subsequent data breaches. By incorporating multiple layers of security mechanisms and controls, you create a robust defense system that acts as a barrier that protects your website from being exploited.
Hidden in Plain Sight: Why Malware Scanners Fail to Identify Phishing
Phishing attacks pose a significant threat to WordPress website owners due to their covert nature. Once a WordPress phishing attack is uploaded to your website, identifying and removing fraudulent web pages can become challenging. WordPress phishing attacks are designed to be stealthy. Mimicking legitimate web pages and utilizing the same visual elements and layout, phishing pages may be scattered across multiple directories or hidden within seemingly innocuous files. This makes their detection a complex and time-consuming process, even for experienced WordPress users.
When dealing with website compromises and malware infections, website owners often turn to malware scanners as valuable tools for cleaning WordPress websites. And while modern malware scanners have proven to be indispensable in identifying obfuscated code, code injections, and malicious redirects, they often fall short when it comes to detecting phishing attacks. This is because phishing pages typically do not contain any traditional forms of malicious code, and malware scanners lack the ability to distinguish such fraudulent pages from the legitimate content of the website.
How to Remove WordPress Phishing From Your Website? 3 Main Steps
Being unable to rely on malware scanners to identify WordPress phishing attacks makes removing fraudulent web pages from your website a painstaking and predominantly manual process. You will need to manually review your website files and examine all scripts precisely and carefully. Follow the three-step process below to streamline and expedite detecting and removing phishing attacks from your WordPress site.
Please note that you will need a solid understanding of WordPress and the necessary tools for managing your website components. Working with WordPress files and database tables can be challenging, especially when manually scanning your website for phishing and malware. iThemes training is designed to equip you with the essential knowledge and skills to manage your WordPress site effectively.
Step 1. Examine Your WordPress Website’s Document Root for any Directories with Suspicious Names
WordPress phishing attacks are most commonly found in separate folders within your website’s document root. Phishing pages are often uploaded to WordPress websites in the form of a file archive in .zip or similar formats. Once uploaded, compressed files are extracted into a dedicated directory containing multiple components, including HTML or PHP pages, CSS stylesheets, and images.
Organizing fraudulent content in an isolated directory allows the attacker to separate it from the content you would typically see on a WordPress website. Surprisingly, when hackers create dedicated folders for WordPress phishing attacks, they do not attempt to conceal them, which is often the case with malicious backdoors. Such directories often have names that closely resemble the legitimate service the phishing pages attempt to impersonate.
If you suspect a phishing attack has been uploaded to your WordPress site, review the files and folders in your website’s root directory. The presence of an archive file often indicates the malicious nature of the directory that you do not recognize.
Step 2. Review the Contents of the
wp-content Directory and Individual Plugin and Theme Folders
Although putting WordPress phishing attacks in a dedicated directory in the website’s document root is a common practice, attackers will often employ more sophisticated methods in an attempt to conceal the presence of fraudulent web pages. The WordPress content directory and specific theme and plugin folders within it serve as great hiding spots for WordPress phishing attacks.
Thoroughly examine individual plugin and theme folders inside the
wp-content directory of your WordPress website. Look for suspicious files that do not seem to be part of WordPress core or the original plugin or theme package, especially if they have unusual names or extensions. Pay close attention to PHP scripts and HTML files and note any discrepancies that could indicate the presence of a WordPress phishing attack.
Step 3. Scan Your WordPress Website For Any Malicious Redirects
In addition to uploading WordPress phishing to your website and using it as a platform for hosting fraudulent web pages, hackers may incorporate malicious redirects into legitimate files to divert your website visitors to malicious content without their knowledge or consent.
Identifying and removing malicious redirects requires thoroughly examining your WordPress website’s files and database data. Start by reviewing the files within your WordPress installation, including .htaccess and the main index.php file within the document root folder. Look for any suspicious code that may initiate redirects or modify the behavior of certain website elements.
Furthermore, inspect your WordPress database for any code that could be facilitating the malicious redirects. Pay close attention to the “wp_options” table, as it is a common target for attackers seeking to redirect your website visitors to phishing campaigns. Look for suspicious entries within the
wp-options table containing unfamiliar domain names or incorporating redirect rules you do not recognize.
Protect Your Site Against WordPress Phishing with iThemes Security Pro
WordPress phishing attacks remain a formidable security threat that can significantly affect business owners and their customers. The covert nature of WordPress phishing makes it difficult to recognize as attackers employ increasingly sophisticated techniques to disguise social engineering attempts as legitimate requests, inducing a sense of urgency. Attackers craft convincing messages and create fraudulent web pages that appear trustworthy and closely resemble the appearance of legitimate services. All this helps cybercriminals manipulate unsuspecting victims into revealing sensitive information.
One of the primary responsibilities of every website owner is to provide a safe user experience by keeping their website free of malicious content and phishing attacks. Taking a proactive approach to website security is crucial in safeguarding your WordPress website and its visitors from the devastating consequences of data breaches and malware infections.
iThemes Security Pro and BackupBuddy offer a comprehensive security suite designed to protect WordPress websites from being exploited as breeding grounds for launching phishing attacks and distributing malware. With advanced vulnerability scanning, multi-factor authentication, file integrity monitoring, and flexible backups, the plugins ensure a proactive approach to WordPress website security, allowing you to remain one step ahead of relentless cyber attacks.
Kiki has a bachelor’s degree in information systems management and more than two years of experience in Linux and WordPress. She currently works as a security specialist for Liquid Web and Nexcess. Before that, Kiki was part of the Liquid Web Managed Hosting support team where she helped hundreds of WordPress website owners and learned what technical issues they often encounter. Her passion for writing allows her to share her knowledge and experience to help people. Apart from tech, Kiki enjoys learning about space and listening to true crime podcasts.