Safeguard yourself against sneaky WordPress scams.

Phishing is on the rise.

Every day, our inboxes fill up; we empty them, and they fill up again. It seems endless. You might even be lulled into a false sense of security regarding the emails you’re getting. But it’s crucial to be aware and vigilant of the lurking dangers that can await in your inbox, one of which is phishing email scams.

Phishing, akin to the age-old art of fishing, involves cunning attempts to “hook” people into divulging sensitive information, such as passwords or financial details. These deceptive messages often pose as legitimate entities, exploiting trust to trick recipients.

One such phishing scam you, as a WordPress site owner, should be aware of is emails coming from imposters pretending to be WordPress security to try to steal personal and account information. Read on to learn more about phishing scams and how to keep yourself and your site safe.

Did you know?

3.4 billion phishing emails are sent every day.

– ZDNet

Famous phishing attacks.

Cybercriminals use many different methods to fool people through phishing scams. Here are three of the most famous ones that have happened worldwide in the last ten years.

  1. Facebook and Google: A Lithuanian named Evaldas Rimasauskas stole over $100 million from Facebook and Google. Rimasauskas and his co-conspirators created fairly convincing forged email accounts of Taiwan-based Quanta Computer, which actually does legitimate business with Facebook and Google. They sent carefully crafted phishing emails with fake invoices, contracts, and letters from Quanta Computer to employees at both Facebook and Google. They managed to fool employees into paying millions of dollars over a period of two years between 2013 and 2015. 
  2. Ubiquiti Networks social engineering attack: On June 5, 2015, scammers impersonated the CEO and a lawyer of the San Jose-based technology company Ubiquiti Networks and emailed the Chief Accounting Officer of the company’s Hong Kong-based subsidiaries, asking for a series of transfers to close a secret acquisition. Over the next 17 days, 14 wire transfers totalling an estimated $46.7 million were made to accounts in Russia, Hungary, China, and Poland.
  3. The “Google Docs Phishing Scam” of 2017: Cybercriminals exploited Google’s authentication system. Victims received seemingly innocuous emails inviting them to collaborate on a Google Doc. However, the link led to a deceptive third-party app seeking access to users’ Google accounts. The scam quickly spread, affecting millions and highlighting the vulnerability of widely used platforms to crafty phishing tactics.

The email is coming from inside the house.

As mentioned above, scammers may try to hook you by impersonating brands and sending you emails about your site: anything from your marketing and your domain to SEO prompts and hosting issues or upgrades.

In particular, hackers and other malicious agents might impersonate security teams and scare you into thinking that your account has been hacked or is in danger of being hacked later. 

Lately, WordPress has seen a rise in the latter. Emails impersonating both the “WordPress team” and the “WordPress Security Team” have been attempting to convince web admins to install a plugin on their site that contains malware.

WordPress has clarified, “The WordPress Security Team will never email you requesting that you install a plugin or theme on your site and will never ask for an administrator username and password.”

[Image: WordPress Security Team alert on impersonation scams] WordPress warns users about phishing scams impersonating the WordPress Security Team.

Double-check to stay safe.

Note that the WordPress Security Team only communicates with WordPress users through the WordPress News site and the Making WordPress Secure blog.

If you do get an official-looking email from WordPress, always check for these two things:

  1. Official WordPress emails only ever come from the “@wordpress.org” or “@wordpress.net” domains.
  2. If you click through to the sender details, they should always say “Signed by: wordpress.org.”

If either of these checks fails on an email from someone claiming to be from WordPress, don’t click on anything in the email and do not respond to it. Instead, report it as a scam to your email provider.

Plug it in, plug it in.

Regarding plugins, the WordPress Plugin team will never contact you directly, but it may email a plugin’s support staff, owners, and contributors. If you are one of those three and receive such an email, apply the checks above. The sender will be [email protected].

Quick hits about plugins:

  • All official WordPress plugins live at wordpress.org/plugins.
  • There are internationalized subdomain versions, such as fr.wordpress.org/plugins, en-au.wordpress.org/plugins, etc.
  • Subdomains may contain a hyphen, but there is always a dot immediately before wordpress.org.
  • Site admins can also access the plugin repository via the Plugins menu on their WP dashboard.
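The two email checks and the plugin-URL rules above can be turned into a small screening helper. This is an added example, not code from the original post or from WordPress; it assumes the sender address and the “Signed by” domain are taken from the mail headers, and it additionally requires https for plugin links (an assumption, not something the post states).

```python
# Added example: screen a sender address and a plugin link against the rules
# in the post. Not WordPress code; a defender's helper for triaging suspicious mail.
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domains the post says official WordPress mail always comes from.
OFFICIAL_SENDER_DOMAINS = {"wordpress.org", "wordpress.net"}
# Domain the post says the "Signed by:" line should show.
EXPECTED_SIGNER = "wordpress.org"
# Host of the plugin directory; localized versions are dotted subdomains of it.
PLUGIN_HOST = "wordpress.org"


def sender_domain(header_value: str) -> str:
    """Lowercase domain of a From: header value ('' if there is no address)."""
    _display_name, addr = parseaddr(header_value)
    local, sep, domain = addr.rpartition("@")
    return domain.lower() if sep and local else ""


def is_official_sender(header_value: str, signed_by: str = "") -> bool:
    """Both rules from the post must hold: exact official domain and signer.

    The domain must equal wordpress.org or wordpress.net exactly, so lookalikes
    such as wordpress-org.com or wordpress.org.phish.example fail.
    """
    return (sender_domain(header_value) in OFFICIAL_SENDER_DOMAINS
            and signed_by.strip().lower() == EXPECTED_SIGNER)


def is_official_plugin_url(url: str) -> bool:
    """True only for https://wordpress.org/plugins... or a dotted subdomain.

    The host must be wordpress.org or end with '.wordpress.org', so there is
    always a dot before wordpress.org: en-au.wordpress.org passes, while
    en-au-wordpress.org, wordpress.org.evil.example and a userinfo trick such
    as https://wordpress.org@evil.example/ all fail. The https requirement is
    an assumption added here.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    on_wp = host == PLUGIN_HOST or host.endswith("." + PLUGIN_HOST)
    in_plugins = parts.path == "/plugins" or parts.path.startswith("/plugins/")
    return parts.scheme == "https" and on_wp and in_plugins


if __name__ == "__main__":
    # Constructed sample values, not real messages.
    print(is_official_sender("WordPress Security <security@wordpress.org>", "wordpress.org"))
    print(is_official_plugin_url("https://en-au-wordpress.org/plugins/"))
```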

Protecting your WordPress site.

Now that you know what to look for in email impersonation schemes from WordPress, we have some proactive steps to help fortify your site’s security.

  1. Enable two-factor authentication (2FA): Adding an extra layer of authentication significantly enhances your site’s security. Enable 2FA to ensure that even if your password gets compromised, an additional step is required for access.
  2. Regularly update plugins and themes: Outdated plugins and themes are easy entry points for hackers. Keep your WordPress installation, plugins, and themes up to date to patch vulnerabilities and ensure optimal security.
  3. Use strong passwords: Implementing solid and unique passwords for your WordPress admin, database, and hosting accounts is fundamental to thwarting unauthorized access attempts.
  4. Install a security plugin: Think about using a reputable security plugin that provides features like malware scanning, firewall protection, and activity monitoring. These plugins can act as an additional line of defence against potential threats.
  5. Educate your team: If your company has a team managing your WordPress site, ensure they are educated about security best practices and the potential risks associated with phishing scams.