Safeguard yourself against sneaky WordPress scams.



Every day, our inboxes fill up, we empty them, and they fill up again. It seems endless. You might even be lulled into a false sense of security when it comes to the emails you’re getting. But it’s crucial to be aware and vigilant of the lurking dangers that can await in your inbox, one of which is phishing email scams.

Phishing, akin to the age-old art of fishing, involves cunning attempts to “hook” people into divulging sensitive information, such as passwords or financial details. These deceptive messages often pose as legitimate entities, exploiting trust to trick recipients.

One such phishing scam you as a WordPress site owner should be aware of is emails coming from imposters pretending to be WordPress security in order to try and steal personal and account information. Read on to learn more about phishing scams and how to keep yourself and your site safe.

Did you know?

3.4 billion phishing emails are sent every day.

– ZDNet

Famous phishing attacks.

There are many different ways that cybercriminals will try to fool people through phishing scams. Here are three of the most famous ones that have happened across the globe in the last ten years.

Facebook and Google

A Lithuanian man named Evaldas Rimasauskas managed to steal over $100 million from Facebook and Google. Rimasauskas and his co-conspirators created fairly convincing forged email accounts of Taiwan-based Quanta Computer, which actually does legitimate business with Facebook and Google. They sent carefully crafted phishing emails with fake invoices, contracts and letters from Quanta Computer to employees at both Facebook and Google. They managed to fool employees into paying millions of dollars over a period of two years between 2013 and 2015.

Ubiquiti Networks Social Engineering Attack

On June 5, 2015, scammers impersonated the CEO and lawyer of the San Jose-based technology company Ubiquiti Networks and sent an email to the Chief Accounting Officer of the company’s subsidiary based in Hong Kong, asking for a series of transfers to close a secret acquisition. Over the next 17 days, 14 wire transfers were made to accounts in Russia, Hungary, China and Poland, estimated to total $46.7 million.

The “Google Docs Phishing Scam” of 2017

Cybercriminals exploited Google’s authentication system. Victims received seemingly innocuous emails inviting them to collaborate on a Google Doc. But the link led to a deceptive third-party app seeking access to users’ Google accounts. The scam quickly spread, affecting millions and highlighting the vulnerability of widely used platforms to crafty phishing tactics.

The email is coming from inside the house.

As mentioned above, one of the ways that people might try to hook you is by impersonating brands and sending you emails relating to your site – from your marketing to your domain, SEO prompts and hosting issues or upgrades.

In particular, hackers and other malicious agents might impersonate security teams and scare you into thinking that your account has been hacked or is in danger of being hacked at a later date.

Lately, WordPress has seen a rise in the latter: emails have been going out impersonating both the “WordPress team” and the “WordPress Security Team” and attempting to convince web admins to click through and install a plugin on their site that contains malware.

In an email sent out to all subscribers, WordPress has promised that “The WordPress Security Team will never email you requesting that you install a plugin or theme on your site, and will never ask for an administrator username and password.”

Double-check to stay safe.

Just so you know, the WordPress Security Team will only talk to WordPress users in two places: the WordPress News site and the Making WordPress Secure blog.

If you do get an official-looking email from WordPress, always check for these two things:

  1. The only two domains WP’s emails come from are “@wordpress.org” and “@wordpress.net”.
  2. If you click through for more info on the sender, it should always say “Signed by: wordpress.org” in the details section.

If either of these things is missing from an email you receive from someone who says they’re from WordPress, don’t click on anything in the email and do not respond to it; instead, report it as a scam to your email provider.

Plug it in, plug it in.

When it comes to plug-ins, the WordPress Plugin team will never contact you directly but they can email plugin support staff, owners and contributors. If you’re one of those three and receive an email, make sure you check for the two things above in the email. The sender will be [email protected].

Quick hits about plugins: 

  • All official WordPress plugins live at www.wordpress.org/plugins
  • There are Internationalized versions on subdomains, such as fr.wordpress.org/plugins, en-au.wordpress.org/plugins, etc.
  • Subdomains can contain a hyphen, but a dot will always appear before wordpress.org
  • Site admins can also access the plugin repository via the plugins menu on their WP dashboard.
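The sender and plugin-domain rules above are mechanical enough to script. The following is an added example, not code from the post or from WordPress, that applies the two email checks and the plugin-URL rule to a constructed message. It assumes that a mail client’s “Signed by:” line corresponds to a passing DKIM result whose signing domain (header.d) is wordpress.org, which the post does not state.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

OFFICIAL_MAIL_DOMAINS = {"wordpress.org", "wordpress.net"}  # sender domains named in the post
OFFICIAL_SITE = "wordpress.org"                              # where every official plugin lives

def sender_domain_is_official(from_header: str) -> bool:
    """Check the real address, not the display name, and require an exact domain match."""
    address = parseaddr(from_header)[1]
    if address.count("@") != 1:
        return False
    return address.rpartition("@")[2].strip().lower() in OFFICIAL_MAIL_DOMAINS

def dkim_signed_by_official(auth_results: str) -> bool:
    """Approximate the client's "Signed by:" line from an Authentication-Results header:
    a passing DKIM result whose signing domain (d=) is wordpress.org. Assumption about how
    mail clients derive that line, not something the post states."""
    m = re.search(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", auth_results, re.I)
    return bool(m) and m.group(1).lower() == OFFICIAL_SITE

def plugin_url_is_official(url: str) -> bool:
    """Accept wordpress.org or a subdomain separated by a dot: 'fr-wordpress.org' and
    'wordpress.org.example.net' both fail, as does a URL with wordpress.org as userinfo."""
    if "://" not in url:
        url = "//" + url  # let urlparse see a bare host
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host == OFFICIAL_SITE or host.endswith("." + OFFICIAL_SITE)

def vet_message(raw_email: str) -> dict:
    """Run the post's two sender checks and the plugin-link check over one raw message."""
    msg = message_from_string(raw_email)
    body = msg.get_payload() if not msg.is_multipart() else ""
    links = re.findall(r"https?://[^\s\"'<>]+", body)
    return {
        "sender_ok": sender_domain_is_official(msg.get("From", "")),
        "signed_ok": dkim_signed_by_official(msg.get("Authentication-Results", "")),
        "bad_links": [u for u in links if not plugin_url_is_official(u)],
    }

# Constructed sample, not a real message: the kind of lookalike the post describes.
SAMPLE_PHISH = """From: WordPress Security Team <alerts@wordpress-security.net>
Authentication-Results: mx.example; dkim=pass header.d=wordpress-security.net
Subject: Urgent: install the security plugin

Install it now: https://fr-wordpress.org/plugins/update
"""
```

Homoglyph and internationalised lookalike domains are outside what these string checks catch; they cover only the hyphen and extra-label tricks the post's rules describe.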

Protecting your WordPress site.

Now that you know what to look for when it comes to email impersonation schemes from WordPress, we also have some proactive steps to help fortify the security of your WordPress site.

Enable two-factor authentication (2FA)

Adding an extra layer of authentication significantly enhances your site’s security. Enable 2FA to ensure that even if your password gets compromised, an additional step is required for access.

Regularly update plugins and themes

Outdated plugins and themes are easy entry points for hackers. Keep your WordPress installation, plugins, and themes up to date to patch vulnerabilities and ensure optimal security.

Use strong passwords

Implementing strong, unique passwords for your WordPress admin, database, and hosting accounts is fundamental to thwarting unauthorized access attempts.

Install a security plugin

Think about using a reputable security plugin that provides features like malware scanning, firewall protection, and activity monitoring. These plugins can act as an additional line of defense against potential threats.

Educate your team

If your company has a team managing your WordPress site, ensure that they are educated about security best practices and the potential risks associated with phishing scams.