WordPress Phishing Scams: What Every User Needs to Know

Beth Osborne
August 11, 2018 by
Beth Osborne

WordPress powers 30% of the web and is by far the largest content management system (CMS). It's easy-to-use and has fans that range from regular users to developers. However, popularity breeds exposure.

When users adopt a platform, that means there is an opportunity—opportunities for hackers. Because so many businesses and individuals use it, it's very attractive to hackers. A study looked at over 11,000 infected websites and found 75% were WordPress sites, which is an indication of its vulnerabilities but also their market share. Most of these infections probably started with phishing.

Two year's worth of NIST-aligned training

Two year's worth of NIST-aligned training

Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.

Why So Vulnerable, WordPress?

So, how does a CMS that's so prevalent has so many vulnerabilities? It's not the platform itself that creates much of these weak spots. Much of the activity in breaching these sites is via plug-ins. Plug-ins are convenient and connect systems and allow them to communicate. But not every plug-in has the same security protocols. It only takes one weak link for hackers to find a way into the application.

It's not like WordPress didn't foresee that risk would only increase. Their founder talked about it way back in 2007. Moreover, as the web has grown, no housing billions of websites, the spam that a WordPress site must thwart grows. WordPress sites over 82,000 more spam incidents an hour than they did a decade before.

WordPress Phishing Scams: Two Ways Hackers Get Users

There are two ways in which phishing can impact WordPress users. First, your site can be set can be compromised in two ways: hackers are using your WordPress site to lure in others, or administrators receive phishing emails.

Phishing's objective is to obtain sensitive information. It starts with some type of communication with links. It looks legitimate, but that one click is all it takes for the "hook" to work. Where that link goes is to an infected page, one that could be on your website, and you don't even know it.

Phishing Pages

Most attackers use a WordPress site as a magnet to distribute malware via phishing. The hacker uses the WordPress site as a cover. This is the most used tactic, but threat actors can also use phishing tactics against website administrators to get access to the site to steal PPI (protected personal information).

The majority of WordPress administrators have no idea that phishing pages are on the site. The files are not included with the legitimate pages, and the website doesn't appear to be different. They are hidden from the visible eye. So, you may only learn the pages are there when you get a notification from someone who received the phishing email.

Finding and Removing Phishing Pages

So, how can you find these pages and remove them? It's all about the code.

You'll need to inspect the code to understand if your WordPress site has been hacked. These pages will be standalone and buried within the CMS. One way to find them is by their name. Since a phishing scam is an effort to mimic your site so that it looks legitimate, file names give it away. The files will contain items associated with your brand but not be pages you created.

Hunting all through the site isn't an effective way to find these pages. Download all the site files locally to analyze them. The files you are looking for will most likely be grouped together. They often have a directory name that has the organization name. Once you find the corrupt files delete them, but there aren't only pages. Malicious code can be embedded into shopping cart pages, redirecting customers to the fake checkout instead of the real one. You should also find a file called password.txt, which is there to collect the information of the hacked.

Phishing Emails

On the other side of this experience is that administrators of WordPress sites receive a phishing email that looks exactly like a notification they may receive many times a day. Novice or professional users can fall victim to this.

WordPress Phishing Scams Can Fool Even WordPress Pros

For those that manage multiple WordPress sites, their email is bombarded with emails from those sites. So, if one slips in that looks official, it'd be easy to click on it. One interesting thing that scammers will do is forward an email, so it looks like an actual person sent the email, and that it needs the reader's attention.

That's when recipients need to look closer. Asking questions like:

  • Do you know the sender?
  • Is the link going to the URL that's known to you?
  • It's best to ask questions and do a quick search to see if this is really legitimate. Even the best WordPress user can be fooled when the email is so familiar and looks like what they might receive on a regular basis.

    Password Reset Emails Are Red Flags

    If you look on the WordPress support boards, you'll find lots of questions around how someone was able to obtain usernames and passwords for their sites. One thing that keeps getting repeated is that account holders were receiving password reset emails. These, of course, look like they are coming from your domain. Except you didn't try to reset your password. The reset email link looks like it's your domain but clicking on it either messes up your login or compromises it in some way. So, don't click on anything you didn't ask to reset.

    Emails Received by Customers Look Real

    When a malicious hacker has infiltrated a WordPress site, they begin spinning of emails. Sometimes it's a small trickle; while other times, it may go out to an entire customer base. The emails will look like they are coming from your domain. However, the message is what's suspicious and what clients should be warned of educationally. First, tell them that emails that request PPI or other sensitive information would never come from the company. Further, urge customers to forward to you these types of emails, so you're team can proceed to investigate.

    This type of phishing campaign often spikes when WordPress vulnerabilities are exposed. Your domain needs to be protected; thus if hackers know the vulnerabilities, you should as well. Then take the actions to close the loop on security.

    Even though your website has been compromised, as hackers can send emails from your domain, the links won't always go to phishing pages on your site. They may link to another WordPress sites that have been hacked.

    Advanced Phishing Techniques

    Hackers aren't just going to do the same thing they've always done. As security measures increase so does the creativity of a hacker. Here are some additional examples of how they can obfuscate URLs:

    See Infosec IQ in action

    See Infosec IQ in action

    From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

    • Image maps inserted into the email, which looks like a safe click
    • Misspellings in domain names, usually by only one character
    • Offsite links and search features have higher vulnerability by exploiting javascript
    • Using all the disguise capabilities available
    • WordPress Phishing Prevention

      Prevention and awareness both need to be internal and external. Some of the largest organizations in the world are the target of WordPress phishing scams. While they have a team of vigilant technology experts, hackers are sometimes successful. Thus, you need security awareness training to prevent users from clicking on phishing emails internally or externally. Make training for staff mandatory. Write educational pieces on it for your audience. With a better understanding of exactly how phishing works, this should lead to fewer damaging clicks.

      Beth Osborne
      Beth Osborne