Preventing Phishing on WordPress Websites
Carlin Gibbs
Community Content Marketing Specialist at GoDaddy

Phishing can be a severe threat. You might have received an email posing as your bank or a text message posing as your phone company. Phishing is becoming a regular occurrence, so how can you prevent it on your WordPress site?

First, let’s get into what phishing is, then we will cover ways to prevent it, such as website security.

What is Phishing?  

Phishing is when scammers try to steal sensitive information such as personally identifiable information (PII). This information can be:

  • Passwords  
  • Usernames  
  • Phone Numbers  
  • Login details 
  • Emails  
  • Credit card information  
  • Bank Account information  
  • Social Security Number (SSN)  
  • Secret answer questions  
  • PIN (Personal Identification Number)   

There are many ways phishing can take place, so here are a few examples of phishing activities.   

Email phishing 

Email phishing tends to be the most common type of attack. Scammers send emails that appear to come from a trusted or known sender, such as the victim's bank, to get the victim to reveal or enter confidential information. The victim clicks on hyperlinks or even replies to the email, which results in the PII being shared.

Targeted or not, you can assume that you or someone you know has received a phishing scam via email. Nowadays, it is easier for us to notice these fraudulent emails since anti-spam technology has evolved. Most phishing emails end up in our spam folder, never reaching our inboxes.

Here’s an example of a phishing email that attempted to trick WordPress site owners into thinking their database needed an upgrade. 

[Image: fake WordPress email]

While this may look like a legitimate WordPress email, it is from a hacked WordPress site. It collects the information when the link is clicked or credentials are entered.

Scammers will perform identity theft or fraudulent activities, causing a lot of hassle for the victim. If a user fails to notice that the page is fake, they will enter their WordPress login. The user would then have their WordPress login details or credit card information stolen.

Google Docs phishing

Sometimes phishing scams can come in fake Google Docs links when hackers add these malicious links to online documents.

As Google Docs are commonly shared, many people assume they are safe. If they click the phishing link, it can take them to a page like this:

[Image: Google phishing link]

If you look at the example, you can see the top information bar is fraudulent, as Google doesn’t ask you to click and select a provider. If the user doesn’t notice this, they fall victim to the scam and have their information stolen.

Signs Your WordPress Website Has Been Phished

There are a few ways to know that your WordPress site has been hacked. Depending on the type of hack, the signs can differ. Here are some examples to tell if your site has been hacked.

You are unable to log into your site 

Although sometimes we forget our login details, if you cannot log in, hackers may have deleted your admin account from your WordPress site. If they have deleted your account, you may also be unable to reset your password from the WordPress login page. You will have to contact your hosting provider for help.   

Your site’s homepage has changed

One of the easiest ways to know if you have been hacked is when there are changes to your homepage. Some hackers may want to change your homepage to announce you have been hacked, possibly in an attempt to extort money. This isn’t as common as other hacks since hackers will attempt to go unnoticed for as long as possible.

A drop in your site’s traffic 

If you look at your reports, such as Google Analytics, and see a sudden drop in traffic, it could be a sign that your site has been hacked. If your site has been hacked, Google will blacklist the site through its Safe Browsing tool. The tool shows warnings to users who might be trying to visit your site. This is why paying attention to website security for your WordPress sites is crucial.

Ways to Prevent Phishing on a WordPress Site

To ensure your sites are safe, you can opt for a security plugin or service; for instance, a Website Security Plan is just one of the many ways to protect your sites. GoDaddy’s security plans are powered by Sucuri, helping give you peace of mind.

Having a daily website scanner included in your plan is a must. This can help alert you if any suspicious activity occurs on your site, helping you prevent the problem before it’s too late.  

Besides website security plans, some easy tips to prevent phishing on your sites are to keep an eye out for these red flags:   

  • Suspicious URLs; 
  • Lack of HTTPS;  
  • Typos or weird wording;  
  • Unknown email senders.  
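
The URL and HTTPS red flags above can be checked mechanically before anyone clicks. The following is an added example, not part of the original article: it extracts links from an HTML email and flags each one. The trusted host list and the sample email are constructed assumptions, and the lookalike check is a heuristic that marks links for review.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts this site owner expects real mail to link to (constructed).
TRUSTED_HOSTS = {"wordpress.org", "mysite.example"}
# Constructed sample email body, modelled on a fake "database upgrade" notice.
SAMPLE_EMAIL = """<p>Your WordPress database needs an upgrade.
<a href="http://wordpress.org.db-upgrade.example.net/wp-login.php">https://wordpress.org/upgrade</a>
<a href="https://wordpress.org/support/">Support forums</a></p>"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_red_flags(href, text):
    """Return the red flags for one link; an empty list means none were found."""
    url = urlsplit(href)
    host = (url.hostname or "").lower()
    trusted = any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)
    brands = {t.split(".")[0] for t in TRUSTED_HOSTS}
    shown = re.search(r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text.lower())
    checks = [
        ("no-https", url.scheme != "https"),
        ("punycode-host", any(p.startswith("xn--") for p in host.split("."))),
        # A trusted brand name inside a host that is not the trusted domain.
        ("lookalike-host", not trusted and any(b in host for b in brands)),
        # The visible text names one domain but the link goes to another.
        ("text-href-mismatch", bool(shown) and shown.group(1) != host
            and not host.endswith("." + shown.group(1))),
    ]
    return [name for name, hit in checks if hit]

def scan_email(html):
    parser = LinkCollector()
    parser.feed(html)
    return {href: link_red_flags(href, text) for href, text in parser.links}
```
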

Try to use 2FA (two-factor authentication) whenever possible. This will make it harder for hackers to take over your site if your credentials are stolen, as 2FA will alert you. Protecting your email domain with DMARC is another crucial security measure. You could also create a Google Search Console account that helps notify you about security problems. Specialized sites such as PhishTank or VirusTotal can help owners determine if their sites host phishing pages. Most phishing occurs on hacked sites.

Conclusion  

Being aware of phishing and keeping an eye out for red flags can help you avoid any hacking attempts on your WordPress sites. Be aware of your cybersecurity, and you can gain peace of mind knowing that these attacks are preventable.    

If you need help choosing a website security plan, this helpful cheat sheet has what you need to help you decide.