How to Find & Remove Phishing From Your WordPress Site?

Oct 5, 2019

How to Find & Remove Phishing From Your WordPress Site?

Oct 5, 2019

Learning that your website is sending spam emails can feel like a nightmare. It’s a frustrating situation to be in. Luckily there is a fix to phishing but you need to act fast.

In the past, we have come across websites sending phishing emails and in our experience, all these websites were hacked. Moreover, sending spam emails is just one of the many malicious activities that hackers are doing with your website.

Hackers could be using your website to launch attacks on other websites. They could be using your site’s server to store illegal files. They could also be stealing sensitive information from your site or even using black hat SEO techniques to rank their own products (recommended read – pharma hack). Not just that, hacked websites are often blacklisted by Google and suspended by their hosting providers. 

But don’t worry because your website is not beyond repair. In this post, we’ll show you how you can remove the fix your website and take measures to protect your website from future attacks.


If you are under phishing attack and are looking to just clean the infection and fix the site, you can install our WordPress Phishing Removal Plugin (MalCare). It’ll instantly clean your site and get it back up and running in no time.


What is Phishing?

Phishing is a malicious operation executed by hackers in hopes of making a quick buck. It starts with hacking a website, then using the site’s resources to send emails with deceptive messages. The purpose of these messages are to dupe people into sharing sensitive information like credit card info.

A common example is a phishing email that will be sent to someone’s inbox, prompting them to click a link and open a website. The site will be a hoax version of a trusted site like a banking site.

Phishing attacks used to be carried out on a large scale. Attackers would target a large number of people, by sending them emails hoping that someone will take the bait. But today, email service providers like Gmail have good anti-phishing measures in place. That’s bad news for your website because it’s being blocked by email service providers.


gmail anti-phishing warning


Hackers use compromised websites to send hundreds and thousands of spam emails for phishing purposes. Email providers take strict measures against such websites. Your website can be blacklisted by Google.

Your domain can be marked as dangerous by spam watchdog services like Spamhaus, your web host may suspend your site. In most cases, site owners are unaware that their website is being exploited until it’s too late.

[Back to Top ↑]

Why is Phishing Hard to Detect?

It’s difficult to identify a hacked website and it’s even more difficult to detect a phishing campaign on your website.

Hackers who gain access to your site insert phishing pages on the domain without your knowledge. They tread carefully and that’s why many site owners learn that their website is hacked when it’s too late. Either their site is blacklisted by Google or suspended by the hosting provider.

Another reason it’s hard to detect phishing is because most security scanners are unable to detect it. Attackers are able to hide malicious files or codes anywhere on the site.

Security scanners, even the popular ones often look for malicious codes (also called malware) in places where malware is usually known to hide.

Detecting phishing operations are beyond their scope. This is why finding a good security plugin is so important. In the next section of this, we are going to introduce you to a plugin that is not plagued with such shortcomings.

[Back to Top ↑]

How to Find & Remove Phishing?

There are two ways of scanning and cleaning phishing from your site and those are:

  1. You can do it manually (the hard way)
  2. You can do it using a plugin (the easy way)


1. Manually Finding & Removing Phishing

Malicious codes or malware can be present anywhere on the site. It’ll take you forever to find them manually. Moreover, there are chances of missing malware which is often hidden in a clever way.

2. Finding & Removing Phishing with a Plugin

Using a security plugin guarantees a better result but then again not all plugins are good at detecting a phishing hack. If you want to find malware that’s difficult to detect, MalCare Security Services is your best bet.

i. MalCare Detects New & Unknown Malware

Hackers are clever. They infect WordPress websites with new types of malware or try to insert complicated codes. Since most security scanners are looking for known malware, they fail to detect new and complicated malware.

MalCare’s WordPress malware scanner takes a different approach. It checks the behavioral pattern of codes. That’s how it detects new and unknown malware.

ii. MalCare Accurately Locates Malware

When other security plugins search only in known locations, MalCare looks beyond that. It carefully tracks all the activities going on on your website. That way, when hackers are executing phishing operations from an uncommon location, it’ll able to detect and alert you about it.

iii. MalCare Cleans Malware Instantly

Cleaning malware can be a big headache because many security plugins take a significant amount of time to get your website back to normal.

With MalCare’s WordPress malware removal, you don’t have to worry about the turn around time. Because it allows you to clean your website by yourself with the click of a button.

Let’s try and scan your WordPress website with MalCare.

Step 1: Find & Remove Phishing Infection With a Plugin

1. Sign up with MalCare and set up an account. Add your site to the MalCare dashboard and it’ll automatically start scanning your website. You’ll be notified once it detects malware on your website.

NOTE: On rare occasions, you may find that your site is flagged incorrectly. If that’s the case, you can request a review from Google – review incorrect phishing warning. If your hosting provider has suspended your website, then write them an email. Share a screenshot of your scanned website to prove that your site has no malware.


malcare clean


2. Following the malware detection, you’ll need to remove the malware from your website. You can do that by selecting the Auto-Clean button.

Depending on the size of your website, MalCare takes a while to remove malware from your website. It informs you once the process is complete.

Step 2: Measures Beyond Phishing Removal

Phishing pages are placed on the site through the exploitation of some vulnerability on the website. It could be a vulnerable plugin, a pirated theme with hidden backdoors or a compromised user account.

Since you’ve found phishing files on your website, it is important to determine how those pages were placed. You need to find vulnerabilities and patch them. Or else there’s a good chance that you’ll be hacked all over again.

Take the following measures after you have cleaned your hacked site:

1. Update Your Plugins, Themes, & Core

We have been investigating hacked websites for close to a decade. One reason most websites get hacked is outdated plugins or themes or even the WordPress core.

WordPress updates help add new features, improve performance, most importantly fix security issues. Skipping updates would mean vulnerabilities on your website remain unfixed. This could lead to re-hacks.

Update all outdated themes and plugins, even the ones that are not active. Vulnerable non-active plugins and themes are as dangerous as the active ones.


update plugins


2. Remove Inactive Plugins & Themes

Many site owners love to try out new plugins and themes but they often don’t remove the tools they’ve experimented with them. Over time vulnerabilities in inactive plugins and themes. Vulnerabilities in an inactive plugin can be exploited to gain access to your website.

Delete the themes and plugins that you don’t use. If you have tools that you’ll utilize in the future, ensure that you are keeping them updated at all times.

3. Delete Pirated Plugins & Themes

The price of using a pirated plugin or theme can be heavy. Unknown to users, pirated themes and plugins come with hidden backdoors using which hackers can gain access to your website. Remove any pirated software you are using.

4. Delete Rogue Users

After hacking a WordPress website, hackers would want to ensure that they can access the website even after the site is cleaned. That’s why they place backdoors and create new user accounts.

You can take a look at all the user accounts present on your website and if you find one that you can’t recognize, it could be part of a hack. You should delete that account.

Step 3: Remove Google Blacklist Warning

Hacked websites are often blacklisted by Google. The search engine giant wants to ensure that its users are having a safe browsing experience. Hacked websites can harm users by prompting them to click on malicious download links. To protect its users, Google blocks them from accessing hacked websites.

Before we tell you how to remove Google blacklisting, ensure that your website really is blacklisted. You can use the following tools to find out if your website is blacklisted – Is My Website Penalized and Is Banned.


phishing attack ahead warning


To remove blacklisting from your website, you need to do the following:

  1. Remove phishing using the method we discussed earlier.
  2. Then, inform Google to review your website and remove the black warning.

Typically, it takes 72 hours for Google to remove the blacklist.

Step 4: Remove Web Host Suspension

Like Google, web hosts also want to protect their users. Certain cheap hosting plans (like shared hosting) have more than one website on a single server. Every website can utilize certain resources. Often hacked websites utilizing more than it’s a share of resources. This could have an impact on the performance of other websites on the same server.

To prevent this from happening, hosting providers suspend websites as soon as they figure that it’s hacked.

If your website is suspended, you’d want to inform hosting providers that your site is now clean. Send them an email to your hosting provider. Alternately, you can get on a call with a representative.

Ensure that you have scanned your website and taken a screenshot of your clean site. You may require to show it to prove that your website is malware-free.

With that, we have come to the end of how to find and remove phishing.

[Back to Top ↑]

How to Protect Site From Future Phishing Attacks?

Although you have fixed the issue at hand, there are chances of getting re-hacked in the future. But you can easily avoid that by having a few basic security measures in place. Those are –

1. Keep Your Website Updated

Updates roll in quite often, which is why many site owners end up skipping it. But outdated software is a major cause behind websites getting hacked.

Updates not only bring new features they also fix security flaws. Skipping updates would mean that the security issues remain unpatched. You should ideally set aside an hour each week when to update your websites.

Alternately, if you can afford to, you can hire a WordPress management agency to take care of updates.

2. Use an SSL Certificate

Back in the old days, SSL certificates were used either on payment pages or login areas. But now, thanks to Google’s drive to make the web safer, many websites have SSL certificates installed.


gree lock ssl certificate


An SSL certificate ensures that visitors, whether they are leaving a comment or buying a product from your website, are transferring information safely. There are paid SSL certificates as well as free ones. If you want an SSL certificate, here’s great guide that explains how HTTPS improves your security.

3. Enforce Strong Login Credentials Policies

Your login pages are the most vulnerable pages of your WordPress websites. Hackers try to crack your login credentials to gain access to your admin area. A unique username and password will make it hard for hackers to crack your credentials.

Generally, people see strong login credentials as an obstruction. Mainly because recalling strong passwords are hard. Don’t worry, there are ways in which you can manage strong passwords.

However, hackers are constantly improving their tools, and therefore using strong credentials alone are not helpful. For more, you can read our in-depth guide on WordPress login protection and brute force attack.

4. Use a Security Plugin

Having a security plugin is non-negotiable. Whether your website attracts millions of visitors or a few hundred, hackers target all kinds of websites. A good security plugin offers complete protection against hackers and bots. It’ll scan your website on a daily basis and drive away unwanted traffic with the help of a firewall.

While there are many security plugins to choose from, not all plugins operate in the same way. Take a look at this comparison of the top WordPress security plugins and choose what you find best suits your needs.

5. Employ Least Privileged Principles

There are 6 user roles on a WordPress website – Administrator, Editor, Author, Contributor, Subscriber, and Superadmin. Every role comes with a certain power that can be abused if you are not allocating the roles properly.


wordpress user roles


The top of the ladder belongs to Super Admin and Administrator. The rest of the users have limited power to make modifications to the website. Ensure that only a few trust-worthy people hold administrative to power.

[Back to Top ↑]


Final Thoughts

We hope you found our phishing removal guide easy to follow and were able to fix your website without any hiccups. This was long read but before you leave, here’s what we suggest you do:

  1. Bookmark this article. Seriously. Bookmark it.
  2. Share it with your colleagues and any website owners you know.
  3. Install a WordPress Security Plugin that protects your website against hack attacks.
  4. Now, focus on growing your business.

We sincerely hope you found the help to needed. If you would like to chat with us, click on the live chat button on the right.

Website still seeming “Phishy”? Be Malware-free with MalCare!

clean wordpress phishing
Share via
Copy link