How to Safely Remove Phishing from Your WordPress Website?
You are here because your visitors are seeing a big, red warning about phishing when they try visiting your website.
But, why are they seeing this warning? Yours is not a phishing website!
While there is an outside chance that this is a false alarm, the first thing you should do is scan your website for malware. If your website shows up clean, you can breathe a sigh of relief, and skip to the section on how to appeal the warning. If not, stay calm, we’ll tell you exactly how to remove phishing from your website.
TL;DR Most likely, your website has gotten hacked, and Google Safe Browsing has flagged it as dangerous to visit; specifically that it is a phishing website. You need to remove the hack immediately to get your website back to its original state.
What is the WordPress phishing hack?
Simply put, a phishing attack is when hackers trick unsuspecting users into giving up their personal identity and financial data by posing as a legitimate brand that the user trusts.
This means that there are official-looking pages on your website that may cause people to share private information.
In case you are interested in reading about them in greater detail, we’ve included a section on types of phishing attacks at the end.
How bad is the WordPress phishing hack?
Phishing attacks cost businesses billions of dollars every year. In the first 6 months of 2020 alone, there were 312,766 phishing websites detected.
A phishing attack is very bad for your website.
All malware is destructive and must be dealt with on priority. You’ve already spent some time figuring out what has gone wrong, but do remember that every minute that the malware remains on your website, you are incurring a loss.
How to get rid of the phishing should be a top priority. We’ll tell you how to remove phishing yourself later in this article.
But just so we’re clear: removing malware manually is not a straightforward task and we don’t recommend it under any circumstance. A hacked website can have multiple infections, backdoors, and hidden fake admins due to malicious files like favicon_bdfk34.ico and many more. Trying to find and remove them all by yourself is a surefire way to wreck your site completely.
We strongly recommend you use a security plugin which removes phishing instantly from your website without further delay.
How do I know my website has phishing?
If you haven’t come across instances of phishing campaigns yourself, and you’ve seen Google’s browsing warnings like this site has been marked as a phishing site, you may be wondering if your website has really been compromised. There is a sure-fire way to rule out the possibility:
- Check Google Search Console > Security Issues for notices about deceptive content.
- Visit some of the flagged URLs in the report from a different computer, on a different network or in incognito mode. Hackers can mask malware from website administrators to prolong infection.
- Check third-party inclusions on your website. Ad networks can sometimes serve ads that have phishing campaigns. As ads are typically cycled, you may have to refresh the website several times to check the ads being shown. Even if an ad has social engineering content, your website could still be flagged as containing deceptive content.
If Google Search Console flags issues, then you can be certain your website is a victim of the WordPress phishing hack, and can proceed to phishing removal.
How to clean phishing campaigns from my website?
There are a couple of ways to remove phishing pages from your website.
The fastest way to get rid of phishing is to use a security plugin to remove it safely, without compromising your website any further. Then you can go about appealing the warning.
Alternatively, you can remove phishing pages manually. To be clear, this process involves digging through the code to find the pages and therefore malware. The phishing pages will not be easily visible in your database, but hidden in various system files and directories in your content management system.
Only experienced developers should attempt to remove phishing files, because there is a possibility that you might delete necessary code and cause irretrievable damage to the website. Please proceed cautiously with deleting the following pages:
- Pages you didn’t create. Some phishing pages will mimic your website design, content, and branding as much as possible, so as to look legitimate and to remain undetected for as long as possible.
- Phishing pages will mostly be login and payment pages because this is the type of information that hackers are looking to capture.
- Bank or eCommerce branded pages. Because phishers are impersonating a legitimate entity, they will copy their branding to do so. You are likely to find logo files, perhaps in a favicon file, and several image files that are used to replicate official branding.
- Unfamiliar folders that appear to be from another entity.
- Incorrect checkout pages on your own ecommerce pages, if you have them. Hackers could be redirecting your own customers from your pages.
As added insurance, take a fresh backup of your website, before phishing removal. If anything goes wrong, you still have the infected website that you started with, and you can decide to opt for a 1-click clean up instead.
How to ask Google for a review
The review process takes an average of 72 hours to complete. It is vitally important to make 100% sure that phishing removal was successful. Otherwise, your request will be rejected and the process will just take even longer.
- Go back to Google Search Console > Security Issues
- Check the I have fixed these issues box, and Request a review
- You will need to provide details of what actions you have taken to remove phishing
Why WordPress is vulnerable to phishing?
By its very nature, WordPress is meant to be easy to use, and additionally easy to customise with themes and plugins. These additional bits of software are intended to add features and functionality, but don’t always have the best security practices. Therefore, they cause the website to have weak entry points.
You cannot do away with themes and plugins altogether, and really that is not a solution. The best way is to take preventive measures and address vulnerabilities.
How to prevent phishing from happening again?
Malware finds its way into WordPress because of vulnerabilities. Hackers exploit vulnerabilities to gain access, and insert their nefarious bits of code into your website. Quite often, website administrators aren’t even aware of these developments—until something goes wrong. And by then, significant damage and loss has already taken place.
1. Install a security plugin
We cannot sufficiently stress the importance of installing a good security plugin. You do not want to be caught on the back foot, after being informed by a visitor or your web host or Google that your website has problems.
Choose a plugin that is able to prevent malware from being installed in the first place and includes a strong firewall. If malware is detected on your website, the plugin should be able to remove it without compromising your website further, and ensuring the content remains intact. And finally, choose a plugin that has an expert manual removal service.
2. Remove backdoors
This critical step in prevention is tricky to execute well, because backdoors can be hidden in legitimate folders. What makes removal even more complex is that many of the functions are used by plugins for benign reasons. So deleting a function that may appear to be a backdoor can cause unintended consequences. We do not recommend doing this on your own.
Check your database to identify and remove unverified users. Be careful not to delete real users. Also change all admin passwords after you remove phishing.
4. Keep your website updated
A simple, often overlooked method to ensure security is to keep your WordPress and all installed plugins and themes updated. Updates include security patches that address vulnerabilities, among other things, and should be installed on priority.
If there are plugins or themes that you don’t actively use, disable or remove them.
5. Install an SSL certificate
Most web hosts include SSL certificates in their services. SSL certificates encrypt data that is sent back and forth between browsers and servers. It is very simple to set up and use, and is actually a requirement from Google to promote safe browsing and it will also remove site not secure warning on your site padlock.
6. Require strong login credentials
Easy to guess usernames and passwords are still one of the easiest ways for a hacker to gain unauthorized access to a website. Require all users to set strong passwords for their accounts.
There is a lot you can, and should, do secure your website. Here is a complete guide to all the steps you can take to address vulnerabilities, learn what to look for, and even how to choose the right plugins and themes for your website that ensure your visitors and their data remains safe.
Types of phishing attacks
Phishing itself is a type of social engineering attack, which essentially means that the attack relies on pretending to be someone else to be successful. Additionally, social engineering attacks rely on the victim giving up their information willingly, because they believe the request is legitimate.
WordPress phishing hack
The hacker has inserted official-looking pages into your functioning website to defraud people by pretending to be a brand. While this is bad enough, consider that you may have been the victim of a phishing attack to begin with, because…
Targeting website administrators
…sometimes, you are targeted for your admin login credentials, in order for hackers to gain access to the websites you manage.
You may have received an email asking you to update your database “urgently”, otherwise something catastrophic will happen. The email will take you to a page which will resemble your web host or admin panel to update your database by entering your credentials.
Or perhaps, a scammer is posing as an irate customer, asking for a refund.
Even WordPress professionals with years of experience can sometimes be taken in by these emails, especially if they are managing multiple websites, and are handling operations of all those websites in different places.
Email phishing vs. WordPress phishing hack
There are various flavours of phishing: using emails, putting up malicious web pages, and most often, a combination of the two. Hackers insert pages on your website, which appear to be from a trusted organisation, in order to collect their login credentials. Generally, an unsuspecting user reaches this fraudulent page via an email, but they can also stumble upon it via a link or a redirect.
Fun fact: There is a special category of phishing attacks that sport the Google brand. Yup, the mighty Google isn’t free from this menace either. In fact, they have a dedicated support page for misleading pages perpetuated in their name.
Individual vs. spear phishing
Phishing attacks target large groups, and therefore one of the telltale signs of a phishing email is a lack of personalisation. This is not to say that all automated emails are suspect, but if an email is asking for sensitive data, like credit card details or login credentials, lack of personalisation can be a red flag.
Except when it happens to be a spear phishing attack. These types of attacks target specific individuals to give up their data.
Gathering login credentials may not present a big problem for individuals for certain websites, however it becomes a way to tap into the secure environment of that website (and its organisation) if the credentials happen to belong to an employee, for instance.
Also, we tend to use similar credentials across different websites and devices, and those accounts may contain sensitive information.
How are phishing attacks discovered?
The most unfortunate way to find out your website has the WordPress phishing hack is to land up on Google’s blacklist, and for your visitors to see one of the warning messages like this site has been marked as a phishing site; unless you have a strong security plugin installed.
Phishing websites are now being discovered through sophisticated AI. However, they are also manually reported to Google by individuals who experience them.
As we increasingly use devices and the Internet to carry out tasks in our daily lives, internet security is something of a byword now. Everyone receives tips and advice about keeping their data safe from every brand they interact with, right from the government to their bank to their grocery delivery app.
These messages contain practical ways of spotting a phishing attack a mile off: check the sender (for emails), check the URL (for websites), is there unnecessary pressure on someone to complete an action, etc.
Phishing attacks are also becoming more sophisticated, copying the language and the branding of trusted organisations more accurately. Therefore, in order to protect its users from being duped, Google is extra vigilant for hacked websites.
What are phishers after?
Well, what are any kind of hackers after? Information that they are not authorised to have, to be used in ways that they are not authorised to use. Unauthorised use may include theft—of identity, money or property—access to official databases and files, and so much more.
Look at the sectors most affected by phishing scams, and a clear pattern emerges:
If your website stores any of the following information, you are a target for the WordPress phishing hack:
- Credit card details
- Bank account information
- Social security numbers
- Usernames and passwords
And the list goes on. As you can see from the list, any personal identification information is potentially useful for a hacker. Even email addresses lists are sold to unscrupulous businesses or spammers.
So what’s next?
Hopefully phishing removal was successful, and your website is back up and running, without any malware. We hope you found the information in this article helpful.
Before we go, we want to emphasize that our expertise comes from protecting 1000s of websites like yours every day, and all that expertise is packed into developing MalCare, our best-in-class security plugin. Try it out today, and be stress-free about your website security forever more.
How to remove phishing from my website?
The best way to remove phishing campaigns from your website is to use a good security plugin. Manual phishing removal can be a long, complicated process, and prone to errors, because infected files are hidden in necessary and legitimate folders.
However, in case you feel confident about removing phishing attacks manually, we include a list of files to look for.
How to stop phishing?
Prevent phishing from occurring by addressing vulnerabilities:
1. Install a strong security plugin with a good firewall
2. Search for and remove backdoors if any. If your website had malware before, there is a good chance that it still has backdoors
3. Remove unauthorised users
4. Update WordPress, all plugins and themes
5. Install an SSL certificate
6. Require strong login credentials
Why has my website been flagged as phishing?
Websites are flagged as phishing websites if Google detects it, or if someone has reported your website to have phishing content. Phishing campaigns can occur without the website administrator’s knowledge, and so a visitor may come across a phishing page before you do. Ads served by networks can also contain phishing campaigns.
How to check if my website has phishing?
To check if your website has phishing pages or not, log into Google Search Console, and check the Security Issues tab for reports. If you have not verified your website ownership on Google Search Console, you will have to do that first.
What is phishing?
Phishing hacks are a type of social engineering hacks that rely on users being misled into giving up their information voluntarily. Hackers pretend to be trusted brands and organisations, usually mimicking the language, design and content of websites in order to steal user information.
Karishma was an engineer in a former life, and so she specialises in making tech more accessible through communication. When she isn't writing, Karishma spends her time tinkering in the innards of WordPress websites