Phishing scams frequently impersonate the WordPress team or WordPress Security Team to trick administrators into installing malware or divulging login credentials; official WordPress communications never request installing plugins or passwords via email.

Scammers often send fake emails posing as the WordPress or WordPress Security Team, urging site administrators to act urgently on alleged security issues by installing a plugin or updating software. These malicious plugins contain malware designed to compromise websites. The emails may include official-looking logos, technical jargon, even CVE vulnerability numbers, and links to phishing sites that mimic the WordPress plugin repository but are hosted on non-WordPress domains. Sometimes fake emails also ask for administrative usernames and passwords, which WordPress never requests via email. This social engineering exploits users' fears and urgency to deceive them into handing over sensitive info or letting attackers control their websites

How to Spot These Scams

Key red flags include:

  • Emails not sent from an official WordPress domain (legitimate emails come from @wordpress.org or @wordpress.net).
  • Urgent language pressuring immediate action ("Act now!", "Immediate action required!").
  • Poor grammar, formatting inconsistencies, or strange phrasing.
  • Links that do not point to official WordPress sites (hover over links to verify before clicking).
  • Requests for passwords or installation of plugins via email.
  • Unexpected attachments, which WordPress does not send in security emails

Risks of Falling for These Scams

If victims click malicious links or install scam plugins, attackers can gain full administrative access to websites, plant backdoors, redirect visitors to harmful sites, steal data, and even send fraudulent emails from compromised WordPress domains. This can lead to loss of website traffic, blacklisting by search engines, and reputation damage

How to Protect Your WordPress Site

  1. Always verify emails by checking the sender's domain and signature details. Official WordPress emails are signed by wordpress.org.
  2. Do not click links or download attachments from suspicious emails.
  3. Use trusted WordPress security plugins like Wordfence or Sucuri to monitor for vulnerabilities and scan for malware.
  4. Educate all team members to recognize phishing emails and report suspicious activity instead of acting on it hastily.
  5. Keep WordPress core, themes, and plugins updated to patch known vulnerabilities.
  6. Enable two-factor authentication (2FA) for admin accounts to add an extra security layer.
  7. Regularly back up your site and have a recovery plan in case of compromise.

What to Do If You Suspect a Scam

  • Do not engage with or respond to suspicious emails.
  • Report suspicious or phishing emails to your email provider and forward them to security@wordpress.org.
  • Check your site for unauthorized users, unfamiliar plugins, or suspicious files.
  • Run a comprehensive malware scan using security plugins.
  • Change passwords for WordPress, hosting, FTP, and databases immediately if credentials may have been compromised.
  • Restore your site from a clean backup if it has been hacked.
  • Contact your hosting provider for assistance with recovery and mitigation

Scams targeting WordPress users often impersonate the WP Team Account or Security Team, using emails urging urgent actions that lead to installing malware or exposing login details. Recognizing official communications, avoiding suspicious links, using security tools, and educating your team are critical to preventing compromise. If you receive doubtful emails, verify their authenticity before taking any action to keep your WordPress site secure.