How to Safely Remove Phishing from Your WordPress Website?



You’re here and when your people want to visit your website, they see a huge red alert about phishing.

But, why do they see this warning here? Yours is not a platform for phishing!

Although there is an outside risk that this is a false warning, checking your website for ransomware is the first thing you can do. You should breathe a sigh of relief if the website comes up safe, and skip to the segment on how to appeal the notice. If not, we’ll tell you precisely how to delete phishing from your website if you remain cool.

TL;DR The website has most likely been compromised, and Google Safe Browsing has flagged it as unsafe to visit; specifically, it is a website for phishing. To get your website back to its original state, you need to delete the hack immediately.

What is the WordPress phishing hack?

Simply put, a phishing attack is when, by posing as a reputable brand that the user trusts, hackers deceive unwitting users into giving up their personal identity and financial details.

This suggests that on the website there are official-looking sites that may cause people to share private information.


Look at these examples of the use of well-known brands in phishing attacks. In a genuine WordPress site, the Google phishing website has been added.

We also added a segment on the forms of phishing attacks at the end in case you are interested in reading about them in more depth.

How bad is the WordPress phishing hack?

Every year, phishing attacks cost companies billions of dollars. There were 312,766 phishing websites found in the first 6 months of 2020 alone.

Credit: APWG

For your website, a phishing attack is really negative.

Both malware is disruptive and needs to be handled on a priority basis. You’ve probably spent some time finding out what went wrong, but note that you suffer a loss every minute that the malware sits on your website.

A top priority should be how to get rid of phishing. Later in this post, we’ll tell you how to uninstall phishing on your own.

But we’re just so clear: it’s not an easy process to uninstall malware manually and we don’t recommend it under any circumstances. There will be several viruses, backdoors, and secret false administrators on a compromised website. Trying to locate and delete them all on your own is a surefire way to totally ruin your web.

We highly recommend that you use a security plugin that automatically prevents phishing from your website without further delay.

How do I know my website has phishing?

You may be curious if your website has actually been hacked if you have not come across incidents of phishing campaigns yourself, and you have seen Google’s surfing alert. To rule out the chance, there is a sure-fire way:

  • Check Google Search Console > Protection Concerns for misleading content alerts.
  • In the study, visit any of the flagged URLs from another device, on another network, or in incognito mode. Hackers can disguise malware from website administrators to prolong infection.
  • On your platform, review third-party inclusions. Often, ad networks may serve advertisements that have phishing campaigns. Because commercials are usually cycled, you may have to refresh the page multiple times to validate the advertisements being displayed. Your website might also be flagged as having misleading material, even though an ad has social engineering content.

If you have trouble with Google Search Console flags, then you should be confident that your website is a survivor of the WordPress phishing hack and can try to delete phishing.

How to clean phishing campaigns from my website?

There are a couple of ways to delete the website’s phishing pages.

The easiest way to get rid of phishing is to use a security plugin to securely uninstall it, without further damaging the website. You will then go to appeal the notice.

Alternatively, you should manually delete phishing pages. To be sure, in order to locate the pages and thus malware, this method requires searching through the code. Phishing pages will not be readily accessible in your folder, but will be concealed in your content management system’s numerous system files and folders.

Only professional developers should strive to uninstall phishing files, since there is a risk that the correct code can be removed and the website can cause irretrievable harm. Please proceed to edit the following sites with caution:

  • Pages that you have not made. In order to appear authentic and to stay undetected for as long as possible, certain phishing sites would imitate the website architecture, content, and branding as much as possible.
  • Login and payment pages will mostly be phishing pages because this is the sort of data that hackers are looking to capture.


Pages branded by banks or eCommerce. As a legitimate entity is impersonated by phishers, they will copy their branding to do so. You are likely to find logo files that are used to replicate official branding, maybe in a favicon file, and several image files.


Unfamiliar folders that appear to be from another entity.

If you have them, incorrect checkout pages will appear on your own e-commerce pages. Hackers might be able to redirect your own clients from your pages.

As additional protection, take a fresh backup of your website, before phishing elimination. You still have the infected website that you started with if anything goes wrong, and you can decide instead to opt for a 1-click cleanup.

How to ask Google for a review

It takes an average of 72 hours to complete the review process. Making 100 percent sure that phishing removal was successful is vital. Otherwise, your request will be rejected and it will only take even longer to process.

  • Go back to Google Search Console > Issues of Security
  • Check the box that I have fixed these problems and request a review.
  • You will need to provide information about what steps you have taken to eliminate phishing.

Why WordPress is vulnerable to phishing?

By its very nature, WordPress is intended to be simple to use and easy to customise with themes and plugins as well. These additional software bits are intended to add functionality and features, but do not always have the best security practises. Consequently, they cause the page to have weak entry points.

Why WordPress is vulnerable to phishing?

By its very nature, WordPress is intended to be simple to use and easy to customise with themes and plugins as well. These additional software bits are intended to add functionality and features, but do not always have the best security practises. Consequently, they cause the page to have weak entry points.

You can’t completely do away with themes and plugins, and that really isn’t a solution. Taking preventive measures and addressing vulnerabilities is the best way.

How to prevent phishing from happening again?

Due to vulnerabilities, malware is finding its way into WordPress. To gain access, hackers exploit vulnerabilities and insert their nefarious code bits into your website. Quite often, website managers, until something goes wrong, are not even aware of these developments. And by then, there had already been significant damage and losses.

Install a security plugin

The importance of installing a good security plugin can not be underlined sufficiently. After being informed by a visitor or your web host or Google that your website has issues, you do not want to be caught on the back foot.

Choose a plugin that, in the first place, can prevent the installation of malware and includes a strong firewall. The plugin should be able to remove it without compromising your website further if malware is detected on your website, and ensure that the content remains intact. And finally, choose a plugin with an expert removal service for manuals.

Remove backdoors

It is difficult to execute this critical step in prevention well, because backdoors can be hidden in legitimate folders. What makes removal even more complex is that, for benign reasons, many of the functions are used by plugins. Deleting a feature that may appear to be a backdoor can have unintended implications. We do not recommend that you do this alone.

Delete unauthorised users

In order to identify and remove unverified users, check your database. Be careful not to delete users that are real. Change all admin passwords after phishing is removed, too.

Keep your website updated

To ensure security, a simple, often overlooked method is to keep your WordPress and all installed plugins and themes updated. Security patches include updates that address vulnerabilities, among other things, and should be installed on a priority basis.

Disable or remove them if there are plugins or themes that you don’t actively use.

Install an SSL certificate

SSL certificates are included in their services by most web hosts. SSL certificates encrypt data between browsers and servers that is sent back and forth. It is very easy to set up and use and is actually a Google requirement to encourage safe browsing.

Require strong login credentials

Usernames and passwords that are easy to guess are still one of the easiest ways for a hacker to gain unauthorised website access. All users are required to set strong passwords for their accounts.


There’s a lot you can do to secure your website, and you should. Here is a complete guide to all the steps you can take to address vulnerabilities, learn what to look for, and even how to choose the right website plugins and themes to ensure that your visitors and their information remain secure.

Types of phishing attacks

Phishing itself is a form of attack on social engineering, which essentially means that the attack depends on pretending to succeed in being someone else. Additionally, social engineering attacks rely on the victim giving up their information willingly, because they believe the request is legitimate.

WordPress phishing hack

In order to defraud people by pretending to be a brand, the hacker has inserted official-looking pages into your functioning website. While this is bad enough, consider that, to start with, you might have been the victim of a phishing attack because…

Targeting website administrators

In order for hackers to gain access to the websites you handle, you are sometimes targeted for your admin login credentials.

You may have received an email asking you to “urgently” update your database, otherwise something disastrous will occur. By entering your credentials, the email will take you to a page that will resemble your web host or admin panel to update your database.


Or perhaps, a scammer is posing as an irate customer, asking for a refund.


Notice the glaring grammatical mistakes, and there’s a link even though the email talks about an attachment.

These emails can sometimes take in even WordPress professionals with years of experience, especially if they manage multiple websites and handle the operations of all those websites in different places.

Email phishing vs. WordPress phishing hack

There are different phishing flavours: using emails, putting up malicious web pages, and a combination of the two most often. In order to gather their login credentials, hackers insert pages on your website which appear to be from a trusted organisation. Generally, an unsuspecting user reaches this fraudulent page via an email, but they can also stumble upon it via a link or a redirect.

Fun fact: The Google brand has a specific category of phishing attacks. Yup, the mighty Google is also not free from this threat. They have, in fact, a dedicated support page perpetuated in their name for misleading pages.


Individual vs. spear phishing

Phishing attacks target large groups, and a lack of personalisation is therefore one of the telltale signs of a phishing email. This is not to say that all automated emails are suspicious, but a lack of personalization can be a red flag if an email asks for sensitive data, such as credit card details or login credentials.

Except when a spear phishing attack happens to be the case. In order to give up their data, these types of attacks target specific people.

For certain websites, collecting login credentials may not pose a major problem for individuals, but it is a way to tap into the secure environment of that website (and its organisation) if, for example, the credentials belong to an employee.

We also tend to use similar credentials across various websites and devices, and sensitive information may be contained in those accounts.

How are phishing attacks discovered?

The most unfortunate way to find the WordPress phishing hack on your website is to land up on the blacklist of Google, and to see one of their warning messages for your visitors; unless you have a strong security plugin installed.

Through sophisticated AI, phishing websites are now being found. However, by individuals who experience them, they are also manually reported to Google.

In our everyday lives, as we are increasingly using devices and the Internet to perform tasks, internet security is now something of a byword. Everyone receives tips and advice from the government to their bank to keep their data safe from every brand they interact with, right to their grocery delivery app.

These messages contain practical ways to spot a phishing attack a mile away: check the sender (for emails), check the URL (for websites), if someone is unnecessarily pressured to complete an action, etc.

Phishing attacks are also getting more sophisticated, more accurately copying the language and branding of trusted organisations. Therefore, Google is extra vigilant about hacked websites in order to protect its users from being fooled.

What are phishers after?

Well, what are hackers of any kind after? Information which they are not permitted to have must be used in ways which they are not permitted to use. Unauthorized use may include theft of access to official databases and files, of identity, money or property, and so much more.

Look at the sectors that are most affected by phishing scams, and there is a clear pattern:


If your website stores any of the following information, you are a target for the WordPress phishing hack:

Details on credit cards
Account information for banks
Numbers for social safety
Passwords and usernames

And the list continues. As you can see from the list, for a hacker, any personal identification data is potentially useful. There are even lists of email addresses sold to unscrupulous companies or spammers.

What’s next then?

Hopefully, the removal of phishing was successful, and without any malware, your website is back up and running. We hope you have found the information helpful in this article.

Before we go, we want to emphasise that our expertise comes from protecting every day 1000s of websites like yours, and all that knowledge is packed into creating our best-in-class security plugin, MalCare. Try it out today, and be ever more stress-free about the security of your website.