How did phishing pages end up on my site?

Almost always a vulnerable plugin, an unprotected upload form, or stolen credentials. Attackers scan the web constantly for vulnerable WordPress installs to use as throwaway hosting.

Am I in trouble with Google or my host?

You can be. Google Safe Browsing flags domains hosting phishing kits, and most hosts will suspend an account on a phishing complaint. We submit reconsideration and provide a written explanation for your host.

Will my visitors know?

No — the kit is on subpages, not your homepage. Real visitors hitting your real site don’t see it. Anti-phishing services may add a notice to the affected URLs, which we get removed as part of the cleanup.

How do I prevent this happening again?

The report names the exact vector and lists the specific changes you need to make. I can also handle them for you.

// PHISHING PAGE · WORDPRESS · REMOVED

WordPress phishing page removal.

Your domain is being used to host fake login pages for Microsoft, Google, or banks. I remove the phishing kit, close the way in, and file the abuse reports. Flat $279.

Start a cleanup → How phishing pages end up on your site

§ 01 — MECHANISM

Your domain looks legitimate. That’s why they picked you.

A compromised WordPress install with a real SSL certificate and an aged domain is the perfect hosting platform for a phishing page. The attacker uploads a fake-login kit — usually to wp-content/uploads/ — and sends links to thousands of victims. Your visitors see the unfamiliar URL only after they’ve typed their password.

Removing the phishing kit is the easy part. The harder part is finding the backdoor that uploaded it, because the same backdoor will upload another one in two days. I do both.

// find — recently uploaded suspicious files

01 find wp-content/uploads/ \\
02     -type f \( -name '*.html' -o -name '*.php' \) \\
03     -mtime -30
04
05 // HTML or PHP files in /uploads/ created in the last
06 // 30 days are almost always either kits or backdoors.

§ 02 — WHAT WE REMOVE

Phishing kit out. Backdoor closed.

[ TRIAGE ]

Filesystem scanned for files that don’t belong: HTML and PHP in uploads, files mimicking famous login pages, unfamiliar subdirectories.
[ PHISHING KIT ]

Every file in the kit removed. Static assets, fake forms, exfiltration endpoints — gone.
[ BACKDOORS ]

The PHP backdoor that uploaded the kit is found and removed, so the next batch can’t be planted.
[ HARDENING ]

PHP execution disabled in uploads. File upload checks audited. Permissions tightened.
[ ABUSE REPORTS ]

Abuse reports filed with the host of the exfiltration endpoint and the registrars of any spoofed brands.
[ REPORT ]

Plain-English forensic write-up, list of brands targeted, what the kit collected, what I did about it.

§ PRICE

Flat $279. One-time. Per site.

[ RESCUE ]

$279

FLAT · ONE-TIME · PER SITE

Manual cleanup, entry-vector identification, written forensic report.

Start a cleanup →

[ SHIELD ]

$29 / mo

PER SITE · CANCEL ANY TIME

Continuous monitoring, hardening, one cleanup per year included.

Get protected →

Part of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.

See all services →

Start an engagement.

Send the scope, stack, and timeline. You get a written proposal with a fixed quote.

Contact →