New phishing campaigns are trying to trick WordPress admin users into giving out their username and password so that hackers can take over their sites.
What is email phishing?
Just as it sounds, email phishing is a social engineering trick that throws some “bait” into your inbox to try and reel you in as a fisherman does with fish.
Sometimes the bait (fake email) can look pretty darn authentic too!
WordPress core and many plugins such as WooCommerce, Gravity Forms and others send out email notifications to administrators.
It’s easy to get distracted when you are busy – I’ve fallen foul to that trap myself in the past.
Types Of WordPress Email Phishing Scams
Database Upgrade
A WordPress site often needs to update the database.

Sometimes after an update, you will see the above page asking you to upgrade the database.
The database upgrade is a page on your site and never an email.
Scam emails will send you to a link which looks like a standard WordPress login page.
The scammers record your username and password and can even log you into your site, so you don’t suspect anything.
Admin Email Correct?
Another WordPress core system notification prompts you to verify the admin email.

Similar to the database upgrade, this is a page on your website and never an email.
The phishing email will redirect you to a fake WordPress login page where the scammers steal your login details.
How Can You Spot Scam Emails?
When you hover over a button or link in most email apps, you can see the attached URL.
Have a look at the URL before you click through.
If it seems suspicious, don’t click it – type your website URL directly into a browser tab.
Keep The Hackers Out Using 2FA
For an additional layer of security, consider using multi-factor authentication for your WordPress logins.