
Finding out your website is being used for phishing can be alarming, especially if you did not create the page or send the suspicious emails.
In many cases, the website owner is not the intended victim. Instead, attackers have quietly broken into a legitimate site and used its trusted domain name to host fake login or verification pages.
The good news is that this can be fixed. The important thing is to act calmly, contain the issue quickly, and avoid removing only the visible phishing page while leaving the original security gap behind.
What is happening?
A phishing page is a fake page designed to trick people into entering sensitive information, such as passwords, payment details, or account logins.
Attackers often prefer to place these pages on real business websites because they look more trustworthy than a throwaway domain. Your website may have a valid HTTPS certificate, an established history with search engines, and a domain that does not immediately look suspicious.
That makes the scam more convincing for victims and more damaging for your business.
Why this matters for your business
Even if your customers were not the target, a compromised website can still affect your organisation. A phishing page hosted on your domain can lead to:
- Browser warnings that stop visitors reaching your site
- Hosting account suspension or abuse notices
- Search engine warnings and reduced visibility
- Email delivery problems if your domain is added to spam blocklists
- Loss of trust with customers, suppliers, and partners
- Potential data protection concerns if stolen information passed through your server
For a busy business owner, the visible phishing page is only part of the problem. The bigger question is how the attacker got in and whether they still have access.
How website owners usually find out
Most website owners do not discover phishing content by browsing their own site. The first warning usually comes from someone else.
You might receive:
- A warning from Google Safe Browsing, Microsoft SmartScreen, or another browser protection service
- An email from your hosting company about abuse or suspicious files
- A report from a customer, supplier, bank, or security team
- A notice that your outgoing email is being blocked
- A message in Google Search Console under security issues
By the time one of these warnings appears, the phishing page may already have been live for days or weeks.
Where phishing pages hide on WordPress sites
On WordPress websites, phishing files are often placed in locations that are easy for attackers to write to or that look ordinary at first glance.
Common hiding places include:
- Folders inside wp-content/uploads
- Directories with names that imitate well-known brands, such as fake login or account verification pages
- Randomly named folders that are not linked from the main website
- Modified theme, plugin, or core WordPress files
- Hidden PHP files used as backdoors
A backdoor is a hidden way for an attacker to regain access after a clean-up. If the phishing page is removed but the backdoor remains, the site can be reinfected very quickly.
Do not just delete the page and move on
It is tempting to find the suspicious folder, delete it, and assume the issue is solved. Unfortunately, that often only removes the symptom.
Phishing kits can sit alongside other malicious files, fake admin users, spam mailers, redirects, or hidden access points. The homepage may look completely normal while the problem remains buried elsewhere.
A proper malware removal process needs to deal with both the phishing content and the route the attacker used to place it there.
What to do first
The first priority is to stop harm without destroying useful evidence or giving the attacker a chance to return.
- Take the phishing content offline. This may mean renaming the folder, blocking the URL, or moving the files out of the public web area.
- Take a full backup of the infected site. Keep a copy before making major changes. This can help with investigation, reporting, and recovery if anything goes wrong.
- Quarantine suspicious files. Store them safely outside the public website rather than leaving them accessible.
- Change all relevant passwords. Include WordPress administrators, hosting, SFTP or FTP, database, email, API keys, and any third-party integrations.
- Force users to log in again. End active sessions and remove any access you do not recognise.
Only after containment should the full clean-up begin.
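The containment steps above, as a small added shell example (not matm's or Sucuri's code, and not part of the original article). It assumes a POSIX shell with tar on the hosting account and, for the access-reset function only, WP-CLI installed; every path and the placeholder "phishing page" are constructed for the demo at the bottom.

```shell
#!/bin/sh
# Added example, not matm's or Sucuri's code: first-response containment for a
# WordPress site found hosting a phishing page. Assumes a POSIX shell with tar
# and, for reset_wp_access only, WP-CLI ("wp") installed on the host.
# Every path and the placeholder "phishing page" below are constructed.

# Archive the whole webroot before touching anything, so the hosting provider
# and anyone investigating can see exactly what was on disk. Prints the path.
backup_site() {
  webroot=$1
  dest=$2
  mkdir -p "$dest"
  stamp=$(date +%Y%m%d-%H%M%S)
  archive="$dest/site-before-cleanup-$stamp.tar.gz"
  # -C keeps archive paths relative to the webroot's parent directory
  tar -czf "$archive" -C "$(dirname "$webroot")" "$(basename "$webroot")"
  echo "$archive"
}

# Move a suspicious path out of the public web area into a quarantine folder,
# preserving its relative path so its original location stays obvious.
# Moving instead of deleting takes the page offline but keeps the evidence.
quarantine_path() {
  webroot=$1
  relpath=$2
  qdir=$3
  target="$qdir/$relpath"
  mkdir -p "$(dirname "$target")"
  mv "$webroot/$relpath" "$target"
  echo "$target"
}

# Once the content is offline, invalidate every existing login. New salts make
# all WordPress auth cookies unusable; destroying sessions clears server-side
# state too. Hosting, SFTP, database and email passwords are changed in their
# own control panels. Not run by the demo: it needs a live install.
reset_wp_access() {
  webroot=$1
  command -v wp >/dev/null 2>&1 || { echo "WP-CLI not found" >&2; return 1; }
  wp --path="$webroot" config shuffle-salts
  for uid in $(wp --path="$webroot" user list --field=ID); do
    wp --path="$webroot" user session destroy "$uid" --all
  done
}

# Demo on a throwaway tree. The "phishing page" is an inert placeholder file.
demo=$(mktemp -d)
kit=wp-content/uploads/2025/02/account-verify
mkdir -p "$demo/site/$kit"
printf '<?php // constructed placeholder standing in for a phishing page\n' > "$demo/site/$kit/index.php"
archive=$(backup_site "$demo/site" "$demo/backups")
moved=$(quarantine_path "$demo/site" "$kit" "$demo/quarantine")
echo "backup:      $archive"
echo "quarantined: $moved"
tar -tzf "$archive" | grep "$kit"   # the backup still holds the original copy
rm -rf "$demo"
```

The order matters: the backup is taken first so the quarantine move and every later clean-up step can be compared against what was actually on disk when the report arrived.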
Cleaning the website properly
A clean-up should be thorough. Attackers rely on partial fixes, especially on websites without regular security monitoring or managed updates.
The process should include:
- Removing the phishing files and directories
- Searching for backdoors and obfuscated code
- Checking for unfamiliar WordPress admin users
- Reviewing scheduled tasks and unusual server activity
- Inspecting files such as .htaccess and wp-config.php for redirects or hidden includes
- Reinstalling WordPress core, plugins, and themes from trusted sources
- Updating vulnerable plugins, themes, and WordPress itself
- Checking file permissions and removing access that is no longer needed
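The hiding places listed under "Where phishing pages hide on WordPress sites" and the search steps in the clean-up list above, as one added shell example (not matm's or Sucuri's code, and not part of the original article). It assumes POSIX find, grep and sed and the default WordPress directory layout; the fixture site it builds is entirely constructed, and the patterns it looks for are heuristics that produce leads for a human to review, not verdicts.

```shell
#!/bin/sh
# Added example, not matm's or Sucuri's code: triage checks for the hiding
# places and clean-up items above. Everything here is heuristic: a hit is a
# lead to inspect by hand, not proof of compromise, and no hits is not proof
# the site is clean. Assumes POSIX find/grep/sed and default WordPress paths.

# PHP files under wp-content/uploads. WordPress never needs executable code
# there, so every hit deserves a look.
find_php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null || true
}

# Obfuscated or request-controlled code execution, the usual shape of a
# backdoor. Some legitimate plugins match too; review each file before acting.
scan_suspicious_code() {
  find "$1" -type f -name '*.php' -exec grep -lE \
    'eval\((base64_decode|gzinflate|gzuncompress|str_rot13)\(|(system|passthru|shell_exec|assert)\(\$_(GET|POST|REQUEST|COOKIE)' \
    {} + 2>/dev/null || true
}

# .htaccess rules that send visitors off-site or preload extra PHP, and
# wp-config.php includes other than the normal wp-settings.php line.
check_config_files() {
  webroot=$1
  [ -f "$webroot/.htaccess" ] && grep -nE \
    '(RewriteRule|Redirect).*https?://|auto_(prepend|append)_file|php_value' \
    "$webroot/.htaccess" | sed 's|^|.htaccess:|'
  [ -f "$webroot/wp-config.php" ] && grep -nE '(include|require)(_once)?' \
    "$webroot/wp-config.php" | grep -v 'wp-settings.php' | sed 's|^|wp-config.php:|'
  return 0
}

# Admin accounts and scheduled (cron) events live in the database, so this
# step needs WP-CLI; without it, inspect wp_users, wp_usermeta and the
# "cron" row of wp_options directly. Not run by the demo.
list_admins_and_cron() {
  command -v wp >/dev/null 2>&1 || { echo "WP-CLI not found" >&2; return 1; }
  wp --path="$1" user list --role=administrator --fields=ID,user_login,user_email,user_registered
  wp --path="$1" cron event list
}

# Constructed fixture: a minimal site tree with one clean theme file, a
# placeholder phishing folder, a hidden PHP file showing the eval/base64
# pattern (with no input, so it does nothing), and an off-site redirect.
build_fixture_site() {
  fx=$1
  mkdir -p "$fx/wp-content/themes/demo" "$fx/wp-content/uploads/2025/02/account-verify"
  printf '<?php\nadd_action("init", "demo_init");\n' > "$fx/wp-content/themes/demo/functions.php"
  printf '<?php // constructed placeholder for a phishing page\n' > "$fx/wp-content/uploads/2025/02/account-verify/index.php"
  printf '<?php eval(base64_decode($never_defined)); // constructed fixture\n' > "$fx/wp-content/uploads/2025/02/.cache.php"
  printf '<?php\nrequire_once ABSPATH . "wp-settings.php";\n' > "$fx/wp-config.php"
  cat > "$fx/.htaccess" <<'EOF'
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
# END WordPress
RewriteRule ^login$ http://verify.example/acct [R=302,L]
EOF
}

# Demo run over the fixture
site=$(mktemp -d)
build_fixture_site "$site"
echo "== PHP in uploads ==";  find_php_in_uploads "$site"
echo "== suspicious code =="; scan_suspicious_code "$site"
echo "== config files ==";    check_config_files "$site"
rm -rf "$site"
```

On the fixture, the uploads check lists both PHP files, the code scan flags only the hidden .cache.php and leaves the theme's functions.php alone, and the config check reports the single off-site RewriteRule while ignoring WordPress's own rewrite block. Files that match still need to be read, and a clean result is the point at which reinstalling core, plugins and themes from trusted sources takes over.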
For business-critical websites, this is where professional website maintenance and malware removal support can save time and reduce the risk of reinfection.
How to remove browser and search warnings
Once the site has been fully cleaned, you may need to request reviews from the services that flagged it.
Google Safe Browsing warnings are usually handled through Google Search Console. Microsoft SmartScreen and other reporting services have their own review processes. If the URL was reported to phishing databases, those may also need rechecking after the malicious content has been removed.
Do not submit review requests too early. If the website still contains malware, phishing pages, or backdoors, the warning may remain in place for longer.
Check whether any data was collected
In some attacks, the fake form sends stolen information to an external server. In others, it may store submissions on your own hosting account.
If there is any chance that personal data passed through your website, check server logs, databases, and suspicious files carefully. You may also need to consider your data protection responsibilities and seek appropriate advice.
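The log check described above, as an added shell example (not matm's or Sucuri's code, and not part of the original article). It assumes the common "combined" access log layout used by Apache and Nginx (client address first, request line in quotes, timestamp in square brackets); the log lines, addresses, paths and the quarantined kit it works on are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not matm's or Sucuri's code: checking whether a phishing form
# on the site received any submissions, using the web server access log and
# the quarantined kit files. Assumes the common "combined" log layout (client
# address first, request line in quotes, timestamp in brackets). All log lines,
# addresses and paths are constructed for this demo.

# Every POST to anything under the phishing folder. A GET shows the page was
# viewed; a POST is a form submission and the point at which data may leave.
form_submissions() {
  log=$1; prefix=$2
  grep -E "\"POST $prefix" "$log" || true
}

# How many submissions, from how many distinct addresses, and over what period.
# The period shows how long the page was live and bounds the exposure.
submission_summary() {
  hits=$(form_submissions "$1" "$2")
  count=$(printf '%s\n' "$hits" | grep -c . || true)
  sources=$(printf '%s\n' "$hits" | awk '{print $1}' | sort -u | grep -c . || true)
  first=$(printf '%s\n' "$hits" | head -n 1 | sed -n 's/.*\[\([^]]*\)\].*/\1/p')
  last=$(printf '%s\n' "$hits" | tail -n 1 | sed -n 's/.*\[\([^]]*\)\].*/\1/p')
  echo "submissions=$count sources=$sources first=$first last=$last"
}

# Kits that store submissions locally usually write plain text files next to
# the page; kits that email them out leave traces in the mail log instead.
find_capture_files() {
  find "$1" -type f \( -name '*.txt' -o -name '*.log' -o -name '*.csv' -o -name '*.dat' \) || true
}

# Constructed sample log: two submissions to the fake form from two addresses,
# plus ordinary traffic that must not be counted.
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.5 - - [10/Mar/2025:09:12:01 +0000] "GET /wp-content/uploads/2025/02/account-verify/index.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2025:09:12:40 +0000] "POST /wp-content/uploads/2025/02/account-verify/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:09:15:12 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:10:02:03 +0000] "POST /wp-content/uploads/2025/02/account-verify/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2025:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
EOF
}

# Constructed quarantined kit: page, handler and a local capture file.
write_sample_kit() {
  mkdir -p "$1"
  printf '<?php // placeholder page\n' > "$1/index.php"
  printf '<?php // placeholder handler\n' > "$1/login.php"
  printf 'constructed: alice@example.com,password-placeholder\n' > "$1/result.txt"
}

# Demo
work=$(mktemp -d)
write_sample_log "$work/access.log"
write_sample_kit "$work/quarantine/account-verify"
prefix=/wp-content/uploads/2025/02/account-verify/
form_submissions "$work/access.log" "$prefix"
submission_summary "$work/access.log" "$prefix"
find_capture_files "$work/quarantine"
rm -rf "$work"
```

On the sample log the summary reads two submissions from two addresses between 09:12 and 10:02 on 10 March, and the capture-file search turns up result.txt in the quarantined kit. Those two facts, how many people submitted and whether their data stayed on your server, are what a data protection adviser will ask for first.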
How to prevent it happening again
Once the immediate issue is under control, the next step is improving your WordPress security so the same problem does not return.
Useful prevention measures include:
- Keep WordPress, plugins, and themes updated. Outdated software is one of the most common ways attackers get in.
- Use strong, unique passwords. A password manager helps prevent reuse across accounts.
- Enable multi-factor authentication. This adds a second step to logins, making stolen passwords less useful.
- Limit admin access. Give users only the permissions they actually need.
- Use a WAF. A web application firewall helps block common attacks before they reach your website.
- Set up security monitoring. File integrity monitoring and malware scanning can alert you when unexpected changes appear.
- Keep reliable offsite backups. Backups should be tested, recent, and stored away from the main website.
- Train your team. Phishing emails aimed at staff can lead to stolen admin credentials.
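The file integrity monitoring mentioned in the "Set up security monitoring" item, as an added shell example (not matm's or Sucuri's code, and not part of the original article). It assumes GNU coreutils (sha256sum, find -print0, sort -z, xargs -r); the site tree it checks is constructed for the demo.

```shell
#!/bin/sh
# Added example, not matm's or Sucuri's code: a minimal file integrity check of
# the kind the "security monitoring" item above refers to. A baseline of
# checksums is taken right after the site is clean; later runs report files
# that changed, vanished, or appeared. Assumes GNU coreutils (sha256sum,
# find -print0, sort -z, xargs -r). Real monitoring would run this from cron
# and keep the baseline off the web server, where an attacker cannot edit it.

# Files worth watching: anything the server can execute, plus .htaccess.
watched_files() {
  ( cd "$1" && find . -type f \( -name '*.php' -o -name '.htaccess' \) )
}

# Record a checksum for every watched file. Manifest path must be absolute.
fim_baseline() {
  webroot=$1; manifest=$2
  ( cd "$webroot" && find . -type f \( -name '*.php' -o -name '.htaccess' \) -print0 \
      | LC_ALL=C sort -z | xargs -0 -r sha256sum > "$manifest" )
}

# Compare the tree against the manifest. Prints one line per difference:
#   CHANGED <path>   content differs from the baseline
#   MISSING <path>   was in the baseline, now gone
#   NEW <path>       not in the baseline at all (the classic dropped backdoor)
fim_check() {
  webroot=$1; manifest=$2
  ( cd "$webroot" && sha256sum -c --quiet "$manifest" 2>/dev/null ) | awk '
    /: FAILED open or read$/ { sub(/: FAILED open or read$/, ""); print "MISSING " $0; next }
    /: FAILED$/              { sub(/: FAILED$/, "");              print "CHANGED " $0 }'
  known=$(mktemp); now=$(mktemp)
  sed 's/^[0-9a-f]\{64\}  //' "$manifest" | LC_ALL=C sort > "$known"
  watched_files "$webroot" | LC_ALL=C sort > "$now"
  comm -13 "$known" "$now" | sed 's/^/NEW /'
  rm -f "$known" "$now"
}

# Demo on a constructed throwaway site
site=$(mktemp -d)
mkdir -p "$site/wp-content/themes/demo"
printf '<?php echo "theme";\n' > "$site/wp-content/themes/demo/functions.php"
printf '<?php require "wp-blog-header.php";\n' > "$site/index.php"
printf 'RewriteEngine On\n' > "$site/.htaccess"
fim_baseline "$site" "$site.sha256"
echo "clean run (no output expected):"; fim_check "$site" "$site.sha256"
printf '<?php echo "theme"; // edited\n' > "$site/wp-content/themes/demo/functions.php"
printf '<?php // constructed stand-in for a dropped file\n' > "$site/wp-content/themes/demo/.x.php"
rm "$site/index.php"
echo "after tampering:"; fim_check "$site" "$site.sha256"
rm -rf "$site" "$site.sha256"
```

Legitimate updates change files too, so the baseline is refreshed after every planned update; anything reported between updates is a change nobody scheduled and is worth a look the same day rather than weeks later when a browser warning arrives.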
How matm can help
At matm, we help businesses keep WordPress websites secure, maintained, and recoverable. If your website has been compromised, or you want to reduce the risk of future attacks, we can help with:
- Managed WordPress, plugin and theme updates
- Security monitoring and WAF setup
- Regular backups and fast site recovery
- Malware removal and emergency response
If you are worried your website is hosting a phishing page, contact matm on [email protected] or call 01952 883 526.
Based on research by Sucuri.