We’ve been receiving and filtering out more of these phishing emails aimed at getting login details for WordPress sites.
This phishing attempt is quite sophisticated.
When the link to log in is clicked, the user is taken to a copy of the standard WordPress login page hosted on the attacker's site. After entering their credentials, the user is redirected to their own real login page, so it looks as though the first attempt failed because of a typo; in fact the credentials have already been recorded by the attacker.
It would be easy for a user to not even notice their credentials have been stolen.
Although the login link is hidden behind the formatting of the HTML email (the orange button), the poor spelling and grammar are a dead giveaway, and the attacker's bogus URL is revealed when the mouse hovers over the button.
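The hover check described above can be applied automatically on the mail-filtering side. The following is an added example, not code from the original post: it parses the HTML body of a message, extracts every link, and flags those that look like a WordPress login (a wp-login.php or wp-admin path, or login-style button text) whose hostname is not the site the recipient actually administers. It also rejects lookalike hosts that merely contain the trusted name. The sample message, the `example.com` site and the `example.net` attacker host are constructed for illustration.

```python
"""Flag e-mail links that look like a WordPress login but point off-site.

Added example, not code from the original post. Hostnames below use the
reserved example.com / example.net names and are hypothetical.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Normalise the button text to single spaces
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def extract_links(html):
    """Return a list of (href, text) pairs, in document order."""
    parser = _LinkExtractor()
    parser.feed(html)
    parser.close()
    return parser.links


def is_trusted_host(host, trusted_hosts):
    """True only for an exact trusted host or a genuine subdomain of one.

    A lookalike such as example.com.attacker.example.net contains the
    trusted name but does not end with ".example.com", so it is rejected.
    """
    host = host.lower().rstrip(".")
    for trusted in trusted_hosts:
        trusted = trusted.lower().rstrip(".")
        if host == trusted or host.endswith("." + trusted):
            return True
    return False


def suspicious_login_links(html, trusted_hosts):
    """Return login-looking links whose host is not one of trusted_hosts."""
    flagged = []
    for href, text in extract_links(html):
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()   # "" for relative/mailto links
        path = parsed.path.lower()
        lowered = text.lower()
        looks_like_login = ("wp-login" in path or "wp-admin" in path
                            or "login" in lowered or "log in" in lowered)
        if looks_like_login and not is_trusted_host(host, trusted_hosts):
            flagged.append({"href": href, "text": text, "host": host})
    return flagged


# Constructed sample message: an orange "button" whose href mimics the real
# site by placing its name as a subdomain of the attacker's host.
SAMPLE_EMAIL_HTML = """
<p>Dear custumer, your WordPress sites require an urgent update.</p>
<p><a href="http://example.com.wp-login.example.net/wp-login.php?redirect_to=http://example.com/wp-admin/" style="background:#f60;color:#fff;padding:10px">Login to update now</a></p>
<p>Read our <a href="https://example.com/blog/">blog</a> for more.</p>
"""

if __name__ == "__main__":
    for hit in suspicious_login_links(SAMPLE_EMAIL_HTML, ["example.com"]):
        print(f"suspicious: '{hit['text']}' -> {hit['href']} (host {hit['host']})")
```

Run against the constructed message with `["example.com"]` as the trusted list, the orange button is flagged because its host is `example.com.wp-login.example.net`, while the ordinary blog link on the real site passes. The subdomain rule is deliberate: `www.example.com` is accepted, but a host that only starts with the trusted name is not.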
One easy way to protect users against this type of attack is to customise their login page so that it looks significantly different from the default WordPress login page (something we do as standard when developing WordPress-based sites). Users then have a visual cue that they are on the correct login page. Bear in mind that it is only a visual cue: an attacker who targets a specific site can copy the customised page too, so users should still check the address bar before typing a password.