We’re Seeing a New Type of Phishing Enquiry Targeting WordPress Sites

Over the past few weeks, we’ve encountered a new type of phishing enquiry that looks convincingly like a genuine project brief. 

Not once, but twice, we received enquiries that appeared completely legitimate. The kind of message any digital agency would typically respond to without hesitation. 

In both cases, the objective appeared to be the same: encourage interaction with a compromised WordPress staging environment. 

It’s a reminder that phishing attacks are evolving. They are becoming more targeted, more believable, and far better at blending into normal day-to-day workflows. 


What These Enquiries Look Like 

Unlike traditional phishing emails filled with obvious warning signs, these enquiries are polished, professional, and structured like real client briefs. 

At first glance, they feel entirely routine. 

Some of the red flags we noticed included: 

  • Unexpected enquiries with unusually detailed technical requirements  
  • Links to staging environments or admin areas you do not recognise  
  • Requests to review backend systems very early in the conversation  
  • File downloads hosted outside trusted platforms  
  • Small inconsistencies in branding, domains, or email addresses  

None of these signs alone confirms malicious intent, which is exactly what makes this approach so effective. 

The messaging feels natural because it mirrors a standard onboarding process that agencies and developers deal with every day. 

Why This Is a Concern 

What stood out most was how convincing these enquiries were. 

Rather than relying on obvious spam tactics, these attacks appear carefully designed to target businesses working within the digital and web development space. 

The enquiries used: 

  • Realistic language and familiar project terminology  
  • Legitimate-looking staging environments and domains  
  • Requests that closely resemble genuine pre-project conversations  

In both examples we reviewed, the links pointed to WordPress staging environments. 

While we cannot confirm the exact intent behind them, the potential risks are significant. These types of approaches could be used to: 

  • Capture login credentials through spoofed WordPress admin panels  
  • Encourage downloads of malicious files disguised as project documentation  
  • Gain access to systems through compromised credentials  

This is less about exploiting WordPress itself and more about exploiting trust, routine, and human behaviour. 

And that is often far more effective. 

Who Could Be Affected? 

From what we have seen so far, this type of phishing attempt is most relevant to: 

  • Digital agencies handling inbound website enquiries  
  • Freelance developers and WordPress specialists  
  • Businesses running WordPress websites  
  • Teams using publicly accessible staging or development environments  

If your workflow regularly involves reviewing external links, staging sites, or shared documentation, you are a potential target. 

What We Recommend Checking 

As a precaution, it is worth reviewing a few important areas across your website and hosting setup. 

1. Secure Staging Environments  

  • Password-protect staging and development sites using basic authentication  
  • Restrict access by IP address wherever possible  

2. Review File Uploads  

  • Check your /wp-content/uploads/ directory for unfamiliar files  
  • Prevent execution of PHP or script files within upload directories through server configuration  

3. Update Plugins and Themes  

  • Keep WordPress core, plugins, and themes fully up to date  
  • Remove unused plugins or anything no longer maintained  

4. Audit User Access  

  • Review administrator accounts regularly  
  • Remove unfamiliar or inactive users  
  • Enforce strong passwords and enable two-factor authentication wherever possible  

5. Maintain Awareness  

  • Be cautious with unsolicited documents, downloads, or staging links  
  • Avoid logging into external admin panels unless the source has been properly verified  
  • Trust your instincts if something feels slightly off  
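As an added example, not code from the original post or from Clevercherry, the POSIX shell script below covers recommendations 1 and 2 for an Apache-hosted site: it lists files under a wp-content/uploads path whose extension could run server-side (including double extensions such as photo.jpg.php), writes an Apache 2.4 .htaccess that refuses direct requests for PHP-like files in uploads, and writes a staging .htaccess that combines an IP allow-list with basic authentication. The 203.0.113.0/24 range and the htpasswd path are placeholders, not values from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Covers recommendation
# 1 (lock down staging) and 2 (audit uploads) for an Apache-hosted site.

# List files under the given uploads directory whose extension could be
# executed server-side. Double extensions such as photo.jpg.php match too,
# since the final .php is what makes them executable if the server allows it.
find_script_files() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.cgi' \
        -o -iname '*.pl' -o -iname '*.sh' \) 2>/dev/null
}

# Number of findings, suitable for scripted checks and alerting.
count_script_files() {
    find_script_files "$1" | wc -l | tr -d ' '
}

# Apache 2.4 rule for wp-content/uploads: refuse direct requests for
# PHP-like files while images and documents are still served normally.
write_uploads_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Apache 2.4 rule for a staging docroot: an allow-listed office range gets
# in without a prompt, everyone else needs basic auth credentials.
# 203.0.113.0/24 and the htpasswd path are placeholders (assumptions).
write_staging_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
AuthType Basic
AuthName "Staging - authorised users only"
AuthUserFile /etc/apache2/.htpasswd-staging
<RequireAny>
    Require ip 203.0.113.0/24
    Require valid-user
</RequireAny>
EOF
}

# Usage: ./audit.sh /var/www/site/wp-content/uploads
if [ "$#" -gt 0 ]; then
    echo "Script-like files under $1: $(count_script_files "$1")"
    find_script_files "$1"
fi
```

Run the audit against each site's uploads directory and treat any non-zero count as something to investigate, since WordPress itself never needs executable files there.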

What We Did Internally 

Following these enquiries, we carried out a review across our own WordPress client environments. 

This included checks for: 

  • Unauthorised files or suspicious activity  
  • Plugin, theme, and WordPress core updates  
  • Staging environment visibility and access controls  
  • User permissions and authentication settings  

Fortunately, everything was found to be in good order. 

That said, the exercise reinforced how easily these types of phishing attempts could slip through without careful attention, especially when they appear so legitimate on the surface. 


Final Thoughts 

This does not appear to be a widespread attack in the traditional sense. 

Instead, it highlights how phishing and social engineering tactics are becoming more sophisticated and more targeted, particularly within the digital and web development sector. 

If you manage WordPress websites, it is worth taking a few minutes to review your setup, staging environments, and security processes to ensure everything is properly protected. 

And if an enquiry ever feels slightly unusual, even if it looks professional, it is always worth slowing down and taking a closer look. 

Prevention starts with awareness. 

If you would like support reviewing your WordPress security, staging environments, or wider digital infrastructure, speak to Clevercherry about strengthening your website security and protecting your digital platforms. 
