⚠️ Warning: A new phishing campaign is targeting WordPress website owners with fake update emails. Stay alert and don’t get tricked!
🧐 What’s happening?
Many users have recently received emails with subject lines like:
“WordPress 6.5.2 requires a PHP update”
At first glance, it looks like a routine notification. But in reality, it’s a scam.
🚩 Red Flags in These Emails
- Fake sender address — It’s not from
wordpress.org, even if it looks similar. - Malicious links — The email contains links that supposedly point to PHP update instructions, but actually lead to phishing websites or install malware.
- Professional design — The email looks clean and legitimate to avoid suspicion.
🧪 What does the fake email look like?
A typical email includes:
- A warning about outdated PHP
- A button or link to “update” or “read more”
- Reference to the latest WordPress version (e.g., 6.5.2)
It’s designed to make you panic and click — don’t fall for it.
✅ What should you do?
- Do NOT click any links in the email.
- Verify the sender — If it looks suspicious, delete it immediately.
- Contact your hosting provider or site administrator.
- Ensure your site is fully updated (WordPress core, themes, and plugins).
- Scan your site for malware if you accidentally interacted with the email.
🛡 How to stay safe?
- Use trusted security plugins like Wordfence or iThemes Security.
- Enable two-factor authentication for admin logins.
- Regularly back up your site.
- Never trust emails asking you to manually update anything — check your site’s dashboard instead.
📌 Remember: WordPress does not send emails asking you to update PHP or install plugins manually. All official updates happen via your site’s admin panel or through your hosting provider.
When in doubt — ask your developer or digital agency. Better safe than hacked.