Attackers are increasingly targeting poorly protected and abandoned WordPress websites for hosting phishing pages [1]. This poses a significant threat to users’ sensitive information and highlights the need for improved security measures.


Kaspersky recently reported that over 22,400 compromised WordPress websites were used for hosting phishing pages [1]. The attackers exploit vulnerabilities in WordPress plugins and themes to infiltrate these websites. Interestingly, they often leave the main functionality of the compromised websites untouched while hiding their phishing pages in new directories. By uploading a malicious shell script [1], the attackers gain remote access to the websites, allowing them to control the site and store sensitive information.

Phishing remains a popular method for attackers to deceive users into sharing sensitive information. The long neglect of these websites makes them attractive targets, as the phishing pages can remain active for an extended period. One example of malware that specifically targets poorly protected WordPress websites is the Balada Injector. This malware operates in waves, using new domain names and new code each time [2]. It adds multiple instances of malicious code to compromised websites, granting attackers remote access and redirecting visitors to websites with malvertising campaigns [2]. Researchers have discovered URLs of Command & Control endpoints and obfuscated JavaScript files used in the operation [2].

While the Balada Injector may not be as advanced as it could be [2], it still poses a significant threat. Website operators can follow Kaspersky’s tips to detect if their WordPress website has been hacked and is hosting phishing pages.
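Because the phishing pages are hidden in new directories and access is gained through an uploaded script, a site owner can look for both on disk. The following is an added example, not taken from Kaspersky's tips or from the cited reports: it assumes a stock WordPress layout, and the sample tree and the names `secure-login-update` and `cache.php` are constructed for illustration.

```python
import os
import tempfile

# Directories a stock WordPress install keeps in its document root (assumption).
CORE_DIRS = {"wp-admin", "wp-content", "wp-includes"}
PHP_EXTS = (".php", ".phtml", ".php5", ".phar")


def unexpected_dirs(root, allow=()):
    """Top-level directories that are neither WordPress core nor allowlisted."""
    known = CORE_DIRS | set(allow)
    return sorted(
        e.name for e in os.scandir(root)
        if e.is_dir(follow_symlinks=False) and e.name not in known
    )


def php_in_uploads(root):
    """PHP-like files under wp-content/uploads, which normally holds only media."""
    uploads = os.path.join(root, "wp-content", "uploads")
    hits = []
    for dirpath, _dirs, files in os.walk(uploads):
        for name in files:
            if name.lower().endswith(PHP_EXTS):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample site: core layout plus two planted anomalies."""
    for d in ("wp-admin", "wp-includes", "wp-content/uploads/2023/06",
              ".well-known", "secure-login-update"):
        os.makedirs(os.path.join(base, *d.split("/")))
    for f in ("index.php", "wp-content/uploads/2023/06/photo.jpg",
              "wp-content/uploads/2023/06/cache.php",
              "secure-login-update/index.html"):
        with open(os.path.join(base, *f.split("/")), "w") as fh:
            fh.write("constructed sample\n")
    return base


def scan_sample():
    """Run both checks over the constructed tree and return their findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return unexpected_dirs(root, allow=(".well-known",)), php_in_uploads(root)


if __name__ == "__main__":
    print(scan_sample())
```

On a real site, pass the document root to `unexpected_dirs` and `php_in_uploads` and allowlist the directories you created yourself; anything left over is a lead to review, not proof of compromise.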


The increasing targeting of poorly protected and abandoned WordPress websites for hosting phishing pages highlights the urgent need for improved security measures. Website operators must remain vigilant and take steps to protect their websites from these attacks. Additionally, users should be educated about the risks of phishing and how to identify and avoid falling victim to such attacks. By implementing these measures, we can mitigate the impact of these attacks and ensure a safer online environment for all users.