4 Steps to Fight Phishing

Cary, NC – At CaryCitizen, we publish about 60 websites for businesses and orgs. So, it was inevitable that someone would get hit with a phishing attack sooner or later. Here are four tips for fixing your website.

What’s a Phishing Attack?

Most people know phishing from the consumer side. You get an alarmist email with something like “Your bank account is going to be put on hold.” You click on the link and it goes to some tacky site selling cheap phones or Viagra.

But phishing also affects website owners and publishers. That’s because the bogus link to consumers goes to a bogus page hosted on your website.

Phishing hacks place a small piece of code (called malware) on your website. It generates the offending page under your domain name.

The offending code can come from a comment, a pingback or via FTP.

While anyone can be the victim of a phishing attack, it most often happens to websites that haven’t kept current with updates.

Step 1 – Update Everything

Take a back-up of your site before updating.

As an example of updating everything, if your website is powered by WordPress, make sure you are using the latest version. If you’re using an earlier version, you’re vulnerable. The same is true for other content management systems like Joomla or Drupal.

Update any and all plugins you may be using on your site.

Step 2 – Scan Your Site

You can perform a quick, free scan of your website for malware and vulnerabilities at Sucuri.com.

Note: sometimes Sucuri uses cached results, so hit the Re-Scan button if you do this a number of times in a short period.

Step 2 – Remove Malware from Your Site

There are three ways to remove malware that’s infecting your website:

  1. Manually via FTP
  2. Using a Plugin like WordFence
  3. Reinstalling the site software

Reinstalling the site software is the nuclear option. It may (probably will) blow out all your content and any changes you’ve made to the code. If you have not already taken a backup of your site content, do it now. In WordPress, do Export from the Admin menu. Re-import your content after installing a fresh copy of WordPress.
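The manual route above boils down to triage: pull a copy of the site down over FTP, then find the files that should not be there. This added example (not from the article, WordFence or Sucuri) does that walk with three simple heuristics; the paths, file contents and heuristics are constructed assumptions, and every hit still needs a human to look at it.

```python
"""Flag files in a WordPress tree that commonly betray an injected phishing page.
Heuristics are assumptions for this added example: PHP under wp-content/uploads,
PHP running eval(base64_decode(...)), and static HTML carrying a password field."""
import os
import re
import tempfile

PHP_EXTENSIONS = ("php", "phtml", "php5")
OBFUSCATED_EVAL = re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)
PASSWORD_FIELD = re.compile(rb"<input[^>]+type=[\"']?password", re.I)

def scan_tree(root):
    """Return a sorted list of (relative_path, reason) for files a person should review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = name.lower().rsplit(".", 1)[-1]
            with open(path, "rb") as fh:
                head = fh.read(256 * 1024)  # injected code usually sits near the top
            if ext in PHP_EXTENSIONS and rel.startswith("wp-content/uploads/"):
                findings.append((rel, "php-in-uploads"))  # uploads should hold media only
            elif ext in PHP_EXTENSIONS and OBFUSCATED_EVAL.search(head):
                findings.append((rel, "obfuscated-eval"))
            elif ext in ("html", "htm") and PASSWORD_FIELD.search(head):
                findings.append((rel, "stray-login-form"))  # WordPress logs in via wp-login.php
    return sorted(findings)

def build_sample_site():
    """Create a constructed WordPress-like tree: two clean files and three planted ones."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    sample_files = {  # every path and byte string here is constructed for this example
        "wp-content/themes/mytheme/functions.php": b"<?php add_theme_support('post-thumbnails');",
        "wp-content/uploads/2012/03/photo.jpg": b"\xff\xd8\xff\xe0 placeholder image bytes",
        "wp-content/uploads/2012/03/x.php": b"<?php echo 'hi';",
        "wp-includes/wp-cache-helper.php": b"<?php eval(base64_decode('aGVsbG8='));",
        "secure/bank/index.html": b"<form><input type='password' name='pin'></form>",
    }
    for rel, content in sample_files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for rel, reason in scan_tree(build_sample_site()):
        print(f"{reason:18} {rel}")
```

Point `scan_tree` at the directory you downloaded over FTP; a clean install produces no output, and anything it does list is a candidate for comparison against a fresh copy of WordPress before you delete it.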

Step 3 – Change Your Passwords

In many cases, hackers have penetrated your website by stealing your password. Close the gate by changing your passwords for both the site login and FTP.

If you have many users for the site or FTP, make sure your users scan their computers for viruses and malware before you give them a new password. You don’t want to get re-infected. See below for tips on scanning your personal computer.

Step 4 – Scan Your Computer

The most likely scenario is that the malware traveled from someone’s computer to your website server. It might have come from your computer.

Malware often travels via email. Somewhere on your computer, there may be an email attachment waiting to go from dormant to active.

On a Mac, you can download a free antivirus utility from Sophos. It scans your entire computer and any attached hard drives, identifies threats and in most cases can clean them up. It works in the background (and can take hours), but won’t interrupt your normal routine.

On Windows, you can get a malware scanner and removal utility from Microsoft.

Other Considerations

  • How will I know I’ve been infected? – You may get an email from Google. You may get emails from irate or concerned consumers who have received phishing emails. You may get phone calls from people who actually think their email or bank account is going to be closed.
  • Don’t Panic – Phishing injections on a website are not fatal. If cleaning it up seems daunting, many for-pay services exist to fix the problem.
  • Don’t Ignore It – Malware won’t go away by itself. Your site could get blocked by Google. Now that’s a serious problem for any business! Take steps right away to fix the issue.


Hal Goodtree is the Publisher of CaryCitizen, a member of the Town of Cary’s Technology Task Force and a resident at Cary Innovation Center. Photo by Ringai.