Introduction

If a phishing page appears on your domain, treat it as a live compromise, not a content mistake. Attackers often hide these pages in uploads, forgotten directories, or stale app paths so they can impersonate trusted brands while the main site looks normal.

Symptoms

  • Users or search results report a fake login or payment page on your domain
  • The phishing page lives at a strange URL that no one on the team recognizes
  • Search engines index spam or credential-harvesting pages on the site
  • Unknown files appear in writable directories or old deployment paths
  • Access logs show repeated requests to hidden directories or uploaded scripts

Common Causes

  • An attacker uploaded files through a vulnerable plugin, form, or outdated app path
  • Weak credentials allowed direct file access or admin panel compromise
  • Old unused directories remained publicly writable or executable
  • A prior cleanup removed visible malware but left a backdoor behind
  • Cross-contamination on multi-site or shared hosting re-exposed the same environment repeatedly

Step-by-Step Fix

  1. Take down or block access to the phishing URLs immediately while preserving copies and logs needed for investigation.
  2. Search the full web root and writable directories for unauthorized HTML, PHP, JavaScript, or archive files related to the phishing content.
  3. Compare the current deploy state against a known-good version and remove all unexpected files, symlinks, or cron-triggered persistence.
  4. Rotate hosting, CMS, database, and deployment credentials because file-level access may still be active.
  5. Audit recent uploads, vulnerable plugins, old admin accounts, and server write paths to identify how the attacker placed the phishing page.
  6. Replace compromised application files with clean builds from trusted sources instead of patching one suspicious file at a time.
  7. Check search engine indexing, browser safety tools, and external scanners to confirm the phishing content is no longer reachable.
  8. Request delisting or security review only after you are sure the attacker cannot re-create the page through the same access path.
  9. Lock down writable directories and admin access, and set up monitoring so new unauthorized pages are detected quickly.
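
One way to carry out steps 2 and 3, shown as an added example rather than code from the original guide: hash a trusted clean build, then walk the live web root and report files that are unexpected, modified, missing, or symlinks. The function names and the sample tree built in demo() are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for each regular file in a trusted build."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}


def audit_webroot(live_root, manifest):
    """Report files that differ from, or are absent in, the known-good manifest."""
    live_root = Path(live_root)
    report = {"unexpected": [], "modified": [], "symlinks": []}
    seen = set()
    for dirpath, dirnames, filenames in os.walk(live_root, followlinks=False):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(live_root).as_posix()
            if path.is_symlink():
                report["symlinks"].append(rel)  # not followed; review target by hand
            elif path.is_file():
                seen.add(rel)
                if rel not in manifest:
                    report["unexpected"].append(rel)
                elif sha256_file(path) != manifest[rel]:
                    report["modified"].append(rel)
    report["missing"] = list(set(manifest) - seen)
    return {key: sorted(value) for key, value in report.items()}


def demo():
    """Constructed sample: a clean build and a live copy with planted changes."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for base in (clean, live):
            (base / "uploads").mkdir(parents=True)
            (base / "index.php").write_text("<?php echo 'home';")
        (live / "index.php").write_text("<?php echo 'home'; // constructed edit")
        (live / "uploads" / "login.html").write_text("<form>constructed</form>")
        os.symlink("..", live / "uploads" / "cfg")
        return audit_webroot(live, build_manifest(clean))
```

Build the manifest from a fresh checkout or vendor package, never from the live server, and copy flagged files to evidence storage before deleting them.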