Advisory: Phishing campaign targeting WooCommerce stores

This advisory originally appeared on the WooCommerce Developer blog.

In the past we have identified phishing campaigns targeting WooCommerce store owners. These emails have falsely claimed to be from WooCommerce and alert users about critical security vulnerabilities that do not exist.

If you receive any emails such as these, always confirm that emails are arriving from official domains before taking any action, and always confirm any security issues directly on our official sites before taking any action.

How to identify these fake emails

↑ Back to top

The phishing emails:

  • Come from suspicious domains like help@security-woocommerce.com, incident@notify-woocommerce.com, or help@support-woocommerce.com
  • Claim that a “critical security vulnerability” was found in WooCommerce.
  • Mention a specific store URL and claim it is directly impacted.
  • Ask users to download and install a “security patch” (which is actually malware).

How to identify real emails from WooCommerce

↑ Back to top

WooCommerce security communications always come from official email address domains like @woocommerce.com or @automattic.com. When suggesting an update, they direct users to official download pages or WordPress.org repositories with clear documentation and verification steps.

What to do if you receive these emails

↑ Back to top
  1. Do not click any links or download any files.
  2. Do not install any extensions/plugins from these emails.
  3. Report the domains to your email provider as phishing.

Keeping your store secure

↑ Back to top

The best ways to keep your WooCommerce store secure:

  • Install updates directly from your store’s WP Admin dashboard or WooCommerce.com.
  • Enable auto-updates for security patches.
  • Use strong, unique passwords and two-factor authentication.
  • Only install extensions/plugins from trusted sources (WordPress.org or WooCommerce.com)

We’re actively working to shut down these phishing domains. If you have concerns about your store’s security, please contact our support team through your WooCommerce.com account.

Your security is our priority.