Advisory: Phishing campaign targeting WooCommerce stores

This advisory originally appeared on WooCommerce’s Developer Documentation.

In the past we’ve identified phishing campaigns targeting WooCommerce store owners. These emails falsely claimed to be from WooCommerce and alerted users to critical security vulnerabilities that don’t exist.

If you receive emails like these, always confirm that they come from official domains, and always confirm any security issue directly on our official sites, before taking any action.

How to identify these fake emails


The phishing emails:

  • Come from addresses on suspicious domains, such as help@security-woocommerce.com, incident@notify-woocommerce.com, or help@support-woocommerce.com
  • Claim a “critical security vulnerability” was found in WooCommerce
  • Mention a specific store URL and claim it’s directly impacted
  • Ask users to download and install a “security patch” (which is actually malware)

How to identify real emails from WooCommerce


WooCommerce security communications always come from email addresses on official domains, such as @WooCommerce.com or @Automattic.com. When suggesting an update, they direct users to official download pages or WordPress.org repositories with clear documentation and verification steps.
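
The sender check described in the two sections above can be automated in a mail filter or triage script. The following is an added example, not WooCommerce’s own code; the function names, the brand-token heuristic, the acceptance of subdomains of the official domains, and the constructed sample headers are assumptions.

```python
from email.utils import parseaddr

# Official sender domains named in the advisory.
OFFICIAL_DOMAINS = ("woocommerce.com", "automattic.com")
# Brand tokens used to spot lookalikes (assumption: taken from the official names).
BRAND_TOKENS = ("woocommerce", "automattic")


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From header, or ''."""
    _display, addr = parseaddr(from_header)
    if addr.count("@") != 1:
        return ""
    return addr.rsplit("@", 1)[1].strip().rstrip(".").lower()


def classify_sender(from_header: str) -> str:
    """Return 'official', 'lookalike', 'unrelated' or 'unparseable'.

    The From header can be forged, so 'official' only means the visible
    domain matches; it is not proof of where the message came from.
    """
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    # Exact match, or a true subdomain (assumption: subdomains are trusted).
    if any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    # The brand name embedded in some other domain, e.g. security-woocommerce.com.
    if any(token in domain for token in BRAND_TOKENS):
        return "lookalike"
    # The display name claims the brand but the address is on another domain.
    display, _addr = parseaddr(from_header)
    if any(token in display.lower() for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # The first three addresses are from the advisory; the rest are constructed.
    samples = [
        "WooCommerce Security <help@security-woocommerce.com>",
        "incident@notify-woocommerce.com",
        "help@support-woocommerce.com",
        "WooCommerce <alerts@WooCommerce.com>",
        "WooCommerce Support <billing@example.net>",
    ]
    for header in samples:
        print(f"{classify_sender(header):12} {header}")
```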

What to do if you receive these emails

  1. Do not click any links or download any files
  2. Do not install any plugins from these emails
  3. Report the domains to your email provider as phishing

Keeping your store secure


The best ways to keep your WooCommerce store secure:

  • Install updates directly from your WordPress dashboard or WooCommerce.com
  • Enable auto-updates for security patches
  • Use strong, unique passwords and two-factor authentication
  • Only install plugins from trusted sources (WordPress.org or WooCommerce.com)

We’re actively working to shut down these phishing domains. If you have concerns about your store’s security, please contact our support team through your WooCommerce.com account.

Your security is our priority.