This advisory originally appeared on WooCommerce’s Developer Documentation
We’ve identified a phishing campaign targeting WooCommerce store owners. These emails falsely claim to be from WooCommerce and alert users about critical security vulnerabilities that don’t exist.
How to identify these fake emails
The phishing emails:
- Come from suspicious domains like help@security-woocommerce.com, incident@notify-woocommerce.com, or help@support-woocommerce.com
- Claim a “critical security vulnerability” was found on or around April 14, 2025
- Mention a specific store URL and claim it’s directly impacted
- Ask users to download and install a “security patch” (which is actually malware)
These emails are not from WooCommerce
WooCommerce security communications always come from official sources like WooCommerce.com or Automattic.com email addresses and direct users to an official download page or WordPress.org repository with clear documentation and verification steps.
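A triage check for the indicators above, as an added example that is not part of the WooCommerce advisory: it treats only the woocommerce.com and automattic.com domains named here as official and flags other senders that use the brand in the domain or display name. The brand-token list, function names and sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

OFFICIAL = ("woocommerce.com", "automattic.com")  # official domains named in the advisory
BRAND_TOKENS = ("woocommerce", "automattic")      # assumption: tokens for lookalike matching

def sender_domain(header_value):
    """Return the lowercased domain of an address header, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")

def is_official(domain):
    # Exact match or a true subdomain; 'woocommerce.com.example.net' must not pass.
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL)

def classify(raw_message):
    """Return 'official', 'lookalike' or 'unrelated' for a raw RFC 5322 message.

    Header values can be forged, so 'official' is a triage result only and does
    not replace the SPF/DKIM/DMARC verdict of the receiving mail server.
    """
    msg = message_from_string(raw_message)
    display_name, _ = parseaddr(msg.get("From", ""))
    domains = {sender_domain(msg.get(h)) for h in ("From", "Reply-To", "Return-Path")}
    domains.discard("")
    if domains and all(is_official(d) for d in domains):
        return "official"
    foreign = [d for d in domains if not is_official(d)]
    brand_in_domain = any(t in d for d in foreign for t in BRAND_TOKENS)
    brand_in_name = any(t in display_name.lower() for t in BRAND_TOKENS)
    return "lookalike" if brand_in_domain or brand_in_name else "unrelated"

# Constructed sample messages (sender domain of the first is from the advisory).
SAMPLE_PHISH = (
    "From: WooCommerce Security <help@security-woocommerce.com>\n"
    "Subject: Critical security vulnerability\n\nInstall the patch.\n"
)
SAMPLE_OFFICIAL = (
    "From: WooCommerce <updates@woocommerce.com>\n"
    "Return-Path: <bounce@mail.woocommerce.com>\n\nRelease notes.\n"
)

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("official", SAMPLE_OFFICIAL)):
        print(label, "->", classify(raw))
```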
What to do if you receive these emails
- Do not click any links or download any files
- Do not install any plugins from these emails
- Report the domains to your email provider as phishing
Keeping your store secure
The best ways to keep your WooCommerce store secure:
- Install updates directly from your WordPress dashboard or WooCommerce.com
- Enable auto-updates for security patches
- Use strong, unique passwords and two-factor authentication
- Only install plugins from trusted sources (WordPress.org or WooCommerce.com)
We’re actively working to shut down these phishing domains. If you have concerns about your store’s security, please contact our support team through your WooCommerce.com account.
Your security is our priority.