Advisory: Phishing campaign targeting WooCommerce stores

This advisory originally appeared on the WooCommerce Developer blog.

Phishing campaigns have targeted WooCommerce store owners with emails that falsely claim to be from WooCommerce. These emails warn about critical security vulnerabilities that do not exist and attempt to trick you into downloading malware. This page explains how to identify these fake emails, verify legitimate WooCommerce communications, and protect your store.

Identify fake emails


Phishing emails targeting WooCommerce store owners share several common characteristics. Watch for the following signs:

  • The sender address uses a suspicious domain such as help@security-woocommerce.com, incident@notify-woocommerce.com, or help@support-woocommerce.com.
  • The email claims that a “critical security vulnerability” was found in WooCommerce.
  • The email mentions a specific store URL and claims it is directly impacted.
  • The email asks you to download and install a “security patch,” which is actually malware.

Verify real emails from WooCommerce


Legitimate WooCommerce security communications always come from official email address domains such as @woocommerce.com or @automattic.com. When suggesting an update, these emails direct you to official download pages or the WordPress.org repository and include clear documentation and verification steps.

Before taking any action based on an email, confirm the information directly on the WooCommerce website or the WooCommerce Developer blog.
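As an added example (not part of the original advisory), a small Python triage script that applies the signs above to raw email text: it flags a From: domain that contains the brand name but is not @woocommerce.com or @automattic.com (treating subdomains of those two as legitimate is an assumption), and flags the lure phrases the advisory lists. The two sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: only these domains (and their subdomains) are treated as legitimate
# senders, based on the advisory's "@woocommerce.com or @automattic.com".
LEGITIMATE_DOMAINS = ("woocommerce.com", "automattic.com")
BRAND_WORDS = ("woocommerce", "automattic")
# Lure wording taken from the advisory's list of signs.
LURE_PHRASES = ("critical security vulnerability", "security patch", "download and install")


def sender_domain(raw_message: str) -> str:
    """Lower-cased domain part of the From: header, or '' if there is none."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_legitimate_domain(domain: str) -> bool:
    """True for an allowlisted domain or one of its subdomains (e.g. mail.woocommerce.com)."""
    return any(domain == d or domain.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the advisory indicators matched by a single-part text message."""
    msg = message_from_string(raw_message)
    found = []
    domain = sender_domain(raw_message)
    # A domain that merely contains the brand name (security-woocommerce.com) is a lookalike.
    if domain and not is_legitimate_domain(domain) and any(b in domain for b in BRAND_WORDS):
        found.append(f"lookalike sender domain: {domain}")
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    found.extend(f"lure phrase: {p}" for p in LURE_PHRASES if p in text)
    return found


# Constructed sample messages (not real mail); the store URL is a placeholder.
PHISH = (
    "From: WooCommerce Security <help@security-woocommerce.com>\n"
    "Subject: Critical security vulnerability found in your store\n\n"
    "Our scan shows https://store.example is directly impacted by a critical security vulnerability.\n"
    "Please download and install the attached security patch today.\n"
)
LEGIT = (
    "From: WooCommerce <noreply@woocommerce.com>\n"
    "Subject: Your monthly store summary\n\n"
    "Your sales summary is ready in your WooCommerce.com dashboard.\n"
)

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, phishing_indicators(raw) or "no indicators")
```

The From: header is attacker-controlled, so this is a triage heuristic only; whether a message really originates from a legitimate domain is established by your email provider's SPF, DKIM and DMARC checks.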

Respond to phishing emails


If you receive a suspicious email claiming to be from WooCommerce, take the following steps in order:

  1. Do not click any links or download any files from the email.
  2. Do not install any extensions or plugins referenced in the email.
  3. Report the sender domain to your email provider as phishing.

Keep your store secure


You can reduce your exposure to phishing and other threats by following these security practices:

  • Install updates directly from your WordPress admin dashboard or from WooCommerce.com.
  • Enable auto-updates for security patches.
  • Use strong, unique passwords and enable two-factor authentication.
  • Only install extensions and plugins from trusted sources such as WordPress.org or WooCommerce.com.

WooCommerce is actively working to shut down these phishing domains. If you have concerns about your store’s security, contact the WooCommerce support team through your WooCommerce.com account.
