Phishing is the most common cyber attack on UK businesses. It is often seen as an email problem.
In reality, for any business running a WordPress website, one stolen password can lead to something far more serious: a full website takeover, lost enquiries and clients who never come back.
In this article I explain how phishing becomes a website problem, what it costs in business terms, and how to prevent it before it happens.
Hello, I’m Bogdan. WordPress has been my working environment for over 25 years. I won’t try to turn you into a technical expert.
My goal is simpler: to show how everyday website issues quietly cost businesses money, often without hacks, drama, or obvious failures.
Missed updates, poor maintenance, or weak internal processes are usually enough.
What is happening (non-technical explanation)
Phishing is when someone receives a fraudulent email or message designed to look legitimate. It often appears to come from a bank, supplier, software provider or colleague. The goal is simple: to trick the recipient into entering their login details.
For many business owners I speak with, the perceived risk stops at email access or payment fraud. What is often missed is the next step.
Most WordPress websites tie admin access to an email address: that is where the password-reset link is sent. If that email account is compromised through phishing, an attacker can request a reset, follow the link, set a new WordPress admin password and take control of the website.
Once inside the WordPress dashboard, an attacker can:
- redirect contact forms so enquiries never reach you
- add hidden pages used for spam or further phishing
- alter content in ways that damage trust
- install malicious software
- lock you out of the site entirely
And here is what makes this especially costly for businesses: the website continues to look completely normal from the outside. There is no error message. No alert. Visitors arrive, fill in forms, and leave. The business carries on, unaware that enquiries are silently disappearing.
According to the UK Government's Cyber Security Breaches Survey 2025, phishing remains the most prevalent and disruptive type of cyber attack, affecting 85% of businesses that reported a breach in the last 12 months. This is not an abstract threat.
In January 2024, Canterbury City Council, Dover District Council and Thanet District Council were hit by near-simultaneous cyber attacks that knocked planning portals, online payment systems and contact forms offline for almost two weeks. The three councils, serving a combined population of almost 500,000 residents, had to work alongside the National Cyber Security Centre to investigate and recover. A formal data breach report was filed with the Information Commissioner's Office.
If organisations with dedicated IT teams, government-level support and established security policies were caught out at this scale, a small business running a WordPress site without monitoring in place is considerably more exposed. And it would be a mistake to assume that running a small business makes you an unattractive target. Attackers tend to be quite indiscriminate. Smaller businesses are often prioritised precisely because they are easier to compromise.
How this issue hurts your business
A phishing-led site takeover rarely causes immediate, visible failure. The damage accumulates quietly.
- Lost leads and enquiries when forms are redirected or disabled
- Reputation damage when visitors encounter unexpected behaviour, altered content or warnings
- Client trust eroded if sensitive data is exposed or mishandled
- SEO damage if search engines detect and flag malicious activity
- Recovery costs for investigation, cleanup, legal review and potential ICO notification
- Internal disruption as management time is consumed by the incident
The longer the compromise goes undetected, the higher the cost.
Cost of inaction (what this really costs your business)
Real-life scenario:
A small professional services firm relies on its website to generate qualified enquiries and signal credibility.
One employee enters their login details on a convincing phishing page linked from an email. The attacker uses that access to reset the WordPress admin password and take control of the site.
Over the next 10 to 14 days, enquiry submissions stop reaching the business. The website remains live and appears normal.
The impact typically looks like this:
- Missed qualified enquiries: £2,000 to £5,000 in expected pipeline value
- Marketing spend still running during the incident: £400 to £900 wasted
- Forensic investigation and site cleanup: £800 to £2,000
- Legal or compliance review where required: £500 to £1,500
- Internal management time: invisible, but real
Total cost for one incident: easily £3,500 to £9,000, without downtime, public warnings or obvious alerts. That is the real cost of inaction.
Warning signs you should not ignore
Any of the following should be treated as a potential incident:
- A sudden, unexplained drop in website enquiries
- A team member reports receiving a suspicious login email from a supplier or software provider
- Unfamiliar admin users or changed settings inside WordPress
- Alerts from your hosting provider or Google Search Console flagging unusual activity
- Unexpected password reset requests arriving in email inboxes
If you see one of these, act immediately. Assume something may already have happened.
Quick checks you can do today (5–10 minutes)
As a business owner or manager, you do not need technical depth to reduce risk significantly. Here is where I would start.
- Check who currently has admin access to your WordPress site. Are all accounts recognised and still active?
- Confirm whether two-factor authentication is enabled on WordPress and on the email accounts linked to it
- Ask whether your hosting provider sends alerts for unusual login activity
- Ask your team directly: has anyone recently entered their details via an unexpected login email?
- Send a test enquiry through your website contact forms right now and confirm it arrives
If any gap appears, treat it as urgent, not a future task.
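The first check in the list above (who holds admin access, and whether each account looks right) can be scripted rather than clicked through. The following is an added example, not code from the article: a small PHP file run with WP-CLI as `wp eval-file admin-audit.php`, which loads WordPress so the normal functions are available. The approved login names and the business domain are placeholders you replace with your own.

```php
<?php
/**
 * Added example: point-in-time audit of WordPress administrator accounts.
 * Run with:  wp eval-file admin-audit.php
 * Assumptions (replace with your own): the approved admin list and the
 * business email domain below are placeholders.
 */

// Assumed: the people who SHOULD hold administrator access.
$approved_admins = [ 'bogdan', 'office-manager' ];
// Assumed: the domain whose mailboxes you control.
$business_domain = 'example.co.uk';

$admins = get_users( [ 'role' => 'administrator' ] );
printf( "%d administrator account(s) found\n", count( $admins ) );

$problems = 0;
foreach ( $admins as $u ) {
    $flags = [];

    // 1. Is this account one you recognise?
    if ( ! in_array( $u->user_login, $approved_admins, true ) ) {
        $flags[] = 'NOT ON APPROVED LIST';
    }

    // 2. Is there an outstanding password-reset request? WordPress keeps the
    //    reset key in user_activation_key until it is used or expires, so an
    //    unexplained key on an admin account is worth a question to the owner.
    if ( ! empty( $u->user_activation_key ) ) {
        $flags[] = 'pending password reset';
    }

    // 3. Is the recovery email on a domain you control? Admin recovery mail
    //    going to a personal or unknown mailbox is the weak link the article
    //    describes.
    $at     = strrchr( $u->user_email, '@' );
    $domain = $at ? substr( $at, 1 ) : '(no domain)';
    if ( $domain !== $business_domain ) {
        $flags[] = "email domain '$domain'";
    }

    $problems += count( $flags );
    printf( "  %-20s %-30s registered %s  %s\n",
        $u->user_login, $u->user_email, $u->user_registered,
        $flags ? '<- ' . implode( ', ', $flags ) : 'ok' );
}

// 4. Site-level settings an attacker with admin access would plausibly change.
if ( get_option( 'users_can_register' ) ) {
    echo "WARNING: 'Anyone can register' is enabled\n";
    $problems++;
}
if ( get_option( 'default_role' ) !== 'subscriber' ) {
    printf( "WARNING: default role for new users is '%s'\n", get_option( 'default_role' ) );
    $problems++;
}

printf( "\n%d item(s) need a human decision\n", $problems );
```

The script deliberately does not check two-factor authentication: WordPress core has no built-in 2FA, so whether it is on depends on which plugin you installed, and that is a question to ask whoever maintains the site.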
Fix options (from fastest to safest)
Immediate containment
Reset WordPress admin passwords immediately, revoke access for any unrecognised users and verify that contact forms are delivering correctly.
Proper fix (root cause)
Enable two-factor authentication on all WordPress admin accounts and on the email addresses connected to them. Audit all user accounts and remove anything unused or unrecognised.
Prevention
Introduce monitoring so that unusual login activity, new admin users or unexpected site changes trigger an immediate alert, rather than being discovered two weeks later.
The goal is early detection, not perfect prevention.
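The monitoring described under Prevention can be as simple as a must-use plugin that emails you the moment one of the actions in the attack path happens. The following is an added example, not code from the article; it uses WordPress's own `set_user_role`, `after_password_reset`, `wp_login` and `update_option_admin_email` hooks. The alert address is a placeholder, and the design assumption is that it is a mailbox not tied to any WordPress account, so a compromised admin inbox cannot also swallow the alerts.

```php
<?php
/**
 * Plugin Name: Admin Activity Alerts (added example)
 *
 * Save as wp-content/mu-plugins/admin-activity-alerts.php. Must-use plugins
 * load on every request and cannot be switched off from the dashboard.
 *
 * Assumption: ALERT_EMAIL is a mailbox that is NOT the site's admin_email and
 * NOT linked to any WordPress user, so alerts survive an inbox compromise.
 */

const ALERT_EMAIL = 'security-alerts@example.co.uk'; // assumed placeholder

function aaa_send_alert( string $subject, array $details ): void {
    $details['site']    = home_url();
    $details['when']    = gmdate( 'c' );
    // Behind a reverse proxy this is the proxy's address; adjust if needed.
    $details['from_ip'] = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    $body = '';
    foreach ( $details as $k => $v ) {
        $body .= sprintf( "%-10s %s\n", $k . ':', $v );
    }
    wp_mail( ALERT_EMAIL, '[WP alert] ' . $subject, $body );
}

// 1. Someone was granted administrator: a brand-new admin user, or an
//    existing low-privilege account promoted. Fires for both cases.
add_action( 'set_user_role', function ( int $user_id, string $role, array $old_roles ) {
    if ( 'administrator' !== $role ) {
        return;
    }
    $user = get_userdata( $user_id );
    aaa_send_alert( 'Administrator role granted', [
        'user'      => $user ? $user->user_login : "#$user_id",
        'old_roles' => implode( ',', $old_roles ) ?: '(none)',
        'by'        => wp_get_current_user()->user_login ?: '(not logged in)',
    ] );
}, 10, 3 );

// 2. A password reset completed. "Compromised inbox -> reset the admin
//    password" is the article's attack path, so this is the earliest point at
//    which it becomes visible on the site itself.
add_action( 'after_password_reset', function ( WP_User $user ) {
    aaa_send_alert( 'Password reset completed', [
        'user'  => $user->user_login,
        'roles' => implode( ',', $user->roles ),
    ] );
} );

// 3. A successful login by any administrator. Noisy on a busy site, but a
//    login you did not make, at a time you were not working, is the signal.
add_action( 'wp_login', function ( string $user_login, WP_User $user ) {
    if ( in_array( 'administrator', $user->roles, true ) ) {
        aaa_send_alert( 'Administrator login', [ 'user' => $user_login ] );
    }
}, 10, 2 );

// 4. The site admin email changed. This is where WordPress sends its own
//    notifications, so rerouting it is a common first step after a takeover.
add_action( 'update_option_admin_email', function ( $old, $new ) {
    aaa_send_alert( 'Site admin email changed', [ 'old' => $old, 'new' => $new ] );
}, 10, 2 );
```

Contact-form plugins store their recipient address in their own settings rather than a core option, so redirected forms need a hook specific to the plugin in use; the test enquiry from the quick checks remains the simplest way to catch that case.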
How to prevent this from happening again
A business-ready phishing defence, in my view, starts with these fundamentals:
- Two-factor authentication on WordPress and connected email accounts
- Regular audits of user access levels and active accounts
- Staff awareness so suspicious login emails are reported rather than ignored
- Monitoring and alerts for admin login activity and site changes
- A clear response process for when credentials are suspected to be compromised
Phishing cannot always be stopped at the inbox, but its consequences can be contained early.
Related issues to check next
- Updates done wrong can break your site — updates skipped can break your business
- Why websites fail during campaigns, not quiet periods
- You do not need to be hacked to have a security problem: the hidden cost of an unprotected WordPress site
- Hosting isn't a technical detail: it's uptime, speed, and whether customers trust your business
Key takeaways
- Phishing is the most common cyber attack on UK businesses, affecting 85% of those that reported a breach
- A compromised email account can lead directly to a full WordPress site takeover
- The website continues to look normal while enquiries and revenue silently disappear
- Delayed detection dramatically increases the total cost of the incident
- Prevention and monitoring are far cheaper than investigation and recovery
FAQ
Can phishing really affect my website?
Yes. If an attacker gains access to the email account linked to your WordPress site, they can reset admin credentials and take full control without triggering any visible alert.
How would I know if my site had been compromised?
Often you would not know immediately. A drop in enquiries, unfamiliar login activity or hosting alerts are the most common early indicators.
Is two-factor authentication enough to protect against phishing?
It significantly reduces risk. A stolen password alone cannot be used to log in if two-factor authentication is active on both WordPress and the connected email account.
Does this only affect large businesses?
No. Smaller businesses are frequently targeted precisely because they are perceived as less protected. According to the UK Government's Cyber Security Breaches Survey 2025, 43% of UK businesses experienced a cyber breach or attack in the last 12 months.