Creating WordPress Phishing Pages


Staff member
May 15, 2017
Reaction score
Hi welcome back today I will show you how to create WordPress phishing pages. Phishing is the practice of sending emails or fake pages in order to trick targets into unknowingly giving personal information such as passwords and credit and debit card numbers.

Phishing attacks are a Social Engineering method that relies solely on human error and trickery.


Lets assume we are doing a Pentest on a popular WordPress website the admin has giving us permission to try and phish information from staff members without breaking into their WordPress or gaining information from the SQLDatabases. The site admin has spent 1000’s of dollar maintaining security of his website and believes it to be quite safe although he can’t be to sure that his staff members will compromise his website through human error.

A lot of people come to the conclusion that a user must be stupid or an idiot to fall for phishing pages. This is not the case with 1000’s of emails per day going to businesses and personal inboxs it can be quite easy to fall into the trap especially in shared inboxs with multiple staff reading and responding to messages. Phishing pages can look identical and very believable. However we don’t blame the targets as most have not had sufficient training. The Admins idea of the Pentest is not to make the staff users feel stupid for falling for the phishing pages but to educate them in order to prevent further attacks in the future.

We could use SEToolkit to clone a login page to the WordPress site but this can be unconventional if running listeners from long periods of time using the output PHP from WP-Phishing-Maker script we can store plain text, MySQL Databases etc. This Phishing method will require a Web server to host the files generated by the script.


Linux based operating system

First of all Download WP-Phishing-Maker.

You can download WP-Phishing Maker from the following download location.
First of all we need to navigate to the script directory using cd command (change directory).

For example

cd Desktop/WP-Phishing-Maker
Then we will need to make the WP-Phishing-Maker bash script executable we can do this by using command chmod.

chmod +x WP-Phishin-Master
Now the bash script is ready to run from the same directory run command.

bash WP-Phishing-Maker

Now that WP-Phishing-Maker has loaded use options 1. Start.


The script will then prompt for a output location this can be any directory you would like save the WordPress phishing page generated by WP-Phisher-Maker. I will create a new directory inside root.

Open up a new terminal and create an empty directory using mkdir command.

mkdir /Test

The script will now prompt for a WordPress website to clone as a phishing page.


Choose if target is using HTTP or HTTPS and press Enter when the script has finished generating WordPress phishing page you will see a message telling you that the pages have been completed and ready to use. .



We can now upload the Php files generated by WP-Phishing-Maker to a Webhost.

So we made a clone of a WordPress website that we own for testing purposes called the idea of this type of phishing attack is to trick the website admin into logging into a fake WordPress admin panel.

We have uploaded the generated Php files from the bash scripts output directory to a shared webhost.

Demo (Don’t enter any personal information into this page.)


You will then be able to gather credentials in plain text and receive them from your FTP directory.
Top Bottom