WordPress users are being targeted by a new email phishing scam that encourages them to send their database credentials to attackers, according to cybersecurity firm Sucuri.

The scam email is addressed to “customer” and titled “DataBase Upgrade Required [sic]”. It informs users their WordPress installations are “out-of-date” and must be updated by a set deadline; it also contains a link titled “click here to upgrade WordPress” that takes users to a phishing page.

The emails are littered with typos and have co-opted a footer typically associated with WordPress.com parent company Automattic.

If a user clicks the upgrade button they’ll be taken to a web page and encouraged to enter their database details and click a “Log In” button.

The page delivered after clicking the “Log In” is particularly suspicious as it’s titled “database update required”, despite users having already entered their database details on the previous page.

It also states:

“WordPress has been updated! before [sic] we send you on your way, we have to update your database to the latest version”.

It then asks each user to provide their username, as well as the domain name for the WordPress installation. According to Sucuri, “[this final step] explains how the bad actors are obtaining the site addresses and associating them with the stolen credentials”.

Upon entering their username and domain name, users are then asked to click an “update WordPress database” button, at which point their details will be sent to the attackers.

The malicious emails are allegedly being sent from a compromised website and a server with the IP address 47.49.12.164.

If attackers gain access to a WordPress installation they can engage in any number of malicious practices, including altering website content, stealing users’ personal data or installing malware.

To guard against such attacks, Sucuri warns that users should never trust emails that encourage them to perform an action they never requested. It also advises users to be vigilant about typos and to inspect URLs.