Someone Used a Hacked Farm Shop to Phish Me

Tags: Security, Phishing, WordPress, Freelance, Web Development
Andreas Schöngruber

April 17, 2026·6 min read

On a Sunday evening in March, a contact form submission landed in my inbox. Name, phone number, short message: someone named Ned Hart wanted to enquire about improving his website. Nothing unusual about that.

Except it turned out to be a phishing campaign, running out of a compromised WordPress site belonging to a real farm shop in Lancashire that had been awake all night fielding thousands of calls and emails from all over the world.

Here's how it played out.

The Enquiry

The message was short:

"I'd like to enquire about improving my website"

Name: Ned Hart. UK phone number. The email address was ned.taylorsfarmshop@gmail.com. Not a company domain. A Gmail account styled to look like an employee address.

That's a flag, but not a dealbreaker on its own. Plenty of small business owners use personal Gmail for everything. I replied with my usual set of questions: which site, what are you trying to improve, what's the timeline, do you have a rough budget?

The Response

Ned wrote back the same evening. Polished, professional, no spelling mistakes. He explained that Taylors Farm Shop was looking to improve performance, implement caching, and integrate a CDN for their WordPress setup. Flexible on budget. Preferred email over calls because his schedule was tight.

Then he dropped a link to a PDF with the technical specifications, hosted on taylorsfarmshop.co.uk.

And this is where it gets clever.

The link pointed to the actual Taylors Farm Shop domain. Not a lookalike, not a random file host. A PDF sitting in the WordPress uploads directory of a real, award-winning farm shop in Lancashire. If you glanced at the URL, you'd see a legitimate domain and move on.

I didn't click it.

Why It Felt Off

A few things didn't add up. The language in Ned's email was specific in a way that didn't fit a farm shop owner: performance optimization, caching strategy, CDN integration. These aren't concepts someone running a butcher counter and a deli typically throws around unprompted. They're concepts someone researched before writing a phishing template.

The Gmail address was still nagging at me. Ned also said he preferred email over calls. That detail seems innocent enough, but it matters: phone calls break the illusion fast.

I ran the PDF link through a couple of online scanners. Nothing flagged. I fed it to an LLM. Nothing useful came back. Whatever was in that file, it wasn't obviously malicious to automated tools. I decided to call the farm shop the next morning to verify the enquiry before going any further.

The Second Email Arrived First

Before I could make that call, another message came in.

I should log into the Taylors Farm Shop website, submit my email address, and I would be granted admin access so I could "check everything" before putting together a proposal.

That's the moment the whole thing snapped into focus.

Think about what that flow actually is: visit a compromised WordPress site, type your email address into a form controlled by an attacker. At minimum you've handed over a confirmed, active address to someone running a phishing operation. More likely, the page was designed to harvest credentials directly.

I didn't visit the site. I called the farm shop instead.

What Had Actually Happened

The person who answered confirmed it immediately. Their website had been hacked. They were getting thousands of calls and emails, from developers and agencies across the world who had received the same kind of outreach. They had been awake through the night. If you visit their homepage right now, the warning is still there at the top of the page.

The root cause: an outdated WordPress installation. An attacker used a known exploit to gain admin access, uploaded the PDF to the media library to give it a URL on a clean, legitimate domain, and then used the farm shop's identity to run phishing campaigns targeting IT professionals.

The targeting was deliberate. Web developers and agencies are valuable marks. We have technical access to client systems, we often store credentials, and we're accustomed to receiving technical briefs by email. A farm shop asking a developer to review a performance spec is completely plausible. It's exactly the kind of request we get.

What I Sent the Farm Shop

Once I'd confirmed what had happened, I sent them a quick summary of steps to take immediately. I'm sharing them here because they apply to anyone in the same situation:

  • Change all passwords for the website and hosting account right away
  • Update WordPress core, themes, and every plugin to the latest version
  • Remove any plugins that are outdated, unused, or have known open vulnerabilities
  • Assume a backdoor has been installed. Changing your password alone won't be enough if the attacker left a malicious plugin or a shell behind. Get someone to check for this specifically.

That last point is the one people miss. Attackers routinely install backdoors so they can regain access even after a cleanup. A password change and a round of updates is necessary, but it is not sufficient.
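To make that "check for a backdoor specifically" step concrete, here is a small added Python triage script (my own illustration, not anything the farm shop or its host ran) that does two of the first checks a responder would make on a copy of the site files: list server-side scripts sitting under wp-content/uploads, where only media should live, and list files changed since the last known maintenance window. The sample site tree it builds is constructed for the example; the real target would be the actual WordPress root.

```python
import os
import tempfile
import time
from pathlib import Path

# Server-side script extensions that have no business under wp-content/uploads.
SUSPICIOUS_EXT = {".php", ".phtml", ".php5", ".phar"}


def find_uploads_executables(wp_root):
    """Return uploads-directory files with an executable extension (relative paths)."""
    root = Path(wp_root)
    uploads = root / "wp-content" / "uploads"
    return sorted(
        str(p.relative_to(root))
        for p in uploads.rglob("*")
        if p.is_file() and p.suffix.lower() in SUSPICIOUS_EXT
    )


def find_recently_modified(wp_root, days=14):
    """Return files whose mtime is within `days`; compare against the last legitimate update."""
    cutoff = time.time() - days * 86400
    root = Path(wp_root)
    return sorted(
        str(p.relative_to(root))
        for p in root.rglob("*")
        if p.is_file() and p.stat().st_mtime > cutoff
    )


def build_sample_site():
    """Constructed sample tree: stale core/plugin files, a clean PDF, and a PHP file hidden in uploads."""
    root = Path(tempfile.mkdtemp())
    stale_time = time.time() - 90 * 86400  # untouched for three months
    for rel, stale in [
        ("wp-config.php", True),
        ("wp-content/plugins/hello/hello.php", True),
        ("wp-content/uploads/2026/03/spec.pdf", False),   # the lure document
        ("wp-content/uploads/2026/03/.cache.php", False),  # dropped web shell stand-in
    ]:
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text("placeholder")
        if stale:
            os.utime(f, (stale_time, stale_time))
    return root
```

Treat the modification-time list as a prompt for inspection rather than proof, since an attacker with file write access can reset timestamps; the uploads check is the stronger signal, because a PHP file there is never expected.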

The Red Flags, Looking Back

The signals were there from the start:

Gmail address, not a company domain. A small business might do this, but it's worth a second look.

Technical language that doesn't match the sender's profile. A farm shop owner independently specifying CDN integration and caching strategies is unusual. It sounds like a developer wrote it, because one did.

A PDF hosted at a wp-content/uploads path on their domain. This is how WordPress stores uploaded media. Hosting a payload there is clever: the URL looks completely trustworthy at a glance.

A stated preference for email over calls. Phone calls are hard to fake. Attackers avoid them.

A request to log into a third-party site before any agreement is in place. No legitimate client asks you to do this. Full stop.

The Uncomfortable Part

The scary thing about this campaign is how well-constructed it was. The emails were well-written and context-appropriate. The PDF was hosted on a real domain with a clean reputation and years of history. The back-and-forth felt natural. If I had been rushing through my inbox on a Monday morning, I might have opened that PDF without thinking twice.

The farm shop did nothing wrong except run an outdated WordPress installation. They became collateral damage in someone else's scheme, and paid for it with a night of stress and chaos that affected their whole family.

For anyone running a WordPress site: keeping it updated is not optional housekeeping. It's the difference between your business being used as a launchpad for fraud or not.

And for anyone running a contact form and receiving inbound work enquiries: slow down when something feels slightly off. The cost of a quick phone call to verify is zero. The cost of not making it can be a lot higher.