Phishing Alert: Fake WordPress Reset from Iranian Server Targets Site Admins

Phishing Alert: Fake WordPress Reset from Iranian Server Targets Site Admins

A cleverly disguised phishing scam is circulating—this time impersonating a WordPress password reset message to lure unsuspecting users into revealing their admin credentials.

The email, appearing to come from [email protected], directs users to what looks like a normal WordPress login page. However, it actually originates from a suspicious shared hosting provider in Iran: hoda.7ho.st.

Scam Red Flags Identified

• Spoofed Identity:
  From Address: [email protected]
  Return-Path: [email protected]
  Mismatched sender and return-path is a classic phishing tactic.
• Origin Server:
  IP: 185.88.177.183
  Host: hoda.7ho.st
  Country: Iran
  This hosting provider has been linked to abuse and spam operations.
• No Anti-Spoofing Records:
  SPF: None
  DMARC: None
  These missing records make the domain easier to spoof.
• Suspicious Encoded Subject:
  Base64 subject in Farsi with “94 175 USD KRAKEN” — targeting crypto users with bait text.
• Dangerous Login URL:
  https://www.taniadoor.com/wp-login.php?login=www.utigrx.blogspot.se%20-%2094%20175%20USD%20KRAKEN&key=axwqkCqQnUd1fE8Pan4w&action=rp
  Designed to mimic a real WordPress login form while stealing credentials.
• Language Mismatch:
  Message body is written in Farsi, a strong signal that this is spam or phishing targeting users outside your region.

What This Scam Is Trying to Do

This phishing email aims to:

• Trick users into clicking a malicious login link
• Harvest WordPress admin login details
• Potentially compromise your site to send spam or inject malware

How to Tell It’s a Phish

• Unexpected email in a foreign language or encoding
• Suspicious or spoofed domain names and mismatched headers
• Financial bait (crypto, money amounts)
• Unusual or long login URLs

What You Should Do

• Do not click the link in the email
• Mark the email as phishing or junk
• Ensure your own domain has SPF, DKIM, and DMARC records set
• Use a password manager—these won’t autofill on fake sites
• Regularly monitor login attempts and admin user lists in WordPress

Need Help Securing Your Email or Website?

If you're unsure whether your email and domain systems are properly protected, get in touch with Mac-PC Assist today. We'll perform a security audit and help you lock down your digital assets before bad actors do.

Stay safe,
Mac-PC Assist