
The WordPress Phishing Scam That Almost Fooled Everyone

Modern phishing attacks have moved well past broken English and suspicious links. Today’s scams are built around realistic workflows, professional communication, and carefully designed environments that mirror legitimate tools developers use every day. If you work with WordPress, this one is worth knowing about.

How It Started

The attack begins with an email that looks like a client enquiry or a plugin review request. The language is polished, the request is reasonable, and there’s a link to what appears to be a staging environment where the developer is asked to review some work before it goes live. Nothing about it screams “scam.”

The Trap

The staging link loads a convincing project preview, often a real-looking website with dummy content. When the developer clicks through to access the WordPress backend, they’re told the site uses Google authentication for secure access. A familiar Google login prompt appears, asking for their Google account credentials.

This is the moment everything is stolen.

The Google login page is a fake, hosted in a way that mimics Google’s actual OAuth flow right down to the URL structure. Once credentials are entered, the attacker captures them silently and gains access not to a staging site, but to the developer’s entire Google account, including Gmail, Drive, and any connected services.

Why It Worked

Using Google login felt legitimate. Many agencies and hosting platforms do use OAuth-based access. The extra authentication step actually made the scam feel more secure, not less.

The Warning Signs

The staging domain was registered recently. The Google login URL didn’t sit on accounts.google.com. There was no prior relationship with the sender and no way to independently verify the request.

How To Protect Yourself

  1. Always confirm the Google login URL starts with accounts.google.com before entering anything
  2. Use a password manager, which won’t autofill on spoofed domains
  3. Verify unsolicited staging requests through a known contact channel
  4. Enable two-factor authentication on your Google account
  5. Check domain ages with a WHOIS lookup before trusting any new link
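Step 1 is easy to get wrong by eye, because a spoofed address can contain the text accounts.google.com without being hosted there. The following check is an added example, not part of the original article: it parses the URL the way the browser does and accepts only the exact Google sign-in origin. The sample URLs are constructed for illustration and use the reserved documentation domain example.net.

```javascript
// Added example: decide whether a sign-in URL is really on Google's login origin.
// Uses the WHATWG URL parser (global in browsers and Node.js), which resolves
// the host the same way the address bar does.
const GOOGLE_LOGIN_ORIGIN = "https://accounts.google.com";

function checkGoogleLoginUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: "not a parseable absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: `scheme is ${url.protocol} not https:` };
  }
  if (url.username || url.password) {
    // Anything before "@" is userinfo, not the host.
    return { ok: false, reason: `userinfo present; real host is ${url.hostname}` };
  }
  if (url.origin !== GOOGLE_LOGIN_ORIGIN) {
    // Exact origin match: rejects lookalike parent domains and odd ports.
    return { ok: false, reason: `host is ${url.hostname}` };
  }
  return { ok: true, reason: "origin is https://accounts.google.com" };
}

// Constructed sample URLs (not taken from any real campaign).
const samples = [
  "https://accounts.google.com/o/oauth2/v2/auth?client_id=placeholder",
  "https://accounts.google.com.example.net/o/oauth2/v2/auth", // lookalike subdomain
  "https://accounts.google.com@example.net/signin",           // userinfo trick
  "https://example.net/accounts.google.com/signin",           // name only in the path
  "http://accounts.google.com/signin",                        // no TLS
];

function report(urls) {
  return urls.map((u) => ({ url: u, ...checkGoogleLoginUrl(u) }));
}

for (const r of report(samples)) {
  console.log(r.ok ? "OK    " : "REJECT", r.url, "->", r.reason);
}
```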

If the login method feels unexpected, pause and verify before you type a single character.

 

These attacks are getting harder to spot, and even experienced developers get caught out. If sharing this stops it from happening to even one person, that’s a good enough reason to put it out there. Stay sharp, and speak to us if you would like to have Slate in your corner!

How To Launch Your New Website

Launching a website properly makes the difference between a slow start and gaining real momentum. At Slate, we’ve seen countless launches over the years, and the biggest mistake people make is going live too soon, before they’ve tested everything thoroughly.

Start by sorting out the technical foundations. Check your site loads quickly on mobile and desktop, test every form and button, and make sure your hosting can handle traffic spikes. Run it past friends or colleagues who’ll give you honest feedback about confusing navigation or broken links. These early issues are much easier to fix before anyone else sees them.

Your content needs to be ready before launch day. This means having all your core pages written, images optimised, and your SEO basics sorted out. Set up Google Analytics and Search Console from the beginning so you’re tracking visitors from day one. You’ll want this data later to understand what’s working.

Think about your launch timing too. Avoid Fridays or holiday periods when you might need technical support and no one’s around. Monday to Thursday tends to work well, and launching early in the day gives you time to monitor things and respond to any problems.

The actual launch should be soft rather than dramatic. Start by telling your existing network through email and social media. This gives you a manageable amount of initial traffic as you iron out any remaining issues. Once you’re confident everything’s running smoothly, you can expand your promotion.

After launch, monitor your site closely for the first weeks. Keep an eye on your analytics, check for error messages, and respond quickly to any feedback. 

The reality is that no website is ever truly finished. You’ll keep improving it based on how people actually use it. Getting these fundamentals right means you’ll launch with confidence rather than crossing your fingers and hoping for the best. This is why an ongoing Maintenance Plan is so important.

At helloslate.co.uk, we help businesses through every stage of their website launch, from initial planning to post-launch optimisation. If you need support bringing your new site to life, get in touch with our team. And we don’t stop there, as we offer ongoing Hosting and Maintenance that keeps your site up to date and performing perfectly.
