
Our Monitoring Caught an Impersonation Attempt on a Client’s Website. Here’s What Every Small Business Should Learn From It.

Author: Justine Kingston


Quick Answer

Earlier this week, our security monitoring flagged a targeted impersonation attempt on a client’s WordPress site. Someone submitted a registration request using a Gmail address designed to look exactly like mine. The attempt was caught immediately, reviewed, and resolved inside an hour. No breach, no damage, no client downtime. The probe was sophisticated enough that most agencies wouldn’t have caught it, which is what makes the underlying pattern worth talking about. This post walks through what happened, why agency-managed sites are now a known target, and what every small business owner with a WordPress site should be asking their web person right now.


What Actually Happened

On a Tuesday morning, our monitoring picked up an unusual registration on a long-time client’s WordPress site. The email used was a Gmail address designed to look almost identical to mine, with a slight variation of my name and our standard email format.

That isn’t my address. The lookalike was deliberate. Someone had researched the relationship between the agency and the client, found my name publicly, and registered a Gmail account designed to slip past anyone who glanced at it without thinking.

It got flagged. Not by accident. By the layered security stack we run on every client site, which is built to catch exactly this kind of probe. Within an hour, the attempt was reviewed, resolved, and the site was audited end to end. Clean. No data exposed. No site downtime. No client impact.

That’s the part that usually doesn’t make headlines. The probe is interesting. The catch is the actual story.

What We Did, Step by Step

Inside the first hour:

  1. Reviewed and resolved the unauthorized registration attempt.
  2. Audited every existing user on the site, looking for stale or unfamiliar accounts.
  3. Forced a precautionary password rotation on every legitimate admin and editor.
  4. Ran a full malware scan to confirm nothing had been altered or planted.
  5. Reviewed plugins, themes, and uploaded files for anything out of place.
  6. Tightened the WordPress login URL.
  7. Reinforced the 2FA requirement across every administrator and editor account, with tightened grace periods to confirm setup was current on every account.
  8. Reported the impersonating Gmail address to Google.
  9. Notified the client with a calm, specific email explaining what happened, what we did, and what we needed from them.

Then we ran a fresh audit across every other site in our portfolio. The same security stack was already in place on every one. We just used the moment to verify, dial up sensitivity, and confirm everything was running the way it should. If it was tried once, it’ll be tried again. We’d rather be ahead of it than behind it.
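As an added illustration, not the agency's own monitoring stack (which the post does not describe), here is the kind of lookalike check a registration monitor can run before a human reviews an alert: it folds the webmail-style variations an impersonator leans on (case, dots, +tags, trailing digits) and compares each new address against the trusted agency identities. The trusted list, the webmail domain list and the registration events are constructed sample values, not data from the incident.

```python
import re
from difflib import SequenceMatcher

# Constructed sample of trusted agency identities; the post does not list the real set.
TRUSTED = {"justinek@justbydesign.com", "dev@justbydesign.com"}
# Webmail domains anyone can sign up for; a trusted name showing up here is the pattern in the post.
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me", "icloud.com"}

def canonical_local(local):
    """Fold the variations lookalikes lean on: case, dots, +tags, trailing digits."""
    local = local.lower().split("+", 1)[0].replace(".", "")
    return re.sub(r"\d+$", "", local)

def assess_registration(email, trusted=TRUSTED, threshold=0.8):
    """Classify a new-user email as 'allow', 'review' or 'block', with a reason."""
    email = email.strip().lower()
    if email.count("@") != 1:
        return "block", "malformed address"
    if email in trusted:
        return "allow", "exact trusted address"
    local, domain = email.split("@")
    cand = canonical_local(local)
    for t in trusted:
        t_local, t_domain = t.split("@")
        t_org = t_domain.split(".")[0]  # e.g. 'justbydesign'
        if domain == t_domain:
            continue  # an unknown mailbox on the agency's own domain is not a lookalike
        score = SequenceMatcher(None, cand, canonical_local(t_local)).ratio()
        if score >= threshold:
            return "review", f"local part resembles trusted {t} (score {score:.2f})"
        if t_org in cand and domain in FREE_MAIL:
            return "review", f"agency name '{t_org}' used at webmail domain {domain}"
        if SequenceMatcher(None, domain, t_domain).ratio() >= 0.9:
            return "review", f"domain resembles trusted {t_domain}"
    return "allow", "no lookalike indicators"

def triage(registrations):
    """Run the check over (timestamp, email) events and return those needing attention."""
    hits = []
    for ts, email in registrations:
        verdict, reason = assess_registration(email)
        if verdict != "allow":
            hits.append((ts, email, verdict, reason))
    return hits

# Constructed registration events, not real log data.
SAMPLE_EVENTS = [("2024-01-09T08:02:11", "newclient@example.com"),
                 ("2024-01-09T08:14:37", "Justine.K@gmail.com"),
                 ("2024-01-09T08:15:02", "justinek@justbydesign.co")]
```

Anything returned as "review" is an alert for a person to look at, not an automatic block; the post's own response (review, user audit, password rotation) starts from exactly that kind of alert.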

Why Agencies Are Now an Attack Vector

Here is the part most small business owners miss.

Your web agency, freelancer, or in-house web person is a known entry point to your website. We have admin access, we have your trust, and our relationship with you is often documented publicly through case studies, testimonials, portfolio pages, social media tags, and shared press.

If someone wants into your site, impersonating the trusted person is far easier than brute-forcing your password. They are not attacking your business. They are attacking the relationship between you and the people who manage your digital presence.

This pattern is growing for a few reasons:

  • Small business websites are valuable targets for SEO spam, malware injection, and phishing infrastructure.
  • WordPress powers a huge share of small business websites, and most installations are under-monitored.
  • Agencies and freelancers are easy to identify online, which makes their identities easy to spoof.
  • Tools that automate this kind of reconnaissance and impersonation are cheaper and more accessible every year.

In other words, this is not an exotic threat. It is becoming standard. And the difference between a probe that gets caught and a probe that becomes a breach comes down to whether anyone is actually monitoring.

What Every Business Owner Should Ask Their Web Person This Week

If you have a WordPress site and someone else manages it, send these questions to them today:

  1. Who monitors my site for unauthorized registration or login attempts, and how? If the answer is a vague “we have a security plugin installed,” that’s not monitoring. That’s hoping.
  2. Is two-factor authentication required on every administrator and editor account, including mine? “Available” is not the same as “required.”
  3. Is the WordPress login URL still at /wp-admin? If yes, that is the front door, and every bot on the internet is trying to kick it down.
  4. When was the last time someone audited who has admin access? If the answer is “I am not sure” or longer than 6 months ago, that is the answer right there.
  5. Do you have automated, off-site backups, and have they been tested? Backups that have never been restored are a hope, not a plan.
  6. What is the plan if I get an email from “you” that is not really from you? Your agency should have already trained you on how to verify a legitimate request.
  7. Are core, plugins, and themes updated regularly? Outdated software is the most common way WordPress sites get compromised.

If your web person cannot answer those clearly, that is not a security problem. That is an agency problem.

What This Means for AI Visibility

This is the part that doesn’t get discussed enough.

When you build a brand online, you are creating an entity that AI systems like ChatGPT, Perplexity, Google’s AI Overviews, and others use to decide who to trust, who to cite, and who to surface in answers. That entity is built from consistent signals: your website, your reviews, your social profiles, your press, your structured data.

If someone can impersonate your brand, they can introduce conflicting or malicious signals into that entity. They can plant content on your own site that contradicts your positioning. They can publish under your name. They can poison the very signals AI systems rely on to verify you are who you say you are.

Brand entity protection is not a separate concern from AI visibility. It is part of it. The same care that goes into structured data, schema markup, and citation-worthy content has to extend to making sure the foundation of that entity stays clean.

That is the part most agencies are not thinking about yet. We are.

What We Are Doing Differently Going Forward

A few changes we have made in the last week:

  • Tightened thresholds, alert sensitivity, and audit cadence across the security stack we already run on every client site. The baseline was already in place: layered monitoring, hidden login URLs, required 2FA, login attempt limiting, CAPTCHA, malware scanning, off-site backups, and regular user audits. We’re just running it hotter.
  • Built a faster impersonation-attempt response protocol so the next probe is handled in minutes.
  • Made quarterly security reviews a standard line item in long-term retainers, not an upsell.
  • Started auditing publicly visible information about agency-client relationships to reduce the surface area attackers can use.

This is not because something went wrong. It’s because something was attempted, our system did exactly what it was built to do, and the right response to a successful catch is not to celebrate it. It is to make sure the next attempt has even less room to operate.

What You Should Do This Weekend

If you do nothing else from this post, do these three things:

  1. Log into your WordPress site and check the user list. Ask your web person about anyone you do not recognize. If they cannot vouch for that account, delete it.
  2. Turn on two-factor authentication on your own administrator account. Use Google Authenticator, Microsoft Authenticator, or 1Password.
  3. Send your web person the seven questions above. Their response will tell you everything you need to know.

If you are a small business owner in Bend, Portland, Central Oregon, or Lake Oswego and you want a second set of eyes on your website, schedule a free consult at justbydesign.com/contact. We have been protecting small business websites since 2001, and we are watching this threat landscape closely so you do not have to.

Creative Director | Founder at Just By Design | 541.526.3406 | justinek@justbydesign.com

Justine is the Founder and Creative Director at Just By Design, a Central Oregon–based marketing studio that helps service-driven businesses build standout brands with strategy and purpose. With more than 20 years of experience in digital marketing, SEO, and content strategy, she’s known for combining clear thinking, creative direction, and real-world practicality to help businesses grow with clarity and confidence.

A proud University of Oregon graduate, Justine has called Oregon home for over 40 years. She leads every project personally, collaborating with a close-knit team of expert creatives and developers. Whether you’re launching something new or leveling up an established brand, Justine brings a thoughtful, hands-on approach to turning your vision into visibility—always grounded in strategy, built for real impact, and backed by care.