Fake WordPress.com / Jetpack site plan suspended, website taken offline, domain expired, or security and backup features disabled due to billing failure phishing
fake-wordpresscom-site-plan-billing-phish
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Phishing emails impersonating WordPress.com or Jetpack claiming the site plan has been suspended, the website has been taken offline, the domain renewal has failed, or security and backup features are no longer active due to a billing failure, directing victims to update payment through a credential-harvesting portal. A broad attack category targeting 20M+ paid WordPress.com site owners for whom website downtime has direct business consequences.

Key facts:

(1) WordPress.com (Automattic) hosts 20M+ paid sites with Personal ($4/month), Premium ($8/month), Business ($25/month), and Commerce ($45/month) plans that include domain registration, SSL, and hosting. A 'site plan suspended, website offline' email creates immediate business impact for e-commerce stores, professional portfolios, and small business websites that depend on their WordPress.com site for revenue and customer acquisition.

(2) Automattic (the company behind WordPress.com) sends legitimate renewal reminders that closely resemble the phishing template: real WordPress.com renewal emails include the site URL, the plan name, the billing amount, and a 'Renew Now' CTA button. Attackers exploit this familiarity by copying the exact notification format that WordPress.com owners have seen many times.

(3) The 'domain will expire' hook is particularly effective because WordPress.com handles domain registration for many sites, and legitimate domain expiry emails do result in site takedowns. Users who have previously experienced domain expiry understand the urgency.

(4) Jetpack (also by Automattic, $4.97-$50/month) is used by 5M+ WordPress sites for security scanning, automated backups, performance, and CDN. Jetpack Premium and Complete subscribers depend on daily backups and real-time security scanning, making a 'Jetpack subscription expired, security features no longer active' email particularly alarming for site owners who have had a previous security incident.

(5) WordPress.com credentials enable account takeover with downstream consequences: WordPress.com uses a unified Automattic/WordPress.com account (WordPress.com ID) that grants access to all Automattic products including WooCommerce (if enabled), the WordPress.com reader, Tumblr (Automattic-owned), and API credentials that may be shared with third-party WordPress plugins. A credential compromise exposes not just site access but all connected Automattic services.

Warning signs: sender not wordpress.com, jetpack.com, or automattic.com; genuine WordPress.com billing at wordpress.com/me/purchases; Jetpack billing at cloud.jetpack.com/purchases.
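The warning signs above, written as a check over a raw message. This is an added example, not Gorganizer's own code; the regex phrasings, the finding names and both sample messages are constructed assumptions. It returns findings to feed a score, not a verdict.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Sender domains the page names as legitimate.
LEGIT_DOMAINS = ("wordpress.com", "jetpack.com", "automattic.com")
# Assumed phrasings for the brand and the billing hooks described above.
BRAND = re.compile(r"wordpress\.com|jetpack|automattic", re.I)
LURE = re.compile(r"suspended|taken offline|domain .{0,30}expir|renewal (has )?failed"
                  r"|no longer active|billing failure|update (your )?payment", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def in_legit_domain(host):
    """Exact or true-subdomain match; a legit name used as a prefix label fails."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def billing_phish_findings(raw):
    """Return findings for one raw RFC 5322 message (unencoded text/plain parts)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')}\n{body}"
    findings = []
    if not (BRAND.search(f"{display} {text}") and LURE.search(text)):
        return findings  # not a WordPress.com/Jetpack billing notice at all
    if not in_legit_domain(addr.rpartition("@")[2]):
        findings.append("sender_outside_automattic_domains")
    if any(not in_legit_domain(urlparse(u).hostname) for u in URL.findall(body)):
        findings.append("payment_link_off_domain")
    return findings

# Constructed samples (not real messages); .example hosts are placeholders.
PHISH = """\
From: "WordPress.com Billing" <billing@wordpress.com.plan-renewal.example>
Subject: Your site plan has been suspended

Your renewal failed due to a billing failure. Update your payment here:
https://wordpress.com.plan-renewal.example/me/purchases
"""
GENUINE = """\
From: "WordPress.com" <donotreply@wordpress.com>
Subject: Your domain will expire soon

Renew Now: https://wordpress.com/me/purchases
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("genuine", GENUINE)):
        print(name, billing_phish_findings(raw))
```

The suffix comparison in `in_legit_domain` is what separates `cloud.jetpack.com` from a host that merely starts with `wordpress.com.`; a substring test would accept both.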
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.