The ManageWP phishing attack is targeting WordPress administrators through malicious Google Ads that impersonate the legitimate ManageWP login page.
Researchers discovered that attackers are purchasing sponsored Google search results designed to trick users into entering their GoDaddy credentials through fake login portals. The campaign specifically targets users of ManageWP, a GoDaddy-owned platform used to manage multiple WordPress websites from a centralized dashboard.
Security experts warn that the attack is especially dangerous because it uses real-time session interception instead of simple credential theft.
Fake Google Ads Redirect Victims to Phishing Pages
The ManageWP phishing attack begins when users search for terms related to ManageWP or GoDaddy through Google Search. Attackers place malicious sponsored advertisements above legitimate search results.
Victims who click the ads are redirected to phishing pages that closely resemble the official ManageWP login portal.
Researchers say the phishing infrastructure acts as a live proxy between victims and the legitimate service. Instead of only collecting usernames and passwords, the attackers intercept authentication sessions in real time.
This method allows attackers to capture credentials and active session information simultaneously.
The campaign reportedly uses adversary-in-the-middle phishing techniques, which are designed to bypass certain traditional account protections and accelerate account hijacking attempts.
Compromised Accounts Could Affect Multiple Websites
The ManageWP phishing attack creates serious risks for agencies, developers, and businesses managing multiple WordPress websites through centralized dashboards.
ManageWP allows users to control updates, plugins, backups, and administrative settings across numerous websites from one account. If attackers gain access to a single dashboard, they may be able to compromise every connected website.
Researchers warn that attackers could use stolen access to:
- Deploy malicious plugins
- Redirect website traffic
- Steal customer information
- Inject malicious code
- Access backups and configuration files
- Lock administrators out of websites
Because many agencies manage client websites through centralized systems, a single compromised account may create widespread downstream exposure.
Researchers Warn About Growing Ad-Based Phishing
The ManageWP phishing attack reflects a growing trend where cybercriminals abuse online advertising systems to distribute phishing pages and malware.
Sponsored search results often appear above legitimate websites, making them more likely to attract clicks from unsuspecting users. Researchers say phishing campaigns are becoming increasingly sophisticated as attackers improve their infrastructure and social engineering tactics.
The use of adversary-in-the-middle phishing also increases the effectiveness of credential theft operations. Unlike traditional phishing pages, these attacks can intercept active login sessions and authentication tokens.
Security experts recommend not logging in through sponsored ads whenever possible and instead reaching login pages through manually typed URLs or trusted bookmarks.
How Users Can Protect Their Accounts
Researchers recommend several precautions to reduce exposure to the ManageWP phishing attack.
Users should:
- Avoid clicking sponsored login advertisements
- Verify website domains carefully
- Use bookmarked login pages
- Enable multi-factor authentication
- Monitor accounts for suspicious activity
- Restrict unnecessary administrative access
Organizations managing multiple WordPress environments should also review account permissions and monitor centralized dashboard access closely.
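Because the phishing pages proxy the real portal, the hostname is the signal that matters when verifying a domain. The following is an added example, not code from the researchers or from ManageWP: a strict hostname allowlist check for a URL about to receive credentials. The `managewp.com` allowlist entry and all sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: allowlist supplied by the reader. "managewp.com" is used here as
# the vendor's domain; the article itself does not state the login hostname.
TRUSTED_DOMAINS = frozenset({"managewp.com"})


def check_login_url(url, trusted=TRUSTED_DOMAINS):
    """Return (ok, reason) for a URL that is about to receive credentials."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        # https://trusted.com@other.example/ really connects to other.example
        return False, "userinfo before host"
    if not host:
        return False, "no host"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        # Homoglyph or punycode hosts can render like the real name
        return False, "non-ASCII or punycode host"
    for domain in trusted:
        # Exact match or a true subdomain; a substring or prefix test
        # would accept trusted.com.other.example
        if host == domain or host.endswith("." + domain):
            return True, "trusted host " + host
    return False, "untrusted host " + host


# Constructed sample URLs (not indicators from the campaign)
SAMPLES = [
    "https://managewp.com/login",
    "https://orion.managewp.com/",
    "https://managewp.com.login-portal.example/",
    "https://managewp.com@login-portal.example/",
    "https://evilmanagewp.com/",
    "http://managewp.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = check_login_url(sample)
        print(("ALLOW" if ok else "BLOCK"), sample, "->", reason)
```
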
Conclusion
The ManageWP phishing attack demonstrates how attackers are abusing Google Ads and real-time phishing infrastructure to target WordPress administrators and GoDaddy users.
By impersonating trusted login portals and intercepting live authentication sessions, attackers may be able to compromise large numbers of connected websites through a single stolen account. As phishing campaigns become more advanced, organizations must rely more heavily on layered account protections and careful URL verification.

