
Hackers are using sponsored Google search results to steal ManageWP credentials, raising fresh concerns over the exposure of agencies, developers and businesses that administer large fleets of WordPress websites through a single GoDaddy-owned dashboard.
The campaign places a fraudulent advertisement above the legitimate ManageWP search result, copying the platform’s branding and directing users to a look-alike login page. Victims who search for ManageWP rather than typing the official address manually are led into an adversary-in-the-middle phishing flow that captures credentials and two-factor authentication codes in real time.
ManageWP is used by web professionals to maintain multiple WordPress installations from one panel, handling updates, backups, uptime monitoring and other administrative tasks. That centralised model gives attackers a potentially large reward from a single successful compromise. The ManageWP Worker plugin is active on more than 1 million websites, while the platform itself says more than 2 million websites are managed through its service.
The attack differs from conventional credential harvesting because the fake site does not merely collect usernames and passwords for later use. Instead, the phishing infrastructure proxies the victim’s login attempt to the genuine ManageWP service as it happens. Once the user submits credentials, the attacker can immediately request a two-factor authentication code through a counterfeit prompt that mirrors the legitimate challenge.
Security researchers who examined the operation found that stolen credentials were being passed to an attacker-controlled Telegram channel, giving operators immediate visibility into each attempted login. The phishing backend also appeared to include an interactive command panel, allowing operators to guide victims through each stage of the login process and adapt to security prompts dynamically.
Such a setup can weaken the protection usually provided by two-factor authentication. One-time codes remain valuable against many attacks, but real-time proxy phishing can defeat them when victims enter the code into a hostile page while an attacker is simultaneously attempting to log in to the genuine service. Passkeys, hardware security keys and domain-bound authentication methods offer stronger resistance because they are designed to validate the real website domain before approving access.
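The domain binding described above, as an added example that is not code from ManageWP or from the researchers: a relying party's origin and RP ID checks on a WebAuthn assertion, run against a constructed browser response from the real login origin and from a look-alike one. The RP ID, origins, challenge value and function names are assumed placeholders, and signature verification is left out so the block runs with the standard library only.

```python
import hashlib
import json

# Assumed placeholder values, not taken from the article.
RP_ID = "dashboard.example"
ALLOWED_ORIGINS = {"https://login.dashboard.example"}


def simulate_browser(page_origin, challenge):
    """Constructed stand-in for the browser and authenticator output."""
    # The browser, not the page script, writes the origin it actually loaded.
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    host = page_origin.split("://", 1)[1]
    # Browsers accept an RP ID only if it is the page host or a parent domain
    # of it, so a look-alike page can only get assertions scoped to itself.
    rp_id = RP_ID if host == RP_ID or host.endswith("." + RP_ID) else host
    flags = bytes([0x05])  # user present + user verified
    counter = (1).to_bytes(4, "big")
    return client_data, hashlib.sha256(rp_id.encode()).digest() + flags + counter


def domain_binding_failures(client_data_json, auth_data, expected_challenge):
    """Return reasons the assertion fails the relying party's domain checks."""
    failures = []
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        failures.append("wrong type")
    if client_data.get("challenge") != expected_challenge:
        failures.append("challenge mismatch")
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        failures.append("origin not allowed")
    if len(auth_data) < 37:
        failures.append("authenticatorData too short")
    elif auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failures.append("rpIdHash mismatch")
    elif not auth_data[32] & 0x01:
        failures.append("user presence flag not set")
    # A full verifier then checks the signature over
    # auth_data + SHA-256(client_data_json) with the registered public key.
    return failures


if __name__ == "__main__":
    for origin in ("https://login.dashboard.example", "https://login-dashboard.example"):
        print(origin, domain_binding_failures(*simulate_browser(origin, "c-123"), "c-123"))
```

A one-time code carries no such origin field, which is why it stays valid when typed into a proxying page and relayed.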
The immediate risk is not limited to the ManageWP account itself. A compromised dashboard could allow attackers to inspect connected sites, change administrative settings, deploy malicious plugins, alter content, disable security tools or create new administrator accounts. For agencies and freelancers, one stolen login could expose dozens or hundreds of client websites. For enterprises, it could create a route into brand sites, campaign pages, customer portals or internal publishing systems.
The abuse of Google Ads also shows how search behaviour has become part of the attack surface. Many administrators rely on search engines to reach routine login pages rather than using bookmarks or password-manager launch links. Criminal groups exploit that habit by buying sponsored placements that appear above organic results, especially for commercial software names, advertising platforms, crypto services, password managers and web administration tools.
Google’s ad policies prohibit misrepresentation, phishing and attempts to collect sensitive information through deceptive destinations. The company has also expanded automated and human review systems to detect malicious advertising at scale. Yet malvertising remains difficult to eliminate because attackers rotate domains, compromise legitimate ad accounts, use cloaking tools and design landing pages that behave differently for reviewers and real targets.
The ManageWP case fits a broader pattern in which sponsored search results are being used to impersonate high-value business tools. Previous campaigns have targeted advertising accounts, remote monitoring products, enterprise software portals and cryptocurrency platforms. Some operations focus on stealing credentials, while others distribute malware or gain control of ad budgets to finance further fraud.
Website owners and agencies are being urged to avoid searching for login portals and instead use saved bookmarks, password managers or direct entry of verified URLs. Administrators should inspect browser address bars before entering credentials, report suspicious sponsored results, rotate passwords after any suspected exposure and review ManageWP account activity for unfamiliar sessions, added users or unexpected changes to connected websites.