May 08, 2026 · 11 min read
Google's Top Result for 'ManageWP' Was a Phishing Site—Each Stolen Login Controls Hundreds of WordPress Sites
Guardio Labs uncovered a sponsored Google Ad ranking above the real GoDaddy ManageWP login. The fake page proxies the credentials in real time, intercepts the 2FA prompt, and hands the operator a live session inside an account that controls hundreds of WordPress sites at once.
What Happened
On May 6, 2026, Guardio Labs published research on an active phishing campaign targeting ManageWP, GoDaddy's centralized administration platform for WordPress sites. The attack is simple in shape: buy a Google Ad, rank it above the real ManageWP login, and relay every credential a victim types through a real-time adversary-in-the-middle (AiTM) framework.
Guardio researcher Nati Tal infiltrated the attackers' command and control panel and watched the campaign run live. At the time of publication, 200 ManageWP accounts had already been compromised. Each of those accounts is an inflection point. As Tal noted: "each ManageWP account typically hosts hundreds of sites."
The ManageWP plugin is installed on more than one million WordPress sites worldwide. The math is alarming: 200 stolen logins do not represent 200 compromised sites. They represent tens of thousands.
How the Attack Works
The flow is engineered to defeat both user instinct and 2FA. Step by step:
- A WordPress agency owner Googles "managewp" because that is faster than typing the URL.
- The first result is a sponsored Google Ad styled to match ManageWP's branding. The legitimate domain sits one slot below.
- The user clicks the top result and lands on a near-pixel-perfect clone of the ManageWP login page.
- The user types a username and password. The cloned page forwards those credentials to the real ManageWP in real time and brings back the genuine 2FA prompt.
- The 2FA code goes through the same proxy. The attacker now has a live, authenticated session.
- The credentials—and the active session—are pushed into a Telegram channel that the operator controls.
Guardio characterizes the C2 not as an automated phishing kit but as an interactive panel with dropdown commands. An operator sits behind it and chooses how to handle each victim's session. If the user gets a 2FA prompt that requires an extra input, the operator can request it. If a victim hesitates and tries to hit "back," the operator can show a fake error and try again. The attack is operator driven, not script driven.
The phishing framework appears to be privately built rather than rented. Embedded code contained Russian-language disclaimers, suggesting a Russian-speaking developer, but there is no public attribution to a known group.
Why the AiTM Pattern Beats 2FA
For a decade, security guidance on phishing has rested on three pillars: check the URL, check the certificate, turn on 2FA. The AiTM pattern was designed specifically to shrug off all three.
- The URL. The user did not type a URL—they clicked a Google Ad. The ad's display URL was branded as managewp.com. The destination URL was something else. By the time the user could read the address bar, they were already on the cloned page.
- The certificate. The cloned page had a valid HTTPS certificate. Free certs from Let's Encrypt are trivial to provision for any domain.
- The 2FA code. The proxy passed it through to the real site. The real site accepted it. The user got logged in and saw nothing wrong. The attacker got the session token.
AiTM is now the dominant phishing pattern of 2026. The same technique drove the Microsoft 365 "code of conduct" campaign that hit 35,000 users in 72 hours. It is also at the core of ConsentFix v3, the Azure CLI OAuth phishing toolkit that does not even need a password to take over an active session. The ManageWP campaign is the same pattern aimed at a higher value target—a single credential controlling many sites.
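As an added illustration of the contrast this section draws, and of the hardware-key recommendation in the defensive steps further down, here is a simplified relying-party check showing why a TOTP code relayed by the proxy is accepted while a WebAuthn assertion produced on a phishing page is rejected. This is example code written for this page, not Guardio's, GoDaddy's or ManageWP's; the phishing origin is a constructed placeholder, and HMAC-SHA256 stands in for the authenticator's public-key signature so the example runs on the standard library alone.

```python
"""Why a relayed TOTP code passes but a relayed WebAuthn assertion fails.

Added example, not code from Guardio, GoDaddy or ManageWP. REAL_ORIGIN is the
genuine managewp.com; PHISH_ORIGIN is a constructed placeholder. HMAC-SHA256
stands in for the authenticator's public-key signature (stdlib only); the
origin/rpIdHash binding shown is what WebAuthn relying-party verification checks.
"""
import hashlib
import hmac
import json

REAL_ORIGIN = "https://managewp.com"
RP_ID = "managewp.com"                              # RP ID the credential was registered for
PHISH_ORIGIN = "https://managewp-login.example"     # constructed lookalike, not a real site

def totp_login(password_ok: bool, code: str, expected_code: str) -> bool:
    """Real site's TOTP check: a code relayed through an AiTM proxy is indistinguishable."""
    return password_ok and hmac.compare_digest(code, expected_code)

def authenticator_assert(cred_secret: bytes, page_origin: str, challenge: bytes) -> dict:
    """What browser + authenticator produce on the page the user is really on.
    The browser writes its own origin into clientDataJSON and scopes the RP ID to
    it, so a phishing page cannot make the assertion claim managewp.com."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}).encode()
    rp_id = page_origin.split("://", 1)[1]                       # assumes no port/path
    auth_data = hashlib.sha256(rp_id.encode()).digest()          # rpIdHash
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(cred_secret, to_sign, hashlib.sha256).digest()}

def rp_verify(cred_secret: bytes, assertion: dict, challenge: bytes) -> bool:
    """Relying-party steps: type, origin, challenge, rpIdHash, then signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("origin") != REAL_ORIGIN:
        return False                  # a proxied assertion is rejected here
    if cd.get("challenge") != challenge.hex():
        return False                  # replayed or mismatched challenge
    if assertion["authenticatorData"] != hashlib.sha256(RP_ID.encode()).digest():
        return False                  # credential scoped to a different RP ID
    to_sign = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_secret, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def simulate(page_origin: str) -> bool:
    """Victim completes WebAuthn on page_origin; the proxy relays the assertion verbatim."""
    secret = b"constructed-credential-secret"
    challenge = b"\x01" * 32          # fixed so the example is deterministic
    return rp_verify(secret, authenticator_assert(secret, page_origin, challenge), challenge)
```

The relayed TOTP path returns True for a correct code regardless of where the user typed it; `simulate(PHISH_ORIGIN)` returns False at the origin check even though nothing in the relayed bytes was altered.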
Why the Sponsored Ad Layer Matters
Most users learned to be suspicious of phishing emails. Most users have not learned to be suspicious of paid search ads. There is no "this ad is suspicious" muscle memory because Google's branding has spent twenty years training the public that anything Google promotes has been vetted.
It has not been vetted in any meaningful sense. Google Ads' verification covers payment methods and basic identity claims. It does not check whether a fresh advertiser running a "managewp.com" ad is the same entity that owns ManageWP. The same gap drove a long running wave of cryptocurrency wallet phishing, fake Bitwarden installer ads, and the recent Storm-2755 campaign that poisoned "Office 365" search results to redirect employees' paychecks.
The asymmetry is structural. The legitimate brand can spend money to outrank the impostor, but only by paying Google more than the attacker is willing to. The attacker is happy to pay because the average ManageWP account is worth far more than the click cost. As long as that math holds, the attacker keeps showing up at the top of the page.
What Happens to a Compromised ManageWP Account
A WordPress agency that uses ManageWP usually administers 50, 200, or several hundred client sites from one dashboard. The dashboard exists to let agencies push updates, install plugins, run backups, and add admin users across the whole fleet at once.
An attacker with access to that dashboard can:
- Inject a malicious plugin into every site at once. ManageWP supports bulk plugin installation specifically for legitimate agency workflows. The same workflow ships SEO spam, credit card skimmers, or backdoors to every client site in a single click.
- Exfiltrate every customer email address stored on those sites. WooCommerce stores in particular hold full order histories with names, addresses, and email addresses.
- Send phishing emails from every domain in the portfolio. Mail sent from the real domain of a real business clears DKIM, DMARC, and SPF. It is the same problem that made the Amazon SES IAM key leaks so dangerous, except now the attacker controls the entire WordPress site, not just an outbound mail relay.
- Plant persistence inside themes and core files. Cleaning up a compromised WordPress site requires more than rotating the password. It requires checking every file for a backdoor.
For the end visitors, the consequence is downstream. Every client of the compromised agency now hosts attacker controlled code without knowing it. Every customer email address on those sites is now an attacker harvest.
Indicators and Defensive Steps
If you administer a ManageWP account or work with an agency that does, the steps for the next 24 hours are uncomplicated:
- Stop reaching login pages through search. Type managewp.com directly. Bookmark it. Do the same for every other admin console—WordPress, Cloudflare, GoDaddy, AWS. Search ads are no longer trustworthy as a navigation tool.
- Force a session reset. Log out of every active session in ManageWP and re-authenticate. AiTM attacks steal session cookies, not just passwords—rotating the password alone leaves the attacker logged in.
- Move to a phishing-resistant 2FA factor. Six-digit codes from an authenticator app are still vulnerable to an AiTM proxy. Hardware keys (FIDO2/WebAuthn) are not, because the device only releases its assertion to the real domain. ManageWP supports it. Turn it on.
- Audit the connected sites. Look for newly installed plugins, recently created admin users, and theme files modified in the past 30 days.
- Check Telegram exposure for your domain. If your credentials were stolen, they sit in an attacker Telegram channel. Treat any password used at ManageWP as exposed and rotate it everywhere.
- Block ad-served navigation through enterprise DNS or browser policy if you can. Some admin teams have started blocking googleadservices.com redirects to break this exact technique. The user experience cost is small. The attack surface reduction is meaningful.
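A defender-side check in the spirit of the last item above, added here as example code and not part of Guardio's or ManageWP's material: scan proxy log lines for ad-click redirects that land on a host impersonating a protected console brand. The log format and the lookalike hostnames are constructed assumptions; the only real hostnames used are managewp.com and googleadservices.com, both named in the text.

```python
"""Flag search-ad clicks that land on lookalikes of a protected admin console.

Added example, not from Guardio or ManageWP. The proxy log lines are constructed
(timestamp user referer destination); the lookalike hosts are placeholders. The
only real hostnames are managewp.com and googleadservices.com, named in the article.
"""
from typing import Optional
from urllib.parse import urlsplit

# Brand keyword staff search for, mapped to the one legitimate registrable domain.
PROTECTED = {"managewp": "managewp.com"}
AD_REDIRECTORS = {"googleadservices.com", "www.googleadservices.com"}

CONSTRUCTED_LOG = """\
2026-05-07T09:01:12Z alice https://www.google.com/ https://www.googleadservices.com/pagead/aclk?adurl=https://managewp-login.example/
2026-05-07T09:01:13Z alice https://www.googleadservices.com/pagead/aclk https://managewp-login.example/login
2026-05-07T09:03:40Z bob https://www.google.com/ https://managewp.com/login
2026-05-07T09:05:02Z carol https://www.googleadservices.com/pagead/aclk https://managewp.com/login
2026-05-07T09:07:55Z dave https://www.googleadservices.com/pagead/aclk https://secure-managewp.example/account
"""

def registrable(host: str) -> str:
    """Last two labels of a hostname; adequate for .com-style names, not a PSL lookup."""
    return ".".join(host.lower().split(".")[-2:])

def is_lookalike(host: str) -> Optional[str]:
    """Brand the host impersonates, or None for the real domain or an unrelated host."""
    h = host.lower()
    for brand, real_domain in PROTECTED.items():
        if brand in h and registrable(h) != real_domain:
            return brand
    return None

def flag_ad_lookalikes(log: str) -> list:
    """Events where an ad-click redirector referred a user onto a brand lookalike."""
    hits = []
    for line in log.splitlines():
        ts, user, referer, dest = line.split(" ", 3)
        ref_host = urlsplit(referer).hostname or ""
        dest_host = urlsplit(dest).hostname or ""
        brand = is_lookalike(dest_host)
        if ref_host in AD_REDIRECTORS and brand:
            hits.append({"ts": ts, "user": user, "host": dest_host, "brand": brand})
    return hits
```

A legitimate ad click onto managewp.com (carol) and direct navigation (bob) produce no alert; only the two users who followed an ad onto a lookalike host are flagged.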
The Bigger Pattern
Phishing in 2026 has stopped being a numbers game and become a leverage game. The volume tactics that defined the field a decade ago—blast a million emails, hope thousands click—still exist, but the campaigns that matter are the ones that hunt for accounts where one stolen credential controls hundreds of downstream targets.
ManageWP is one example. Salesforce admin accounts were another. SaaS integrator credentials are a third. The shape of the attack does not change. The shape of the target does. The attacker's job is to find a credential whose blast radius is many orders of magnitude larger than the cost of phishing it. The defender's job is to recognize which of their credentials fits that description—and to harden them with hardware backed authentication before someone buys an ad to take them.