A phishing attack that abuses Google sponsored ads has put at risk WordPress site administrators who use ManageWP, the GoDaddy platform for managing multiple installations from a single panel. Instead of a static page that only steals credentials, the attackers have deployed an adversary-in-the-middle (AitM) scheme: the fake website acts as a real-time proxy between the victim and the legitimate service, capturing the username, password and two-factor code as they are entered.
The choice of Google Ads as a vector is no accident: security researchers have shown that the malicious result can appear above the legitimate link when a user searches for "managewp," which exploits the trust and habit of those who use search engines to find the login page for their tools. By taking this route, the attackers turn an everyday interaction into an immediate entry point for taking control of accounts that usually manage hundreds of sites.

The real risk comes from the very nature of ManageWP: it is a centralized panel whose capabilities include updates, access and automation across multiple WordPress sites. Its "worker" plugin, which provides that control, is active on more than a million installations according to the official WordPress repository (https://wordpress.org/plugins/worker/), so a compromised account can amplify the damage well beyond a single website. The campaign was publicly reported and documented by security media (https://www.bleepingcomputer.com/), which in turn cite the work of the researchers who tracked the attackers' infrastructure.
In addition to stealing credentials, the operators sent the information to a Telegram channel and controlled the scam through an interactive C2 panel that allowed targeted, real-time operation; it does not appear to be a generic commercial tool but a private framework with an operator interface. This degree of "human-in-the-loop" increases sophistication: the attacker responds dynamically to the user's steps (for example, requesting the 2FA code) and completes the account takeover while the victim still believes they are authenticating normally.
The practical implications for agencies, developers and teams that manage customer sites are serious: a compromised account can give access to plugins and themes, allow backdoors to be injected into multiple sites, launch spam campaigns or even deploy ransomware or large-scale reputation abuse. That is why it is essential to understand that this threat is not just "another phishing email," but an attack designed to defeat 2FA and capitalize on the centralization of privileges.
If you are a ManageWP administrator or manage WordPress at scale, there are concrete and immediate measures that reduce the risk: bookmark and use only the official service URL (or better, access it from a link saved in your password manager), enable and prioritize hardware-based authentication methods such as FIDO2 / WebAuthn instead of SMS or TOTP codes where possible, and segment accounts: avoid using the same ManageWP account for the entire inventory if you can delegate permissions. The "worker" plugin and associated API credentials should also be reviewed and updated.
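Why the advice above prefers FIDO2 / WebAuthn to TOTP against a real-time proxy, shown as an added example that is not from the original article. The `.example` domains are constructed placeholders, the function names are hypothetical, and the signature verification a real relying party also performs is left out to keep the origin binding in view.

```python
import base64, hashlib, hmac, json, struct
from urllib.parse import urlsplit

RP_ID = "managewp.example"            # placeholder RP ID, not the real service's
RP_ORIGIN = "https://managewp.example"
PROXY_ORIGIN = "https://managewp-login.example"   # constructed look-alike origin

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def server_accepts_totp(secret: bytes, submitted: str, now: int) -> bool:
    # The server sees six digits; nothing binds them to the site they were typed into.
    return hmac.compare_digest(totp(secret, now), submitted)

def browser_get_assertion(page_origin: str, rp_id: str, challenge: bytes) -> dict:
    """Simplified model of the browser side of navigator.credentials.get()."""
    host = urlsplit(page_origin).hostname
    if host != rp_id and not host.endswith("." + rp_id):
        # Browsers refuse an rpId that does not match the page's own domain.
        raise PermissionError("rpId is not valid for this origin")
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": page_origin,      # written by the browser, not by the page
    }).encode()
    return {"clientDataJSON": client_data,
            "rpIdHash": hashlib.sha256(rp_id.encode()).digest()}

def rp_verify(assertion: dict, challenge: bytes) -> list:
    """Relying-party checks; returns the names of failed checks (empty = pass)."""
    cd = json.loads(assertion["clientDataJSON"])
    expected = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    failed = []
    if cd.get("type") != "webauthn.get":
        failed.append("type")
    if not hmac.compare_digest(cd.get("challenge", ""), expected):
        failed.append("challenge")
    if cd.get("origin") != RP_ORIGIN:
        failed.append("origin")
    if assertion["rpIdHash"] != hashlib.sha256(RP_ID.encode()).digest():
        failed.append("rpIdHash")
    return failed
```

A TOTP code typed into the proxy page is still a valid code when it reaches the real server, whereas the assertion carries the origin the browser actually loaded, so the relying party can reject it.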

If you suspect that your account was compromised, act quickly: change the password from a clean device, revoke all active sessions and ManageWP tokens, reset or reissue the access keys, review activity and audit logs for unauthorized actions and run an integrity scan on managed sites. If there is evidence of site intrusion, consider restoring from a previous backup and auditing files and administrative users in each installation.
Organizations and suppliers should complement individual practices with technical controls: DNS filters or proxies that block suspicious domains, ad-blocking policies in management environments, detection of sign-in anomalies and alerts on changes to account settings. It is also vital to report fraudulent ads and pages to Google and GoDaddy / ManageWP to speed up removal, and to warn affected customers to change credentials and review their assets.
Finally, this case highlights a trend: attackers invest in usability and real-time operations to overcome traditional controls and user skepticism. There is no single best defense, but rather a combination of digital hygiene (unique passwords and password managers), strong authentication (prefer FIDO / WebAuthn keys) and organizational controls that limit the blast radius of a stolen credential. Monitor access, communicate with your customers and treat centralized management as a critical asset whose security deserves regular policies and reviews.