# Hackers Turn Google Ads into WordPress Management Credential Harvester


A sophisticated phishing campaign is exploiting Google's search advertising platform to deliver credential-stealing attacks against users of ManageWP, GoDaddy's WordPress site management service. By poisoning search results with malicious paid ads, threat actors are successfully harvesting login credentials from website administrators who believe they're accessing the legitimate platform.


## The Threat


Security researchers have identified an active phishing campaign where attackers purchase Google Ads that appear at the top of search results for "ManageWP login" and similar queries. When users click these ads, they're redirected to convincingly crafted phishing pages designed to steal their ManageWP credentials. Once compromised, attackers gain access to accounts that typically manage dozens or even hundreds of WordPress websites across a single dashboard.


The attack surface is significant: A single compromised ManageWP account gives attackers administrative access to multiple WordPress installations, enabling them to:

  • Deploy malware across dozens of websites simultaneously
  • Inject malicious code into live websites serving thousands of users
  • Exfiltrate customer data from e-commerce sites
  • Launch supply-chain attacks against business customers
  • Install backdoors for persistent access
  • Deface websites for reputational damage

The campaign represents a particularly effective abuse of Google's advertising system, where attackers exploit users' trust in search results and the ad platform's inability to catch sophisticated phishing attacks before they go live.


## Background and Context

ManageWP is a popular WordPress management platform acquired by GoDaddy, offering centralized control over multiple WordPress installations. The platform allows developers, agencies, and site administrators to manage updates, backups, security scans, and performance across an entire fleet of WordPress sites — making it an attractive target for attackers seeking broad access.

This isn't the first time threat actors have abused legitimate search advertising platforms for phishing:

| Year | Target | Method | Impact |
|---|---|---|---|
| 2023 | Microsoft/Office 365 | Malicious Bing/Google ads | Enterprise credential theft |
| 2022 | PayPal/eBay | Sponsored search phishing | Financial account compromise |
| 2021 | AWS/Azure | Cloud platform ads | Infrastructure access |

The tactic remains effective because:

  • User trust in ads: Users assume Google's vetting process filters malicious content
  • Search context: Users searching for login pages are primed to enter credentials
  • Speed: Attackers can launch ads quickly before detection
  • Attribution: Ad networks make it difficult to trace perpetrators
  • ROI: Each compromised account can lead to dozens of website breaches

## Technical Details

### How the Attack Works

1. Ad Placement: Attackers purchase Google Ads using spoofed or compromised accounts, bidding on high-intent keywords like "ManageWP login," "manage.wp," and related terms.

2. Landing Page Redirection: The ad links to a near-perfect replica of the ManageWP login page, hosted on attacker-controlled infrastructure or compromised domains.

3. Credential Capture: The phishing page harvests the user's email and password when they attempt to log in.

4. Session Hijacking: Attackers immediately use stolen credentials to log into legitimate ManageWP accounts, often before the real user notices anything unusual.

5. Persistence and Exploitation: Once inside, attackers add backdoor accounts, extract API tokens, and begin deploying malware across connected WordPress sites.


### Why This Works


  • Visual Authenticity: The phishing pages are pixel-perfect replicas of the legitimate ManageWP login interface
  • No Suspicious Links: Users see a Google-owned ad, reducing suspicion
  • Timing: The attack capitalizes on users actively searching for the login page — they're expecting to enter credentials
  • HTTPS Misguidance: Attackers often use SSL certificates on phishing domains, which users incorrectly assume means the site is legitimate

## Implications

### For Website Administrators

Website owners and developers relying on ManageWP face significant exposure. A single compromised account can result in:

  • Malware distribution across all managed sites
  • Data breaches affecting end-users and customers
  • SEO poisoning and search ranking penalties
  • Legal liability for compromised customer data
  • Downtime while sites are cleaned and restored

### For WordPress Ecosystem

This attack demonstrates a broader vulnerability in centralized management platforms. The WordPress ecosystem depends on tools like ManageWP to scale administration, but that same centralization creates attractive high-value targets for cybercriminals.

### Broader Threats

The success of this campaign highlights systemic vulnerabilities:

  • Search advertising trust: Users inherently trust paid search results, creating a false sense of legitimacy
  • Phishing sophistication: Attackers have become skilled at replicating login interfaces with near-perfect accuracy
  • Supply-chain risk: WordPress sites aren't just individual targets — they're nodes in larger networks
  • Detection gaps: Google's detection mechanisms fail to catch sophisticated phishing before ads go live

## Recommendations

### For ManageWP Users

Immediate Actions:

  • Verify login URLs carefully — Check the address bar before entering credentials. ManageWP's official domain is manage.wp
  • Enable two-factor authentication (2FA) — Even if credentials are compromised, 2FA prevents unauthorized access
  • Review connected sites — Log into ManageWP and confirm all listed sites are legitimate
  • Check for unauthorized accounts — Examine the user management section for unfamiliar admin accounts added by attackers
  • Change your password — Use a unique, strong password different from other accounts
  • Use a password manager — Password managers can detect phishing by refusing to autofill credentials on non-matching domains
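
The origin check behind the password-manager recommendation, as an added example that is not part of the original article: credentials are filled only when the page's host is the trusted domain or a true subdomain of it. `TRUSTED_DOMAIN` is an assumption to replace with the login domain from your own bookmark or the vendor's documentation, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Assumption: replace with the login domain from your own bookmark or the
# vendor's documentation. This value is not taken from the article.
TRUSTED_DOMAIN = "managewp.com"

def autofill_allowed(url, trusted=TRUSTED_DOMAIN):
    """Decide, as a password manager's origin match would, whether to fill."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    if not host:
        return False, "no host"
    # Homoglyph lookalikes arrive as non-ASCII hosts or their xn-- encoding.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "non-ASCII or punycode host"
    # Exact domain or a true subdomain: the suffix must start at a label boundary.
    if host == trusted or host.endswith("." + trusted):
        return True, "host matches trusted domain"
    if trusted.split(".")[0] in host:
        return False, "brand name in unrelated host"
    return False, "unrelated host"

# Constructed sample destinations (hypothetical hosts under reserved names).
SAMPLES = [
    "https://managewp.com/login",
    "https://managewp.com.signin-portal.example/login",  # trusted name as a prefix
    "https://managewp.com@login.example.net/",           # trusted name in userinfo
    "https://xn--managewp-9za.example/login",            # encoded lookalike label
    "http://managewp.com/login",                         # right host, no TLS
]

if __name__ == "__main__":
    for url in SAMPLES:
        allowed, reason = autofill_allowed(url)
        print(f"{'FILL ' if allowed else 'BLOCK'} {reason:32} {url}")
```

The same function can screen the destination URLs in proxy or DNS logs for hosts that carry the brand name without belonging to the trusted domain.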

Ongoing Protection:

  • Use direct bookmarks to the ManageWP login page, bypassing search results entirely
  • Be suspicious of top search results — Legitimate sites don't always appear at the very top
  • Hover over ad links to verify the destination URL before clicking
  • Set up alerts on managed sites to detect suspicious administrative changes
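
One way to alert on suspicious administrative changes across every managed site, as an added example that is not part of the original article: each site's current administrator list is compared with a known-good baseline. The input shape is assumed to match WP-CLI's `wp user list --role=administrator --fields=user_login,user_registered --format=json`; the sites, logins and dates are constructed.

```python
import json
from collections import Counter
from datetime import datetime

def unexpected_admins(baseline, snapshots, cutoff):
    """Compare each site's administrator list against a known-good baseline.

    baseline:  {site: set of approved admin logins}
    snapshots: {site: JSON text of that site's current administrators}
    cutoff:    datetime of the suspected credential theft
    """
    findings = []
    for site in sorted(snapshots):
        approved = baseline.get(site, set())
        for user in json.loads(snapshots[site]):
            login = user["user_login"]
            created = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
            if login not in approved:
                findings.append((site, login, "not in baseline"))
            elif created >= cutoff:
                # Approved name, but the account is newer than the incident:
                # it may have been deleted and re-created.
                findings.append((site, login, "re-created after cutoff"))
    return findings

def fleet_wide(findings, min_sites=2):
    """Logins flagged on several sites at once, as a dashboard takeover would leave."""
    counts = Counter(login for _, login, _ in findings)
    return sorted(login for login, n in counts.items() if n >= min_sites)

# Constructed sample data (hypothetical sites and accounts).
BASELINE = {"shop.example": {"alice"}, "blog.example": {"alice", "bob"}}
SNAPSHOTS = {
    "shop.example": '[{"user_login":"alice","user_registered":"2021-03-02 09:15:00"},'
                    '{"user_login":"wp_support","user_registered":"2025-01-10 02:41:07"}]',
    "blog.example": '[{"user_login":"alice","user_registered":"2021-03-02 09:20:00"},'
                    '{"user_login":"bob","user_registered":"2025-01-10 02:43:55"},'
                    '{"user_login":"wp_support","user_registered":"2025-01-10 02:42:30"}]',
}
CUTOFF = datetime(2025, 1, 9)

if __name__ == "__main__":
    found = unexpected_admins(BASELINE, SNAPSHOTS, CUTOFF)
    for row in found:
        print(*row, sep="\t")
    print("fleet-wide:", fleet_wide(found))
```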

### For Organizations


  • Security awareness training — Teach employees to identify phishing campaigns and verify URLs before logging in
  • Single Sign-On (SSO) — Implement identity federation to reduce credential exposure
  • Audit logs — Enable and regularly review logs of ManageWP account access and changes
  • API token rotation — Regularly rotate API tokens used by ManageWP integrations
  • IP whitelisting — Restrict ManageWP access to trusted IP ranges when possible

### For Google and Ad Platforms


  • Faster phishing detection — Implement machine learning to identify phishing pages linked from ads
  • Domain verification — Require verified ownership of linked domains before approval
  • Advertiser vetting — Strengthen checks on new advertiser accounts
  • User education — Display warnings about phishing risks on high-intent login searches

## Conclusion

This campaign underscores a critical weakness in how we trust digital infrastructure: the assumption that search results are pre-vetted and safe. As attackers grow more sophisticated in replicating legitimate login interfaces, users and organizations must adopt multi-layered protection strategies — from 2FA and password managers to regular security audits and awareness training.

For WordPress administrators using centralized management tools, vigilance around credential security isn't optional. In an ecosystem where a single compromised account cascades across dozens of live websites, the cost of a phishing attack can be measured in compromised customer data, reputational damage, and extensive remediation efforts.

Stay alert when clicking search results, verify URLs before logging in, and maintain strong access controls across all managed infrastructure.