Critical GoDaddy ManageWP Flaw Lets Attackers Steal Credentials
Key Takeaways A sophisticated phishing campaign, dubbed “WrongPress,” is targeting GoDaddy ManageWP users through deceptive Google advertisements. Attackers are using fake sponsored...
Key Takeaways
- A sophisticated phishing campaign, dubbed “WrongPress,” is targeting GoDaddy ManageWP users through deceptive Google advertisements.
- Attackers are using fake sponsored search results to direct users to highly convincing imposter login pages.
- The campaign employs an Adversary-in-the-Middle (AiTM) technique to bypass two-factor authentication and steal credentials in real-time.
- Compromised ManageWP accounts pose a significant risk, potentially granting attackers control over hundreds of WordPress websites.
Cybercriminals are leveraging fraudulent Google advertisements to compromise login credentials for GoDaddy’s ManageWP platform, a critical tool for centralized WordPress website administration. This ongoing operation, identified as “WrongPress” by researchers, positions malicious sponsored search results above legitimate ManageWP listings, effectively luring users into a credential harvesting scheme before they can discern the deception.
Table Of Content
ManageWP is extensively utilized by web developers, digital agencies, and enterprises to oversee numerous client websites simultaneously. The compromise of a single ManageWP account can therefore provide attackers with a substantial foothold across an entire portfolio of web properties. With the ManageWP Worker plugin active on over one million websites, according to WordPress.org, the potential impact of such an attack is exceptionally high.
The “WrongPress” Attack Vector
The attack sequence initiates when a user searches for “managewp” on Google. A malicious sponsored advertisement appears prominently at the top of the search results, directly above the authentic ManageWP listing. Researchers at Guardio Labs were the first to detect this campaign, cautioning that even vigilant users might fall prey due to the convincing placement of the fake result.
The sophistication of this campaign lies in its meticulously crafted fake login page, which is an almost identical replica of the genuine ManageWP interface. This near-perfect mimicry leaves few, if any, discernible red flags for the average user. Upon entering their username and password, victims’ credentials are surreptitiously transmitted to an attacker-controlled Telegram channel.
Hackers Exploit Google Ads for Credential Theft
Guardio Labs confirmed at least 200 unique victims at the time of their report and has been actively informing those affected. The research team also successfully infiltrated the attackers’ command-and-control (C2) infrastructure, providing valuable insights into the real-time operational scale of the campaign.
The infection chain is engineered to evade both Google’s ad review mechanisms and user suspicion. When a victim clicks the malicious ad, they are first routed through a cloaker. This tool selectively filters out automated inspection systems while allowing genuine users to proceed, thereby concealing the true origin of the sponsored result and bypassing Google’s scrutiny. For a detailed technical breakdown, see the Guardio Labs report.
Once a genuine visitor is approved by the cloaker, they are redirected to a fake ManageWP login page where an Adversary-in-the-Middle (AiTM) technique is deployed. The attacker’s server functions as a real-time proxy, forwarding stolen credentials to the legitimate ManageWP platform. The victim is then presented with a fraudulent prompt for their two-factor authentication (2FA) code, which the attacker simultaneously uses to complete the actual login, effectively nullifying the protection offered by 2FA.
The operation’s management is facilitated by a C2 server that provides the attackers with a live dashboard to oversee ongoing phishing sessions. Guardio Labs observed that the phishing kit appears to be a proprietary framework, not a readily available tool on underground markets. A Russian-language disclaimer within the code explicitly disavows responsibility for illegal activities and prohibits targeting systems within Russia.
The Extensive Risk to WordPress Site Owners
The implications of this attack extend significantly beyond the theft of a single password. Given ManageWP’s role as a centralized management hub, a compromised account can grant an attacker control over potentially hundreds of websites concurrently. Nati Tal, head researcher at Guardio Labs, affirmed that each account typically manages numerous sites, enabling attackers to inject malware, redirect traffic, or harvest sensitive visitor data on a massive scale.
What You Should Do
- Avoid Sponsored Search Results: When navigating to login pages for frequently used services, avoid clicking on sponsored ads.
- Bookmark Official URLs: Save the official login page URL as a bookmark in your browser and use it directly.
- Type URLs Directly: Manually enter the official website address into your browser’s address bar.
- Monitor Accounts: Regularly review your ManageWP account and associated WordPress sites for any unusual activity or unauthorized logins.
- Implement Phishing-Resistant 2FA: Where supported, adopt more secure authentication methods such as hardware security keys (e.g., FIDO2/WebAuthn) which are inherently more resistant to AiTM phishing attacks than SMS or app-based 2FA.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.