A targeted adversary-in-the-middle phishing campaign is operating against GoDaddy ManageWP — the WordPress site management platform used by web agencies, developers, and managed hosting providers to centrally manage multiple client WordPress installations. The campaign, discovered by Guardio Labs, places malicious advertisements above legitimate search results for ManageWP-related queries and uses a real-time phishing proxy to steal authenticated session tokens, bypassing any MFA configuration on the target account.
Why ManageWP Is a High-Value Target
ManageWP is a multi-site WordPress management platform that provides centralised access to all WordPress sites registered under a single account. A single ManageWP account at a web agency might control hundreds of client WordPress installations — providing administrative access to all of them from one credential.
From an attacker’s perspective, one ManageWP compromise equals hundreds of WordPress compromises. Post-compromise actions available through a hijacked ManageWP session include: installing plugins across all managed sites simultaneously, modifying site content, redirecting visitor traffic, and accessing database backups containing potentially sensitive client data.
Attack Mechanics
Google Ads placement: The campaign purchases Google search advertisements targeting queries including “managewp login”, “managewp dashboard”, and “my.managewp.com”. The advertisements are designed to appear above the legitimate search result for ManageWP’s actual login page. Victims who click the advertisement without checking the URL reach the phishing proxy.
Real-time AiTM proxy: The phishing site operates a reverse proxy that forwards all authentication steps to the legitimate ManageWP login server, displaying an exact real-time replica of the authentic login flow. When the victim enters credentials and completes MFA, the completed authentication session token is captured by the proxy before being forwarded to the victim — leaving the victim logged in normally while the attacker also holds a valid session token.
Telegram exfiltration: Captured session tokens are immediately transmitted to an attacker-controlled Telegram bot, providing a notification channel and accessible credential store that does not require dedicated C2 infrastructure.
Automated account takeover: The research confirms that automation is used to immediately change the account email and password on stolen sessions, locking out the legitimate administrator before they can react.
Detection and Mitigation
Verify URLs before authenticating: ManageWP’s legitimate login URL is my.managewp.com. The phishing campaign uses domains designed to appear similar in Google Ads displays — where full URLs may be truncated. Always verify the complete URL in the browser address bar before entering credentials.
Enable hardware security keys: FIDO2 hardware authentication keys (YubiKey, Google Titan, etc.) bind authentication cryptographically to the legitimate domain: the browser stamps the page origin into the signed response and the authenticator ties it to the relying-party ID, so a challenge-response completed on a proxy site impersonating the legitimate domain is rejected by the real server. This prevents session token theft even after a successful phishing click.
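To show why the origin binding described above defeats a reverse-proxy phishing site, here is a relying-party-side check of a WebAuthn assertion, written as an added example for this article; it is not ManageWP's, GoDaddy's or Guardio's code. The relying-party ID, the allowed origin and the lookalike domain are assumed placeholder values, and the clientDataJSON and authenticatorData are constructed samples. Signature verification over the assertion is omitted so the example can focus on the binding checks that make the phished response unusable.

```python
import base64
import hashlib
import json
import secrets

# Assumed relying-party configuration for this example (placeholder domains, not ManageWP's).
RP_ID = "example-manager.test"
ALLOWED_ORIGINS = {"https://example-manager.test"}


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses in clientDataJSON."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_assertion(client_data_b64: str, authenticator_data: bytes,
                     expected_challenge: bytes) -> tuple[bool, str]:
    """Origin- and RP-binding checks a server performs before trusting an assertion."""
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except (ValueError, json.JSONDecodeError):
        return False, "clientDataJSON is not valid JSON"

    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"

    # The challenge must be the one this server issued for this login attempt,
    # so a captured response cannot be replayed against a fresh challenge.
    got_challenge = b64url_decode(client_data.get("challenge", ""))
    if not secrets.compare_digest(got_challenge, expected_challenge):
        return False, "challenge mismatch"

    # The browser, not the page, writes the origin into clientDataJSON; a proxy on a
    # lookalike domain cannot alter it without invalidating the authenticator's signature.
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not the legitimate origin"

    # authenticatorData starts with SHA-256(rpId); the browser only permits an rpId
    # that matches the domain the page was served from.
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party"

    flags = authenticator_data[32]  # bit 0: user present, bit 2: user verified
    if not (flags & 0x01) or not (flags & 0x04):
        return False, "user presence/verification flags not set"

    return True, "ok"


def make_client_data(origin: str, challenge: bytes) -> str:
    """Constructed clientDataJSON as a browser would emit it for the given page origin."""
    payload = {"type": "webauthn.get", "challenge": b64url_encode(challenge),
               "origin": origin, "crossOrigin": False}
    return b64url_encode(json.dumps(payload).encode())


def make_authenticator_data(rp_id: str, flags: int = 0x05, counter: int = 1) -> bytes:
    """Constructed minimal authenticatorData: rpIdHash (32) || flags (1) || signCount (4)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def demo() -> dict:
    challenge = secrets.token_bytes(32)
    # Login on the real site: every binding check passes.
    legit = verify_assertion(make_client_data("https://example-manager.test", challenge),
                             make_authenticator_data(RP_ID), challenge)
    # Same user on a reverse-proxy lookalike: the browser stamps the proxy's origin into
    # clientDataJSON, so the real server rejects the relayed assertion.
    proxied = verify_assertion(make_client_data("https://example-manager-login.test", challenge),
                               make_authenticator_data(RP_ID), challenge)
    # A proxy page that instead requests its own rpId fails the rpIdHash check.
    wrong_rp = verify_assertion(make_client_data("https://example-manager.test", challenge),
                                make_authenticator_data("example-manager-login.test"), challenge)
    return {"legitimate": legit, "proxied": proxied, "wrong_rp": wrong_rp}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} ({reason})")
```

Contrast this with a password plus TOTP code: both are plain strings the victim types into the proxied page, which the proxy can relay unchanged, so nothing in that exchange is tied to the domain the victim is actually looking at.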
Monitor ManageWP audit logs: Review the ManageWP audit trail for logins from unexpected geographic locations or IP addresses, and for mass plugin installation or settings changes across managed sites.
Consider IP allowlisting: ManageWP’s administrative access can be restricted to specific IP addresses. For agencies whose administrators consistently connect from known IP ranges, allowlisting prevents a stolen session token from being used from attacker infrastructure outside those ranges.
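The audit-log review and IP allowlisting advice above can be turned into a small detection pass. The following script is an added example for this article, not a ManageWP feature or Guardio tooling: it reads constructed JSON-lines audit events (the real ManageWP export format is not described in the article, so the field names, the allowlisted CIDRs, the known country and the thresholds are all assumptions) and flags logins outside the allowlist, logins from an unfamiliar country, bursts of plugin installs across many managed sites, and the account email or password changes that the campaign's automation performs after takeover.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy for this example (not ManageWP settings): the agency's known egress ranges,
# the country its staff normally log in from, and what counts as a mass change.
ALLOWED_CIDRS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]
KNOWN_COUNTRIES = {"GB"}
MASS_CHANGE_WINDOW = timedelta(minutes=5)
MASS_CHANGE_SITES = 10
TAKEOVER_EVENTS = {"account_email_change", "password_change"}


def build_sample_log() -> str:
    """Constructed audit events: one normal login, then a login from an unknown address
    followed by plugin installs on 12 client sites and an account email change."""
    lines = [
        '{"ts": "2024-05-01T08:02:11Z", "event": "login", "user": "ops@agency.example", '
        '"ip": "203.0.113.25", "country": "GB"}',
        '{"ts": "2024-05-01T08:40:03Z", "event": "login", "user": "ops@agency.example", '
        '"ip": "192.0.2.77", "country": "NL"}',
    ]
    base = datetime(2024, 5, 1, 8, 40, 3)
    for i in range(12):
        ts = (base + timedelta(seconds=30 + 4 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(json.dumps({"ts": ts, "event": "plugin_install", "user": "ops@agency.example",
                                 "site": f"client-{i:02d}.example", "plugin": "seo-helper"}))
    lines.append('{"ts": "2024-05-01T08:43:05Z", "event": "account_email_change", '
                 '"user": "ops@agency.example", "ip": "192.0.2.77"}')
    return "\n".join(lines)


def parse(text: str):
    """Yield events with the timestamp parsed; malformed lines are skipped rather than fatal."""
    for line in text.strip().splitlines():
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError):
            continue
        yield ev


def analyse(events) -> list:
    """Return (finding, user, detail) tuples for the review items in the article."""
    findings = []
    installs = defaultdict(list)  # user -> [(timestamp, site)]
    for ev in events:
        kind, user = ev.get("event"), ev.get("user", "?")
        if kind == "login":
            ip = ipaddress.ip_address(ev["ip"])
            if not any(ip in net for net in ALLOWED_CIDRS):
                findings.append(("login_outside_allowlist", user, ev["ip"]))
            if ev.get("country") not in KNOWN_COUNTRIES:
                findings.append(("login_unfamiliar_country", user, ev.get("country")))
        elif kind == "plugin_install":
            installs[user].append((ev["ts"], ev["site"]))
        elif kind in TAKEOVER_EVENTS:
            findings.append(("account_takeover_indicator", user, kind))

    # Sliding window: distinct sites touched by one user within MASS_CHANGE_WINDOW.
    for user, items in installs.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > MASS_CHANGE_WINDOW:
                start += 1
            sites = {site for _, site in items[start:end + 1]}
            if len(sites) >= MASS_CHANGE_SITES:
                findings.append(("mass_plugin_install", user,
                                 f"{len(sites)} sites within {MASS_CHANGE_WINDOW}"))
                break
    return findings


if __name__ == "__main__":
    for finding in analyse(parse(build_sample_log())):
        print(*finding, sep="\t")
```

The allowlist check is the detection-side mirror of the mitigation: even where enforcement is not enabled, a login from an address outside the agency's known ranges that is followed within minutes by account-recovery changes or fleet-wide plugin installs is exactly the sequence this campaign produces.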
For the affected population — web development agencies and managed WordPress providers — the impact radius of a single account compromise is severe. Agencies that have not reviewed ManageWP MFA settings and access controls should do so as a priority; phishing-resistant MFA should be mandatory for any account controlling production client sites.