
If you manage WordPress websites through ManageWP and recently searched for it on Google, be careful: attackers are buying sponsored search ads that look identical to the real ones but lead to a convincing fake login page. Over 200 site administrators have already had their credentials stolen. The phishing page works as a live relay — it passes your username and password directly to the attacker in real time, then also captures your two-factor authentication code so they can log in before the code expires.
ManageWP is particularly valuable to attackers because a single account often controls dozens or hundreds of WordPress sites at once. Stolen credentials can therefore lead to malware being injected into every site you manage, affecting your visitors as well as your business. No software vulnerability is exploited: clicking a sponsored search result and typing real credentials into the fake page is enough.
How to check if you’re affected
Affected accounts are any ManageWP accounts that were accessed after clicking a Google Search advertisement rather than by typing the URL directly into the browser.
- Log in to ManageWP directly at managewp.com (type the URL — do not click ads).
- Review your account’s recent login history for unfamiliar IP addresses or locations.
- Check all connected WordPress sites for new admin accounts, modified files, or injected scripts you did not add.
- If you used Google search ads to reach ManageWP in recent weeks, treat your password as compromised: reset it immediately and generate new application passwords for all connected sites.
- Enable two-factor authentication if you haven’t already, but note that a one-time code typed into the fake page is relayed to the attacker in real time, so changing your password is the priority. A phishing-resistant factor such as a hardware security key, where the service supports one, cannot be relayed this way because it is bound to the genuine origin.
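The steps above can be partly scripted. The following is an added example written for this page, not ManageWP's or WordPress's own code: it checks a clicked link against the genuine managewp.com origin (rejecting lookalike hosts such as managewp.com.evil.example, manage-wp.com and punycode hosts), and walks a WordPress document root looking for files modified after a cutoff, PHP containing common obfuscation idioms, and script tags loading from hosts outside an allowlist. The allowlist, the obfuscation patterns and the seven-day cutoff are assumptions to adjust per site, and the sample site tree it scans is constructed in a temporary directory so the script runs offline. Checking for new admin users still needs database access (for example `wp user list --role=administrator` with WP-CLI) and is not covered here.

```python
"""Post-phishing audit helpers for a WordPress install managed via ManageWP."""
import os
import re
import tempfile
import time
from urllib.parse import urlparse

LEGIT_HOST = "managewp.com"

# Assumed allowlist of hosts your pages legitimately load scripts from; tune per site.
SCRIPT_HOST_ALLOWLIST = {"managewp.com", "www.example.com", "example.com"}

# Assumed obfuscation idioms that are common in injected PHP and rare in clean code.
SUSPICIOUS_PHP = [
    re.compile(r"eval\s*\(\s*base64_decode", re.I),
    re.compile(r"gzinflate\s*\(", re.I),
    re.compile(r"str_rot13\s*\(", re.I),
    re.compile(r"preg_replace\s*\(.*/e['\"]", re.I),
]
SCRIPT_SRC = re.compile(r"<script[^>]+src=[\"']([^\"']+)[\"']", re.I)


def is_genuine_managewp(url: str) -> bool:
    """True only for https URLs whose host is managewp.com or a subdomain of it."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower().rstrip(".")
    if parsed.scheme != "https":
        return False
    if host.startswith("xn--") or ".xn--" in host:  # punycode lookalikes
        return False
    return host == LEGIT_HOST or host.endswith("." + LEGIT_HOST)


def _script_host(src: str) -> str:
    """Return the host a script src loads from, or '' for same-site paths."""
    full = src if "://" in src else "https:" + src  # handles //host/x.js
    return (urlparse(full).hostname or "").lower()


def scan_site(root: str, modified_after: float) -> dict:
    """Walk a WordPress root and collect indicators of an injected site."""
    findings = {"recent_files": [], "obfuscated_php": [], "offsite_scripts": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.path.getmtime(path) > modified_after:
                findings["recent_files"].append(rel)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            if name.endswith(".php") and any(p.search(text) for p in SUSPICIOUS_PHP):
                findings["obfuscated_php"].append(rel)
            for src in SCRIPT_SRC.findall(text):
                host = _script_host(src)
                if host and host not in SCRIPT_HOST_ALLOWLIST:
                    findings["offsite_scripts"].append((rel, host))
    for key in findings:
        findings[key].sort()
    return findings


def build_demo_site():
    """Constructed sample tree: two old legitimate files, two recently planted ones."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    old = time.time() - 90 * 86400
    cutoff = time.time() - 7 * 86400
    files = {
        "wp-includes/functions.php": "<?php function wp_ok() { return true; }",
        "wp-content/themes/site/header.php":
            '<script src="/wp-includes/js/jquery.js"></script>',
        "wp-content/themes/site/footer.php":
            '<?php echo "ok"; ?><script src="//cdn.evil.example/t.js"></script>',
        "wp-content/uploads/.cache.php": '<?php eval(base64_decode("Li4u"));',
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        if rel.endswith(("functions.php", "header.php")):
            os.utime(path, (old, old))  # legitimate files predate the incident
    return root, cutoff


if __name__ == "__main__":
    for link in ("https://managewp.com/login", "https://managewp.com.evil.example/login"):
        print(link, "genuine" if is_genuine_managewp(link) else "NOT managewp.com")
    demo_root, demo_cutoff = build_demo_site()
    for key, items in scan_site(demo_root, demo_cutoff).items():
        print(key, items)
```

Run it against a real install with `scan_site("/var/www/html", cutoff_epoch)`, using the timestamp of the last deployment you trust as the cutoff, and review every hit by hand: a recently modified file is only suspicious if nobody on your team changed it.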
