If you use GoDaddy’s ManageWP tool to manage multiple WordPress websites, there’s a phishing scam you need to know about. Hackers are buying fake Google Ads that look like the real ManageWP login page. When you click them, you’re redirected to a fake site that looks almost identical to the legitimate one and steals your password and two-factor authentication codes.
What is ManageWP and who should worry?
ManageWP is GoDaddy’s cloud dashboard that lets freelancers, web agencies, and small businesses manage many WordPress websites from one place. If you run a web design agency, manage client websites, or handle multiple online stores, you likely use it. Data on WordPress.org shows more than a million active websites use the ManageWP plugin.
Ghanaian freelancers and small-business owners who build or manage websites for clients are prime targets because they often use ManageWP or similar tools.
How the scam works
Security researchers at Guardio Labs discovered that attackers bought sponsored ads on Google. When someone searches for “ManageWP,” the fake ad appears at the top of results, looking legitimate. If you don’t spot the scam by checking the URL you’re being redirected to, you’re shown a site that looks almost identical to the legitimate one.
If you enter your username and password, the scammers capture them. If you use two-factor authentication (the extra code sent to your phone), they steal that too and send everything to a Telegram account they control.
As of the research date, at least 200 victims had been confirmed.
Red flags to spot
Check the URL before logging in. If the address looks slightly off or you don’t recognize it, don’t enter your credentials. Attackers use various tricks to create URLs that look legitimate at first glance.
Google is supposed to screen ads for phishing, but scammers sometimes slip through. Trust your instincts: if something feels off, close it and go directly to the official website by typing the address yourself.
What to do if you’re affected
If you think you entered your ManageWP password on a fake site, change it immediately. Log in to your real ManageWP account and update your password. If two-factor authentication is available, turn it on. Check all connected services to see if anything was changed without your permission.
Also, watch your email and bank account for suspicious activity. If you manage client websites, warn them too.
Protect yourself
Always go directly to websites by typing the address yourself instead of clicking search results. Enable two-factor authentication wherever possible. Use a password manager so you don’t reuse weak passwords. Be extra cautious when logging into financial or admin tools.
What to do now: If you use ManageWP, change your password today. Check your security settings. If you see the fake ad, report it to Google. And if you run a web business in Ghana, share this warning with your clients and colleagues who might be at risk.



