SPAM Hack Targets WordPress Core Install Directories

Do you run your website on WordPress? Have you checked the integrity of your core install lately for SPAM like “Google Pharmacy” stores or other fake stores?

We have been tracking and analyzing a growing trend in SEO Spam (a.k.a., Search Engine Poisoning (SEP)) attacks in which thousands of compromised WordPress websites are being used to hide fake stores and spam doorways. In every case, the attacker is leveraging one of the core install directories – wp-includes.



By default, every WordPress installation comes with 3 main directories: /wp-content, /wp-admin and /wp-includes. Generally, /wp-includes is reserved for generic code and is the heart of WordPress where all major core files are stored. It’s a folder that doesn’t need to be remotely accessed and should not contain any externally accessible or executable HTML or PHP files.

Unfortunately, that is not what we’re seeing. Thousands of WordPress sites seem to have been hacked, and in each case SPAM has been injected into their core directory wp-includes. We have found it’s not specific to Pharmaceuticals either, it includes things like “Payday spam” and “cheap bags”, “cheap watches” and many other forms of SPAM content.

This type of spam injection has 3 main characteristics:

  1. The SPAM pages are hidden inside a random directory inside wp-includes (eg: /wp-includes/finance/paydayloan or /wp-includes/werty/)
  2. The spam is conditional and often based on the referrer
  3. We’ve noticed that, in almost every instance, the websites are running outdated WordPress installs or cPanel – this is obviously conjecture

Here is a small list of 100 WordPress hacked websites with SPAM injected in their wp-includes directories. All of them are publicly accessible by doing some Google searches:–5621.html

This is a very small sample. A quick search on Google using inurl:/wp-includes viagra levitra cialis reveals more than 13,000 pages. As you rotate out the SPAM keywords that number increases dramatically. You quickly start painting a pretty dire picture as you run more scans:

WordPress Wp-includes SPAM

If you find yourself with similar symptoms, we recommend replacing your core install or seeking professional help.

If you are a Do it Yourself’er (DIY’er) then be sure to manually replace the core installs. Don’t just select update in your administrator panel because doing so won’t remove the file and while it may address the issue on the surface, it won’t be getting to the bottom of the issue.

Conditional Redirections

The term Conditional should not be new to most of our readers, but if you’re new we recommend diving into our older posts to better understand how it works. A good place to start is our most recent post on redirects that were occurring only on mobile devices and targeting Porn websites.

If you click on any of these URL’s, you will see doorways for different types of spam. Some are just like the Google Pharmacy screenshot and some with real complex fake stores. However, if you are coming from a Google search, referrer =, they will redirect you to the final SPAM destination.

And what is the final spam destination? These are the ones we have been able to isolate to date:

We don’t know if they are really malicious or being used by affiliate spam, but they appear to be the final destination for all these spam pages.

How are these WordPress sites getting hacked?

While we don’t have definitive proof as we do not have control of these environments, each instance we have analyzed always show one common denominator – out of date software. We cannot stress the importance of patching your software via upgrades and if you can’t, be sure to leverage tools that allow you to operate safely on the web with your out of date software. The last thing any website owner wants is to find out later that their brand and system resources have been used for nefarious acts.

Read more: SPAM Hack Targets WordPress Core Install Directories

Incoming search terms

Story added 24. June 2014, content source with full text you can find at link above.