Hacked WordPress websites being used for spam

www.ads-software.com does not providing hosting for sites. Nor does it intervene directly in such cases unless the site owner asks for help here. You could use https://www.whoishostingthis.com to determine where these sites are hosted and contact the site owners or their hosts yourself

In some instances there is a “Contact Us” feature or an email contact, but this is a tedious procedure and I was hoping for something easier.

Here are some recent examples of hacked sites:

https://arigraphix.com/alumnigrayson/
https://blog.ikipiro.com/concoctinconsolable/
https://buyaffordablejewelry.com/hereuntodolan

and the pattern in the others is similar – a bogus directory added, named using a couple of random words.

I appreciate that WordPress has a huge number of users and individual communication is not likely to be practicable, but presumably there is some mode of communication with users in general (notification of upgrades, for example), and a “how to detect hacking” guide could be put in.

Businesses may not suffer directly from hosting spammers, but the breach of security must be a concern.

presumably there is some mode of communication with users in general

Not as such, no. WordPress is software provided freely by www.ads-software.com. www.ads-software.com has no direct connection with any site running this software.

the breach of security must be a concern.

There are many reasons why a site may have been hacked but there are no known security issues in the current version of WordPress

There are many reasons why a site may have been hacked but there are no known security issues in the current version of WordPress

Agreed, and the link is very helpful. My point was, though, that a naive site manager might not think there was much harm in a folder on his site being used to promote ineffective and potential dangerous products, but that the fact that administrator passwords were known to the hackers might suddenly make him less relaxed!

Does the WordPress application prompt site administrators when a new version is released? Could some form of hack detection be advised at that stage?

the fact that administrator passwords were known to the hackers

What admin passwords? All the author urls show is the username.

Does the WordPress application prompt site administrators when a new version is released?

Yes. They have an upgrade notice in their site’s admin area.

Could some form of hack detection be advised at that stage?

No – because every hack is different.

What admin passwords? All the author urls show is the username.

I’m presuming that the creation and population of a new directory in a website requires admin privileges.

No – because every hack is different.

I have encountered several hundred like the examples I gave above. An unfamiliar directory should raise the alarm. A general warning to the site admin about hacking when a new version of WordPress is downloaded, and advice about checking for unfamiliar files in the website’s structure would help.

I should probably just shut up now, and just let my spam filter throw these emails in the bin – it annoys me, though…

I’m presuming that the creation and population of a new directory in a website requires admin privileges.

Yes but these are completely unrelated to the login details for the site itself.

Yes but these are completely unrelated to the login details for the site itself.

I’m not sure what you’re saying here. The admin credentials I’m talking about (which allow the creation of new directories, etc) will give whoever has them read-write capability over every file in the site.

The admin credentials I’m talking about (which allow the creation of new directories, etc) will give whoever has them read-write capability over every file in the site.

No – they won’t. You cannot create new folders or edit any core files from within WordPress.

So the fact that the majority of the sites which have been hacked in this way use WordPress is coincidental, and perhaps merely reflects the large number of WordPress users?

Correct. WordPress is apparently generating something like 13 – 18% of all web sites (exact figures dependant upon which source you read). Throw in the facts that some users refuse to upgrade WordPress, continue to run old, unsafe, versions and/or download plugins & themes from unsafe sources and it’s not surprising that dozens of WP sites get hacked every day.

The same could be said of other open source systems such as Drupal or Joomla – neither of which (like WordPress) is inherently insecure if you keep things up-to-date and only download from trusted sources.

OK – I’ll get back to emptying my spam bucket.