Spam Hack Targets WordPress Core Install Directories

Do you run your website on WordPress? Have you checked the integrity of your core install lately for SPAM like “Google Pharmacy” stores or other fake stores?

We have been tracking and analyzing a growing trend in SEO spam, or Search Engine Poisoning (SEP) attacks in which thousands of compromised WordPress websites are being used to hide fake stores and spam doorways. In every case, the attacker is leveraging one of the core install directories – wp-includes.


Abusing /wp-includes/ With Spam

By default, every WordPress installation comes with 3 main directories: /wp-content, /wp-admin and /wp-includes. Generally, /wp-includes is reserved for generic code and is the heart of WordPress where all major core files are stored. It’s a folder that doesn’t need to be remotely accessed and should not contain any externally accessible or executable HTML or PHP files.

Unfortunately, that is not what we’re seeing. Thousands of WordPress sites seem to have been hacked, and in each case spam has been injected into their core directory wp-includes. We have found it’s not specific to pharmaceuticals either, it includes things like “Payday spam” and “cheap bags”, “cheap watches” and many other forms of spam content.

This type of spam injection has 3 main characteristics:

  1. The spam pages are hidden inside a random directory inside wp-includes (eg: /wp-includes/finance/paydayloan or /wp-includes/werty/).
  2. The spam is conditional and often based on the referrer.
  3. We’ve noticed that, in almost every instance, the websites are running outdated WordPress installs or cPanel – this is obviously conjecture.

Here is a small list of 100 hacked WordPress websites with spam injected in their /wp-includes directories. All of them are publicly accessible by doing some Google searches:–5621.html

This is a very small sample. A quick search on Google using inurl:/wp-includes viagra levitra cialis reveals more than 13,000 pages. As you rotate out the spam keywords that number increases dramatically. You quickly start painting a pretty dire picture as you run more scans:

WordPress Wp-includes SPAM

If you find yourself with similar symptoms, we recommend replacing your core install or seeking professional help.

If you prefer a Do it Yourself (DIY) method, then be sure to manually replace the core installs. Don’t just select “update” in your administrator panel because doing so won’t remove the file and while it may address the issue on the surface, it won’t be getting to the bottom of the issue.

Conditional Redirects

The term conditional should not be new to most of our readers, but if you’re new we recommend diving into our older posts to better understand how it works. A good place to start is our most recent post on redirects that were occurring only on mobile devices and targeting porn websites.

If you click on any of these URLs, you will see doorways for different types of spam. Some are just like the Google Pharmacy screenshot and some with really complex fake stores. However, if you are coming from a Google search, referrer =, they will redirect you to the final spam destination.

And what is the final spam destination? These are the ones we have been able to isolate to date:

We don’t know if they are really malicious or being used by affiliate spammers, but they appear to be the final destination for all these spam pages.

How Are These WordPress Sites Getting Hacked?

While we don’t have definitive proof, as we do not have control of these environments, each instance we have analyzed always shows one common denominator – out of date software. We cannot stress the importance of patching your software via upgrades and if you can’t, be sure to leverage tools that allow you to operate safely on the web with your out of date software. The last thing any website owner wants is to find out later that their brand and system resources have been used for nefarious acts.

  1. I normally use the following .htaccess code to prevent wp-includes access, although obviously if the hacker has access to FTP thats not likely to help is it ? Could you tell me if this helps or whether ive been using it for no apparent reason lol

    # Block the include-only files.

    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ – [F,L]
    RewriteRule !^wp-includes/ – [S=3]
    RewriteRule ^wp-includes/[^/]+.php$ – [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+.php – [F,L]
    RewriteRule ^wp-includes/theme-compat/ – [F,L]

    # END Block the include-only files.

    IndexIgnore *

    1. For preventing access to parts of WordPress that should never be called directly (oooh, those evil hackers!) I use this in .htaccess (in the WordPress root folder) :

      SetEnvIf Request_URI (?i)^/(wp-includes|wp-content|uploads|wp-admin/includes)/(.*).php$ badRequestString=$0–$1
      SetEnvIf Request_URI (?i)^/wp-includes/ms-files.php$ !badRequestString
      Deny from env=badRequestString

      Using environment variables allows writing exceptions to rules. In this case, allow ms-files.php to be called.

      (I don’t use the test for mod_rewrite. If your host doesn’t have mod_rewrite, Change Hosts! SiteGround, WPEngine, others that have strong emphasis on security.)

  2. Hi. I get the same problem. Sorry i know english badly.

    i understand, that solution need to find in file .htacess rules right?

    i tried change file rules in WP themes from 755 to 444, this help (different spam links don’t appear in site’s footer).

    But i don’t know how to defence wp-includes directory. I’ll be please that you show me solution.

    Thank you!

  3. And counting … with the viagra google dork: “About 36,400 results (0.58 seconds) ” … ehm … sad but lol

  4. Google index checker analyses on how easily and quickly google is able to crawl or index on a website. This tool is also useful in checking the google index stats of multiple websites at a time. It can access about ten URL’s at once

Comments are closed.

You May Also Like