Hacked WordPress websites being used for spam

In some instances there is a “Contact Us” feature or an email contact, but this is a tedious procedure and I was hoping for something easier.

Here are some recent examples of hacked sites:

http://arigraphix.com/alumnigrayson/
http://blog.ikipiro.com/concoctinconsolable/
http://buyaffordablejewelry.com/hereuntodolan

and the pattern in the others is similar – a bogus directory added, named using a couple of random words.

I appreciate that WordPress has a huge number of users and individual communication is not likely to be practicable, but presumably there is some mode of communication with users in general (notification of upgrades, for example), and a “how to detect hacking” guide could be put in.

Businesses may not suffer directly from hosting spammers, but the breach of security must be a concern.

There are many reasons why a site may have been hacked but there are no known security issues in the current version of WordPress

Agreed, and the link is very helpful. My point was, though, that a naive site manager might not think there was much harm in a folder on his site being used to promote ineffective and potential dangerous products, but that the fact that administrator passwords were known to the hackers might suddenly make him less relaxed!

Does the WordPress application prompt site administrators when a new version is released? Could some form of hack detection be advised at that stage?

What admin passwords? All the author urls show is the username.

I’m presuming that the creation and population of a new directory in a website requires admin privileges.

No – because every hack is different.

I have encountered several hundred like the examples I gave above. An unfamiliar directory should raise the alarm. A general warning to the site admin about hacking when a new version of WordPress is downloaded, and advice about checking for unfamiliar files in the website’s structure would help.

I should probably just shut up now, and just let my spam filter throw these emails in the bin – it annoys me, though…

Yes but these are completely unrelated to the login details for the site itself.

I’m not sure what you’re saying here. The admin credentials I’m talking about (which allow the creation of new directories, etc) will give whoever has them read-write capability over every file in the site.

So the fact that the majority of the sites which have been hacked in this way use WordPress is coincidental, and perhaps merely reflects the large number of WordPress users?

OK – I’ll get back to emptying my spam bucket.