Post by spicyspirit » Wed May 06, 2015 4:23 am

My Opencart 1.5.6 website has recently been attacked and there are many "wp-" folders showing in the root of the FTP.

See screenshot attached.

I've been manually removing newly added spam folders every day.

Upgrading the site is not possible right now. I wonder if there is any way to stop these folders from coming in?

Thank you.

Attachments

wpfolders.jpg


Post by marvmen21 » Wed May 06, 2015 5:35 am

That looks like WordPress files. Change your hosting account passwords, change all your FTP passwords. Contact your host, they can help you track the hacker's IP and block it.

Regards,

Marvin M


Post by artcore » Wed May 06, 2015 2:22 pm

You have some custom pages outside the OC framework including a contact form. These should be carefully tested for security holes. It's unclear if you have a WP installation in that /blog folder. WP (or plugins) is quite vulnerable as new exploits are discovered every time (query_args function recently). Update all the plugins and core!
Your server is not protected against POODLE, SSL2.0 and more. Tell your host to do his homework.
Quick test, you should examine the logs against the creation time of those folders to see if there's a clue as to how they did it.
Changing passwords is a good idea but will not help if your scripts are unsafe.

Attn: I no longer provide OpenCart extensions, nor future support - this includes forum posts.
Reason: OpenCart version 3+ ;D

Thanks!
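One way to do the log check suggested in the post above, as an added example that is not part of the original thread: it lists the successful POST requests logged shortly before a folder's timestamp. It assumes the Apache/nginx "combined" access-log format; the log lines, the `/custom/contact.php` path and the folder time are constructed sample values.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log line: client IP, timestamp, request, status.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_log(lines):
    """Yield (time, ip, method, path, status) for each parseable line."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the review
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield ts, m["ip"], m["method"], m["path"], int(m["status"])

def requests_before(created, log_lines, window_s=120):
    """Successful POSTs in the window_s seconds up to a folder's timestamp."""
    start = created - timedelta(seconds=window_s)
    return [e for e in parse_log(log_lines)
            if start <= e[0] <= created and e[2] == "POST" and e[4] < 400]

# Constructed sample data (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [05/May/2015:03:10:02 +0000] "GET /index.php?route=common/home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [05/May/2015:03:14:40 +0000] "POST /custom/contact.php HTTP/1.1" 200 312 "-" "-"',
    '203.0.113.45 - - [05/May/2015:03:14:58 +0000] "GET /wp-example/ HTTP/1.1" 200 88 "-" "-"',
    '198.51.100.9 - - [05/May/2015:09:00:00 +0000] "POST /index.php?route=checkout/cart/add HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    'not an access-log line',
]
# Constructed folder timestamp. On the server, read it per "wp-" folder with
# os.stat(path).st_mtime; note mtime moves when files are added to the folder.
FOLDER_TIME = datetime(2015, 5, 5, 3, 14, 41, tzinfo=timezone.utc)

if __name__ == "__main__":
    for ts, ip, method, path, status in requests_before(FOLDER_TIME, SAMPLE_LOG):
        print(ts.isoformat(), ip, method, path, status)
```

If no request lines up with a folder's timestamp, the write probably did not come through the web server, so compare the same timestamps against the FTP and control-panel logs.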



Post by Dhaupin » Thu May 07, 2015 4:25 am

Hmm, it looks like wp-frle and wp-coment (misspelled) have been in there since March.

If you are sure it's not because of a vulnerability, or a weak password, then the next step is to tell your host to install a cage/jail/isolation for the multi-tenant servers. This prevents cross-account file drops and loads of other things from happening if some other customer's install becomes exploited. Many hosts are just amateur resellers with a VPS, they don't really understand what they are doing when it comes to operating a solid server, and they don't run security audits or check customers' files for malware.

https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.



Post by spicyspirit » Fri May 08, 2015 2:00 am

Thank you all for your kind suggestions. Password change didn't work. I'm contacting my host now to see what they can do. Thanks again!
