As of February 9, 2017, over 1 million pages have recently shown up in Google search results with messages such as “Hacked By MuhmadEmad” or “hacked by NG689Skw”.

Website owners will be happy to learn that the websites are more or less defaced and the fix is fairly easy and actionable advice is in this article.

How many WordPress posts have been defaced?

The “hackers” (and I hesitate to use that term) have defaced over 1,000,000 WordPress webpages. Actually, what has been defaced are “posts” and not “pages”.

As of February 9, 2017, some exact numbers are below, at least according to Google Search Results.

Please note, this is the number of pages in Google search results. The actual number of domains/websites hacked may be much lower.

Here is a chart with the top 10 defacement messages:

Top 10 WordPress “Hacked By” messages in February 2017.

Here are 17 of the most common defacement messages:

  • Hacked By MuhmadEmad – 444,000
  • By SA3D HaCk3D – 259,000
  • hacked by NG689Skw – 245,000
  • hacked by BALA SNIPER – 139,000
  • Hacked By TheWayEnd – 119,000
  • Hacked By GeNErAL – 87,000
  • HaCkEd By RxR HaCkEr – 65,600
  • Hacked by White HAt Hacker – 62,100
  • Hacked By HolaKo – 51,400
  • Hacked By XwoLfTn – 47,300
  • HaCkeD By Dr.Silnt HilL – 43,300
  • hacked By Fallag Gassrini – 25,900
  • Hacked By W4l3xzy3 – 17,500
  • Hacked By D.R.S Dz Team – 12,700
  • hacked by 3needan – 6,190
  • Hacked By Mr Secret – 4,220
  • Hacked By An0n 3xPloiTeR – 3,010

The “hacked by” text varies depending on which attacker hacked your site.

Is my WordPress website ruined?

Lucky for you, the hack simply targets websites which have no been upgraded to WordPress Version 4.7.2, and the attackers simply edit WordPress posts and change titles, at least in most cases. However, left unrepaired, black hat SEO practitioners could insert code, text, and/or links in to your posts.

Some hacks completely mess up the WordPress database, deliver malware to website visitors, or are used as bots in larger scale attacks. In this case, the solution is fairly simple.

How to fix and repair your WordPress website

The steps to repair this are relatively simple, and there are only two simple steps:

  1. Log in to your site and upgrade to WordPress Version 4.7.2.
  2. Go to your latest blog posts or articles and revert them to the last revision date, and save them.

How to get your posts re-index quickly by Google

In Google search results, your pages will continue to show up as “Hacked By MuhmadEmad” until Google has discovered the new page title. It can take Google days, weeks, or months to re-crawl and re-index those pages and make the changes in Google Search Results. In the mean time, Google could think your website is still hacked. If that happens, you may receive a message from Google about Hacked Content Detected or This Website May Be Hacked.

To quickly get your pages re-indexed follow my instructions here: Have Google Crawl Your Page Right Now.

How did this happen?

Most WordPress hacks are due to outdated versions of WordPress or newly discovered vulnerabilities in outdated plugins.

In this particular case, WordPress 4.7 and 4.7.1 had a major vulnerability.

WordPress knew about it and issued 4.7.2 on January 26, 2017, and began pushing the update out to websites with automatic upgrades enabled.

They then made the vulnerability public on February 1, 2017. While this transparency is a good thing, hackers began exploiting the hole immediately.

Prevent future hacks

I personally have suffered from a site hack many years ago which impacted one of my sites with over 700 articles. I learned my lesson and I now use WordPress hosts which offer a backup solution. Additionally, I protect my WordPress sites with a handful of select tools and always keep them updated. I will make a list of these plugins and add them to this article shortly.

An opportunity for WordPress Website Owners

If you are an active blogger, please email me here. I have been working on creating a small community of bloggers who may be able to promote eachother. You will have to email me for complete details.

(No, I am not selling you anything, unless you are a business that needs help with your WordPress site after being neglected by your current designer or SEO team.)

Please comment below

Did you find this guide helpful? Was your site impacted? Has this happened to you before? Were you able to fix your website yourself?

Len
25 Comments
  1. Thanks Len, this was precisely what I needed. I had the “Hacked By MuhmadEmad” message on my company website!

  2. I had the latest WordPress upgrade and was still hacked…

    • WordPress can be hack for a very wide variety of reasons. The “Hacked By MuhmadEmad” style hacks should only affect users of 4.7 & 4.7.1. What kind of problem did you experience?

    • Same here! Got same hack on 4.7.2 yesterday.

  3. Have a site that was hacked yesterday in exact same way as MuhmadEmad but the site has 4.7.2. So I think WP is still vulnerable. I can’t find anything on Google more than just update to 4.7.2… The hack left message from “Hacked By Dr.SiLnT HilL”

    • As mentioned above – WordPress disclosed the issue here. The issue was in the REST API, and should be fixed in 4.7.2. They attacker simply modifies “posts”. I am guessing if the messages are on your blog, they were inserted before the 4.7.2 upgrade was complete. The attacks began around Feb 1 2017, so if you upgraded after that you were likely hit before you upgraded. If you still believe your 4.7.2 was hacked please contact me as I would love to take a look at your website.

      Hope this helps.

      Thanks,
      Len

  4. Do you know of an easy way to search sites for this? I have 180+ sites that I manage, most of which are WordPress, and it would be nice to do a methodical search for defaced posts.

    • Hmm… You could use “Hacked By” (in quotes) to search the sites, but I’m not sure if or how you could do a site search for multiple sites.
      eg: search Google for:
      site:http://www.telapost.com/ “hacked by”

      • Thanks, thats what we have a guy doing now, we’re hoping to find something more automated. I appreciate you answering though.

  5. Hey,
    I have a question, if I create a second WordPress database user and take off all database rights of that user, leaving only one SELECT – whether my service will then be protected against any SQL Inject attack?
    Of course, I realize that in this case the service will only display information and no new modification can be implemented until the database user get back the required rights. However, if service has been designed from the ground for display and does not have any active blog, or RSS, is this type of protection can be both efficient and reasonably comfortable?
    Thank you for your analysis and help
    Peter.

    • Hi Peter,

      Probably…? lol I think that would be an interesting approach. I recently ran into a legal mareting company and ALL of their law firm websites are running some old and outdated version of WordPress. The sites can’t be modified and plugins can’t be installed or changed- it is “frozen”. I think they have the sites “jailed” using some sort of program on their cPanel but I honestly have no idea and it is also a lot more effort than most people want to put into it.

      But… Good idea and I “think” it would work.. For some attacks anyways.. I need to prep a list of the hardening plugins but they include WordFence and iThemes Security..

  6. Hi,

    my website was also hacked, but the wordpress version was 4.6, so this is not only 4.7.1

  7. Thank you so much Len, very helpful.

    Mine is hacked by BALA SNIPER. I have a question and will email you with a screenshot, if I won’t bother you.
    Manou

  8. My Site was hacked also by “HaCkEd By RxR HaCkEr”

    I tried the fix that was suggested here and it doesn’t work

    It seems like the page gets redirected to the new content on the page.

    When I go to the wordpress posts to make the modifications there is nothing there to modify and any copy i add does not get reflected.

    Has anyone seems something like this before?
    Any other suggestions?

    Thanks
    Domenic

    • Hi Domenic, Please feel free to email me your URL and a link to the affected page.

      Thanks,
      Len

  9. Over the years I have cleaned many sites clients for them after they had been compromised. There are many reasons for sites being hacked and sometimes it can be a real pain with Malware and so on that keeps reappearing.

    By far one of the most effective ways to ensure hacked / infected sites are clean is by using WordFence to do the job! These guys really know what they are doing and the price they change is a steal in my mind.

    https://www.wordfence.com/wordfence-site-cleanings/

    Hope this helps anyone reading the comments who may be going through such a nightmare!

    Cheers

    – Here is a post in the WordPress Codex for Hardening WordPress too! https://codex.wordpress.org/Hardening_WordPress

    • Thanks Jon! I love WordFence and had no idea they cleaned sites. I will test them out in the future, although I hope it isn’t any time soon. 🙂

  10. Out company website also had this problem and it is completely in ruins 🙁 Luckily, your article worked regarding the ‘Go to your latest blog posts or articles and revert them to the last revision date, and save them. I just have some major work to do now… However, all of our main pages is now posts, so I cannot add them as ‘parent’ and our bradcrumbs are a complte mess… How can I fix this?

    I would love to e-mail with you instead – feel free you to reply back tome back via e-mail – I hope you do!

  11. Dear Len,
    we have same issues but the hacker is ng689skw and we don’t have REST-API installed in our system.
    What do you suggest us to do? have we delete most recent posts in our database? we tried to clean all .php files created by ng689skw but nothing changed.

    We did backup right now (database and web pages), we don’t want to re-install all WP again.

    Best regards
    Valerio

    • REST-API is a little above my head and I leave that to my designers, but it is indeed part of WordPress. So… you do have it! 🙂 But, I will shoot you an email – there are a few hacker removal services which I can recommend to you..

  12. Thank you so much for your article. It is April 2018 and a client of ours gave us the job of getting their site back up. It currently has the HaCkeD by MuhmadEmad on it. I will do what you outlined. A quick question: How can I test that there hasn’t been a black hat script or link inserted in already? Thank you for any help!

    Esteban

    • Please feel free to email me the URL, but they probably just inserted this into some posts and that’s it. 🙂

Leave a Reply