• Resolved vietnamesecinemablog

    (@vietnamesecinemablog)


    Hello,

    Bluehost claims that my website is infected with malware etc. So they deactivated my account. I am able to log into Bluehost’s cPanel but I can’t log into WordPress admin. I called them and they showed me a Malware.txt file which lists hundreds of files that might have been infected. If their claim is true, my options are pretty much as follows:

    1) Do the manual cleanup myself. I know nothing about coding, so I don’t know if I should delete every file in the Malware.txt document or go through each one and locate the malicious code and remove it. I don’t even know what to look for in those hundreds of files.

    2) Pay Bluehost $200 for Site Doctor. I read some articles from a couple of other bloggers who had the same issue and they paid $50 for Site Doctor. Am I missing something here?
    Here are the links to the bloggers’ claims:
    https://www.smartactiveblogger.com/false-malware-alert-deactivated-bluehost-account
    https://easywebdesigntutorials.com/what-i-did-when-my-site-was-hacked

    3) As recommended by Sucuri, I downloaded Sucuri’s script called WordPress-Fix.txt and uploaded it to my FTP folder as a PHP file. However, I am unable to run it since my account has been deactivated. I called Bluehost and they said they can’t run it.
    https://blog.sucuri.net/2010/05/simple-cleanup-solution-for-the-latest-wordpress-hack.html

    4) Do you know of a cheaper 3rd-party security service to purchase in order to clean up my site?

    I just need to re-activate my site in order to install security measures to prevent this from happening again.

    Appreciate any help!

Viewing 15 replies - 1 through 15 (of 15 total)
  • I would download copies of these four things:
    phpMyAdmin SQL export of the database tables
    /wp-content/ folder and all of its contents
    wp-config.php
    .htaccess

    At that point, I would have BlueHost reset or “nuke” the account, then get a fresh installation of WordPress working, secure it well and put up some kind of maintenance or “Returning soon” notice while going through /wp-content/ locally to prepare it for re-upload. Then when that is ready, I would upload the database as a separate database to see what I have. None of that is nearly as difficult as it might sound, the monetary expense is zero and it is a lot less work than trying to clean the site to BlueHost’s satisfaction. I have BlueHost also, and we can walk through all of that right here if you might be interested.

    Thread Starter vietnamesecinemablog

    (@vietnamesecinemablog)

    Hi leejosepho,

    Thank you for your help. I will do what you suggested.

    1) After I have downloaded my /wp-content/ folder and all its content, do you know of a good free software that can scan the files for infected code and remove them?

    This is really a pain for those who have been infected by malware in their WP account.

    I think you need to have a server that blocks IP addresses. We’ve been in the market for quite a long time but we appreciate that we were not attacked by some of this.

    After I have downloaded my /wp-content/ folder and all its content, do you know of a good free software that can scan the files for infected code and remove them?

    No, but I doubt you will need one…and do not be distracted by that “Malware.txt file which lists hundreds of files [that] might have been infected.” Just delete everything you do not actually need or want, and here is how I would do that:

    Make a copy of the entire /wp-content/ folder as a backup and set it aside somewhere;
    make a list of the names of all plugins if you might need that for later remembering them;
    delete the entire content of the /plugins/ folder…and then do the same with /themes/ other than keeping a copy of any Child Theme you might have been using;
    delete from /wp-content/ anything else other than what you have retained in /themes/ and /uploads/.

    As to the /uploads/ folder, I would delete anything other than the files you know should be there — keep all sizes of all images — and then add this to /uploads/ as .htaccess:

    # BEGIN Wordfence code execution protection
    <IfModule mod_php5.c>
    php_flag engine 0
    </IfModule>
    
    AddHandler cgi-script .php .phtml .php3 .pl .py .jsp .asp .htm .shtml .sh .cgi
    Options -ExecCGI
    # END Wordfence code execution protection

    note: Do not change any file-path structure or nomenclature inside /wp-content/ since your database needs for that to remain exactly as it was.

    I think you need to have a server that blocks IP addresses.

    IP blocks are not typically very effective since the ‘bots just quickly change IPs and come right back. NinjaFirewall does a good job out in front of WordPress, BulletProof Security is great for securing the gate and service doors, then WordFence Security does an excellent job on the inside while also using some dynamic control of IP access for throttling and blocking without loading the server with any kind of massive htaccess file.
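
The /uploads/ review described in the reply above, sketched as an added example that is not part of the thread. It assumes the folder has been downloaded to a local copy; the extension allowlist, the function names and the sample tree are illustrative assumptions.

```python
import os
import tempfile

# Assumed allowlist of media types; extend it to match what the site really uploads.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".pdf", ".mp3", ".mp4"}
PHP_MARKER = b"<?php"

def audit_uploads(root):
    """Return (unexpected, php_in_media, has_htaccess) for a local uploads copy."""
    unexpected, php_in_media = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if rel == ".htaccess":
                continue  # the protection file placed at the top of /uploads/
            ext = os.path.splitext(name)[1].lower()
            if ext not in ALLOWED_EXT:
                unexpected.append(rel)  # scripts, nested .htaccess files, anything unknown
                continue
            with open(path, "rb") as fh:
                head = fh.read(1024 * 1024)
            if PHP_MARKER in head:
                php_in_media.append(rel)  # media extension, but the content carries PHP
    has_htaccess = os.path.isfile(os.path.join(root, ".htaccess"))
    return sorted(unexpected), sorted(php_in_media), has_htaccess

def build_sample(root):
    """Constructed sample tree standing in for a downloaded /uploads/ folder."""
    files = {
        "2016/03/poster.jpg": b"\xff\xd8\xff\xe0 constructed image bytes",
        "2016/03/poster-150x150.jpg": b"\xff\xd8\xff\xe0 constructed thumbnail",
        "2016/03/cache.php": b"<?php /* constructed placeholder */ ?>",
        "2016/04/banner.png": b"\x89PNG constructed <?php /* placeholder */ ?>",
        "2016/04/.htaccess": b"# constructed nested file\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit_uploads(tmp))
```

Anything in the first two lists is a candidate for deletion before re-upload, and a False in the third position means the .htaccess block from the reply has not yet been added at the top of the folder.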

    Thread Starter vietnamesecinemablog

    (@vietnamesecinemablog)

    Hi leejosepho,

    Will I be able to restore my blog to what it was, or will it just wipe out everything and start from scratch?

    I’m assuming that after I delete/clean up the site, I can re-connect my database and that will restore its content.

    Is this correct?

    thank you

    I’m assuming that after I delete/clean up the site, I can re-connect my database and that will restore its content.

    Is this correct?

    Yes. Your actual site is contained within the combination of its database and its /wp-content/ folder, and then wp-config.php is the “connector” that facilitates communication between the two…and with all remaining wp-folders and wp-files being obtainable from a fresh download of WordPress. So as long as you have a copy of the database, /wp-content/ and wp-config.php, you have what you need to again get your site going “just as it was” but likely/hopefully with much less cleanup to do than at present.

    Thread Starter vietnamesecinemablog

    (@vietnamesecinemablog)

    Hi,

    I can’t find the htaccess file. Do you know where it is?

    thanks for your help again.

    Your public “root” folder at BlueHost is named /public_html/, and you should be able to find that at cPanel > File Manager.

    Thread Starter vietnamesecinemablog

    (@vietnamesecinemablog)

    Hi, I figured it out. It’s hidden, so I had to enable showing hidden files. I had to reset all interface settings in cPanel for this option to be available.

    1) There are a lot of htaccess files.
    Do I backup all of them or just the one in public html directory?

    2) After Bluehost resets the account, do I have to do anything to make sure the domain name is parked?

    3) My hosting is shared. There is another WordPress site on the server. It’s located in a sub-directory of the main site. Do I back it up the same way as the main one?

    thanks

    1) There are a lot of htaccess files.
    Do I backup all of them or just the one in public html directory?

    The one in public_html is the only one you need, and you need it mostly because it likely has the BlueHost AddHandler line. You could also save a copy of php.ini if I have not already mentioned that, but the BlueHost Support Techs can later put one there for you if you might actually need it for customization.

    2) After Bluehost resets the account, do I have to do anything to make sure the domain name is parked?

    I am assuming cPanel will do that automatically during the reset, and then it might or might not automatically re-assign your Primary Domain to public_html after that reset. So if not, you will need to do that. But for the reset, you do not have to be concerned about that.

    3) My hosting is shared. There is another WordPress site on the server. It’s located in a sub-directory of the main site. Do I back it up the same way as the main one?

    “Shared hosting” means you have neighbors on the same server, and yes, you will need to do the same with that sub-site if you intend to restore it later. And in its own case, the main htaccess file it needs will be in its own “root” (the sub-folder) just like your Primary domain has in public_html.

    Thanks! I have the same issue and will work my way through the process. I’ve been hacked three times in the past three months so something continues providing an opening for someone???

    Thread Starter vietnamesecinemablog

    (@vietnamesecinemablog)

    Hi, I have just finished with
    a) Deleting the unnecessary files or those that might have been infected
    b) Adding the code in .htaccess files to the uploads folders

    How do you suggest going about uploading the site back to Bluehost?

    1) Do I upload the database first, then the wp-content folder?
    2) As for the plugins that I have deleted, can I install them after I re-upload the site? Or do I install them first into the default WordPress that Bluehost has now after nuking, then copy the plugin folders into the plugin directory of my site locally, then upload everything at once?

    Thanks for your help,

    Thread Starter vietnamesecinemablog

    (@vietnamesecinemablog)

    Also, with the database

    in phpMyAdmin,

    do I have to make sure the username of the database is the same as before?

    I think WordPress created a different username when they installed WordPress by default.

    thanks

    1) Do I upload the database first, then the wp-content folder?

    Either can be first.

    2) As for the plugins that I have deleted, can I install them after I re-upload the site?

    Yes, and I would only use fresh downloads, but backups.

    Do I have to make sure the username of the database is the same as before?

    In order to import your database tables, you will first have to make a database at the server. If you wish, you can use the database name in wp-config.php or you can make a new database name at the server and then put that name in wp-config.php. Then after making a new database, you will need to make a new SQL user and then assign that user to your database…and then all of that must be correct in wp-config.php:

    MySQL > database name > wp-config.php
    MySQL username > wp-config.php
    SQL password > wp-config.php

    database tables > database
    table_prefix > wp-config.php
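
The mapping in the reply above, turned into a pre-flight check that can be run on local copies before going live. This is an added example, not part of the thread. DB_NAME, DB_USER, DB_PASSWORD and $table_prefix are the standard wp-config.php settings; the function names and all sample values are constructed for illustration.

```python
import re

# Patterns for the settings the reply lists; values may be single- or double-quoted.
DEFINE_RE = re.compile(r"""define\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD)['"]\s*,\s*['"]([^'"]*)['"]""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")
TABLE_RE = re.compile(r"CREATE TABLE (?:IF NOT EXISTS )?`([^`]+)`", re.IGNORECASE)
CORE_TABLES = ("options", "posts", "users")  # tables every WordPress database has

def read_wp_config(text):
    """Pull the database settings and table prefix out of wp-config.php text."""
    settings = dict(DEFINE_RE.findall(text))
    match = PREFIX_RE.search(text)
    settings["table_prefix"] = match.group(1) if match else ""
    return settings

def check_restore(config_text, dump_text, server_db, server_user):
    """List mismatches between wp-config.php, the SQL export and the new server database."""
    cfg = read_wp_config(config_text)
    tables = set(TABLE_RE.findall(dump_text))
    problems = []
    if cfg.get("DB_NAME") != server_db:
        problems.append("DB_NAME does not match the database made at the server")
    if cfg.get("DB_USER") != server_user:
        problems.append("DB_USER does not match the SQL user assigned to the database")
    if cfg.get("DB_PASSWORD", "") in ("", "password_here"):
        problems.append("DB_PASSWORD is empty or still the sample placeholder")
    prefix = cfg["table_prefix"]
    missing = [prefix + t for t in CORE_TABLES if prefix + t not in tables]
    if missing:
        problems.append("table_prefix %r finds no tables: %s" % (prefix, ", ".join(missing)))
    return problems

# Constructed sample input, not taken from the thread.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'acct_wp123' );
define( 'DB_USER', 'acct_wp123' );
define( 'DB_PASSWORD', 'constructed-example-only' );
$table_prefix = 'wp_';
"""
SAMPLE_DUMP = """
CREATE TABLE `vcb_options` (`option_id` bigint(20));
CREATE TABLE IF NOT EXISTS `vcb_posts` (`ID` bigint(20));
CREATE TABLE `vcb_users` (`ID` bigint(20));
"""

if __name__ == "__main__":
    for line in check_restore(SAMPLE_CONFIG, SAMPLE_DUMP, "acct_restore", "acct_wp123"):
        print(line)
```

The sample reproduces the situation raised in the thread: the wp-config.php from a fresh install points at a different database and prefix than the saved export, so the imported tables would not be found until both values are corrected.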

    Thread Starter vietnamesecinemablog

    (@vietnamesecinemablog)

    Hi, it’s been quite a little journey and learning experience. Thank you leejosepho for all your help. My blog is back up.

    [Advertisement moderated]

    Thanks again,

  • The topic ‘Bluehost Deactivate Account Malware’ is closed to new replies.