So your Dreamhost WordPress account is infected, and you’ve received an email that you have to clean it up. What do you do?

DISCLAIMER: If you totally bork your sites, please don’t blame me. This procedure is safe as of the publication date, and tech support can usually undo any great screwups.

I cannot tell you the hours I’ve lost attempting to clean infected files on my Dreamhost domains. I use the cheapest VPS option they have, which is cool because (a) it’s the cheapest thing going for unlimited domains (not just unlimited bandwidth), and (b) their customer support is pretty nice and responsive, though they don’t have this infected file cleanup process well-documented, despite lots of documentation.

Let me help you.

1. Don’t Panic

Believe it or not, you probably don’t have any injections in your database, and you’ve lost NONE of your images or content. Just don’t go deleting every damned thing.

You may be experiencing some of these symptoms:

  1. You can’t update or add plugins
  2. You can’t update or add themes
  3. You can’t delete files via ftp.

2. Change your Dreamhost password

Don’t worry about your WordPress passwords yet, but do change your master login password for Dreamhost using the Forgot Password feature.

NOTE: Some people say create a new User for your web sites after a hack. DON’T do that or you will have permission problems when deleting files or reinstalling WordPress. Just use your one master account and make a really good PW, ok?

3. Connect Via FTP and copy all of your media files to your home or network drive

  1. Make sure you are set up for both FTP and SSH by going into your settings at Users > Edit (the user for your site(s))
  2. Update (change) your password there too.
  3. Download a good ftp/ssh product like Bitvise SSH Client (they recommend PuTTY for SSH, but Bitvise is better because it has both ftp and ssh)
  4. Log in to your ftp server – Bitvise will open two windows – ftp and ssh (command line), keep both open
  5. In the FTP window, on the left-hand side (your computer), create a folder for each domain that you will be backing up.
  6. In the FTP window, under the folder for each domain you host, navigate to the site/wp-content/uploads folder, and copy the dated folders (2017, 2016, etc.) from the right window to the left (i.e. onto your local drive)

4. Delete your domains on the server!

Again, don’t worry, you’ve just rescued your images, and your posts are safe in the database, which is NOT in these folders.

  1. In the Bitvise SSH window (black command line window), type ls to see a list of your directories. See those that look like the name of your sites? Those.
  2. At the prompt type the following to permanently delete an infected directory:  rm -rf [directoryname]  (without the square brackets)

NOTE: Every time WordPress is updated, Dreamhost backs up your old install with a .old copy of your website directory. Delete ALL of those; the infections usually live there.

5. Remove the WordPress Installs

  1. In your Dreamhost panel, go to Goodies > One-click Installs and click Manage One-Click Installs
  2. Click on the affected domains, then choose Delete All Files (again, no database stuff is deleted)

6. Re-install WordPress

  1. For each domain, from the Goodies > One-click Installs page, install WordPress
  2. NOTE: Choose the existing database that matches the domain, DON’T create a new one. If you have more than one that matches, choose the one with the largest incremental number at the end (1, 2, etc). That’s probably the right one.
  3. Open your site. Are the articles restored? If so, skip to Step 9. If not, move on to Step 7.

7. Fix the Database Prefix

Even though you’ve connected to the right database, there is now more than one set of tables inside your database. If you want your old articles to show, you have work to do. You have to update the wp-config.php file with the right database prefix.

  1. In the FTP window, navigate to your first site’s directory, right-click wp-config.php, and choose Edit
  2. Leaving that file open for reference, in the Dreamhost panel, head over to Goodies > MySQL Databases, and click on the phpMyAdmin link next to the domain you are interested in fixing (the same one as in the wp-config.php file)
  3. Use the hostname, username, and password shown in your wp-config.php file to connect, something like this:
    /** MySQL database username */
    define('DB_USER', 'myusername');
    /** MySQL database password */
    define('DB_PASSWORD', 'CrYpTiCPW1');
    /** MySQL hostname */
    define('DB_HOST', 'mysql.mydomain.com');
  4. In the phpMyAdmin screen, you will see at least two folders in the left-hand navigation – one that says information_schema, and one that has your domain name. Expand the domain name folder.
  5. Notice that the tables have a prefix in front of them, and the prefix changes at least once partway down. Under the first prefixes, look for the Posts table and click on it. Do you see your posts, or just a Hello World? If Hello World, go to the Posts table with the different prefix, moving through the Posts tables until you find the one that has your posts.
  6. Once you find the table with your posts, note the prefix. It is something like this:  wp_xxxxx_.  You need to copy that ‘xxxxx’ part and change the $table_prefix in that wp-config.php file you opened back in step 7.1. The prefix is right at the bottom of the first page of text. Make sure you don’t delete the wp_ or the _ at the end of it. When you are done, the line will look like this:
    $table_prefix = 'wp_yourprefix_';
  7. Save and close the wp-config.php file.
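
Step 7 can also be done from the SSH window. The helpers below are an added example, not part of the original procedure: the function names, the sample prefix `wp_k3x9qa_` and the backup location are assumptions. They pick candidate prefixes out of a table list and rewrite `$table_prefix` while keeping the backup copy outside the web directory.

```sh
#!/bin/sh
# Added example for Step 7; function names and paths are illustrative.

# Read table names on stdin (one per line, e.g. from SHOW TABLES) and print
# the prefix of each WordPress posts table, one candidate per line.
list_post_prefixes() {
    sed -n 's/^\(.*_\)posts$/\1/p' | sort -u
}

# Print the $table_prefix value currently set in a wp-config.php.
get_table_prefix() {
    sed -n "s/^[[:space:]]*[$]table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Set $table_prefix in wp-config.php ($1) to $2. The backup goes to $3
# (default: $HOME), never next to the file: a wp-config.php.bak inside the
# web root would be served as plain text, database password included.
set_table_prefix() {
    file=$1; prefix=$2; backup_dir=${3:-$HOME}
    # Letters, digits and underscores only, so nothing else lands in PHP.
    case $prefix in
        ''|*[!A-Za-z0-9_]*) echo "bad prefix: $prefix" >&2; return 1 ;;
    esac
    grep -q '^[[:space:]]*[$]table_prefix' "$file" || {
        echo "no \$table_prefix line in $file" >&2; return 1; }
    backup="$backup_dir/wp-config.$(date +%Y%m%d%H%M%S).bak"
    ( umask 077; cp "$file" "$backup" ) || return 1
    # Redirecting into the original keeps its owner and permissions.
    sed "s/^\([[:space:]]*[$]table_prefix[[:space:]]*=\).*/\1 '$prefix';/" \
        "$backup" > "$file"
}

# Constructed table list standing in for real SHOW TABLES output.
demo_tables='wp_posts
wp_options
wp_k3x9qa_posts
wp_k3x9qa_users'
printf '%s\n' "$demo_tables" | list_post_prefixes
```

Checking which candidate's posts table actually holds your articles is still done as in step 7.5; only then pass that prefix to `set_table_prefix`.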

8. Reset your Username/pw in phpMyAdmin

Don’t close that phpMyAdmin screen yet. You’re gonna ignore the email WordPress sent you about your new username, and make sure your old one is working, since that’s the database you are now connected to.

  1. Under the correct prefix, click on the Users table.
  2. See your old username? Or one that you want to edit? Click Edit
  3. Change your Username and Email addresses to whatever you like.
  4. Update your password, but in the Function column (only for this field), choose MD5 (that’s hashing, only your PW is hashed)
  5. Click GO at the bottom of the page.

9. Go Test Your Login

  1. Go to your domain/wp-admin page, and log in. It should work, and you are all done with restoring at least your site and content. If it doesn’t work, go back to Step 7.
  2. Now go reinstall your theme and any other customizations you had. And good luck.

10. Copy your media back to the server

  1. Use the ftp window and copy your dated upload folders back to your wp-content folder so your images in your old posts work.

11. Install site security

My favorite free security plugin is iThemes Security. After you activate it, run setup, and give them your email so that you can have permission to set up THE most important security setting – brute force protection. That’s probably how you got hacked in the first place.

Please let me know if you find this helpful by sharing it or commenting. Thank you.