[quote="waltzzz, post:1, topic:56536"]On the domains I manage (most of them) I had one username with ftp access, I have now created a separate user name for each site with its own password.
Is that last step useful at all? Good practice?[/quote]
Yes and it depends. Obviously, with different users, programs running as one user can be restricted from accessing files of another. This would have prevented all your sites having malicious .htaccess files planted, for example, when those sites themselves were not vulnerable to what was exploited in your WP blog.
With SFTP the server doesn’t chroot to your home directory. It is not a side effect or temporary.
[quote]I have deleted the .htaccess files or replaced them with older ones I had that looked ok. They got rewritten overnight (before I’d changed all the pwrds.)
Question: is it ok just to delete .htaccess files?[/quote]
That depends on their purpose. It is OK if they weren’t there to begin with, but if you have applications or a particular web server setup (i.e., custom error pages, friendly URLs, etc.) you might adversely affect site operation.
Also, depending on how you do backups, look into using diff/rsync to detect files that have changed or been added to your user accounts, not to mention keeping copies of the HTTP server logs around longer if you get advanced enough to parse attack URIs.
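
The change detection suggested above can be done with a checksum manifest compared against a known-good backup. This is an added example, not part of the original post; the function names and directory layout are hypothetical, the sample trees are constructed, and it assumes GNU `sha256sum` and `mktemp` are available.

```shell
#!/bin/sh
# Added example: report files that differ between a known-good backup and
# the live tree. Names and paths here are hypothetical, data is constructed.

# manifest DIR: "sha256  ./relative/path" for every regular file under DIR.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | sort -k 2
}

# changed_files BACKUP LIVE: print ADDED, MODIFIED or DELETED per file in LIVE.
changed_files() {
    old=$(mktemp) || return 1
    new=$(mktemp) || return 1
    manifest "$1" > "$old"
    manifest "$2" > "$new"
    # A sha256sum line is 64 hex digits, two separator characters, then the path.
    awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { base[path] = hash; next }
        { seen[path] = 1 }
        !(path in base)     { print "ADDED    " path; next }
        base[path] != hash  { print "MODIFIED " path }
        END { for (p in base) if (!(p in seen)) print "DELETED  " p }
    ' "$old" "$new" | sort
    rm -f "$old" "$new"
}

# Constructed demo: one .htaccess rewritten and one added since the backup.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/backup/site1" "$d/live/site1" "$d/live/site2"
    echo '<?php echo "hi";' > "$d/backup/site1/index.php"
    cp "$d/backup/site1/index.php" "$d/live/site1/index.php"
    echo 'ErrorDocument 404 /404.html' > "$d/backup/site1/.htaccess"
    echo '# constructed: differs from backup' > "$d/live/site1/.htaccess"
    echo '# constructed: not in backup' > "$d/live/site2/.htaccess"
    changed_files "$d/backup" "$d/live"
    rm -rf "$d"
}
demo
```

Where rsync is installed, `rsync -rcn --delete --itemize-changes live/ backup/` gives a comparable report as a dry run, without copying anything.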