I was hacked a few days ago and am trying to close things down and clean up. I see lots of information but sometimes need some basic questions answered… I hope to get some help with this here.
I host about a dozen domains on DreamHost. One, and its subdomain, were shut down (by changing the name of the URL) by DreamHost, and there was a Google warning about the subdomain, which has just one WordPress blog on it.
There are .htaccess files all over the place, not just in the suspicious site, that have a script that means if the referrer is Google or Facebook or about 50 others, it takes the user to a Russian site. From my own computer I can type in the URL and I see the site as I should.
I have gone through and changed all users to SFTP and put in new passwords.
On the domains I manage (most of them) I had one username with FTP access; I have now created a separate username for each site with its own password.
Is that last step useful at all? Good practice?
My original username is still there, and weirdly can access the files in SFTP even though each domain is set to another user… not what I expected, why is that? Perhaps that will stop soon as things change in the Internet tubes?
I have deleted the .htaccess files or replaced them with older ones I had that looked OK. They got rewritten overnight (before I'd changed all the passwords).
Question: is it ok just to delete .htaccess files?
Enough for one post. Thanks for your interest.
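
The following is an added example, not part of the original post: a scanner that finds .htaccess files containing the kind of referrer-conditional redirect described above, so every infected copy can be located after each cleanup pass. It assumes the injection uses Apache `RewriteCond %{HTTP_REFERER}` lines followed by a `RewriteRule` to an outside host; the hostnames and the sample file are constructed placeholders.

```python
import os
import re
from urllib.parse import urlparse

COND = re.compile(r'^\s*RewriteCond\s+(\S+)\s+(\S+)', re.I)
RULE = re.compile(r'^\s*RewriteRule\s+\S+\s+(\S+)', re.I)

def scan_htaccess(text, own_hosts):
    """Flag RewriteRules that send visitors to a foreign host only when a
    preceding RewriteCond tests the Referer header.
    Returns [(line_no, target, [referer patterns])]."""
    findings, referers = [], []
    for no, line in enumerate(text.splitlines(), 1):
        cond = COND.match(line)
        if cond:
            if "HTTP_REFERER" in cond.group(1).upper():
                referers.append(cond.group(2))
            continue
        rule = RULE.match(line)
        if rule:
            target = rule.group(1).strip('"')
            host = (urlparse(target).hostname or "").lower()
            if referers and host and host not in own_hosts:
                findings.append((no, target, referers))
            referers = []  # conditions apply only to the next RewriteRule
    return findings

def scan_tree(root, own_hosts):
    """Walk root and return {path: findings} for every .htaccess with hits."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_htaccess(fh.read(), own_hosts)
            if hits:
                results[path] = hits
    return results

# Constructed sample (not from the post): injected block, then normal WordPress rules.
SAMPLE = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*facebook.*
RewriteRule ^(.*)$ http://redirect.example/in.php [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
"""

if __name__ == "__main__":
    for hit in scan_htaccess(SAMPLE, {"blog.example.com"}):
        print(hit)
```

Run `scan_tree` against the account's home directory with the set of your own hostnames; rerunning it the next morning shows whether the files are still being rewritten.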