If you do not want to completely replace your site files, you can still manually remove and replace specific content. However, this is not recommended, as it is much easier to miss infected files this way.
Many hackers insert code into the standard WordPress .htaccess file. The best thing to do is to completely remove the old, hacked .htaccess and generate a new one:
- Log into your server via FTP.
- Make sure your FTP client is set to view hidden files.
- Delete the old hacked .htaccess file (if it exists).
- In your WordPress Dashboard, go to 'Settings > Permalinks' and re-save the permalink settings.
- The direct URL for the page is http://example.com/wp-admin/options-permalink.php (replace example.com with your WordPress site).
- This re-creates the base .htaccess.
- If you have the WP Super Cache plugin installed, go to 'Settings > WP SuperCache' (http://example.com/wp-admin/options-general.php?page=wpsupercache), and then re-choose "Use mod_rewrite to serve cache files. (Recommended)"
- Click Update Status.
- A yellow pop-up section appears titled "Mod Rewrite Rules":
- At the bottom of that section, click the Update Mod-Rewrite Rules button.
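Once the file has been regenerated, it is worth confirming that it holds nothing beyond the rules WordPress writes. The script below is an added example, not DreamHost or WordPress tooling; the function names are its own, and it assumes a single-site install in the web root, so anything else (including legitimate plugin rules such as WP Super Cache's) is listed for manual review.

```shell
#!/bin/sh
# Added example: report .htaccess directives that are not stock WordPress rules.
# Assumption: single-site install in the web root, so RewriteBase is "/".

# Print "LINE: directive" for each unexpected directive; return 1 if any found.
htaccess_unexpected() {
    awk '
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # normalize the line
        NR == FNR { stock[$0] = 1; next }   # first input: the stock rules
        $0 == "" || /^#/ { next }           # skip blank lines and comments
        !($0 in stock) { printf "%d: %s\n", FNR, $0; bad = 1 }
        END { exit bad }
    ' - "$1" <<'EOF'
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
EOF
}

# Constructed sample: a regenerated file with one extra directive on top.
htaccess_demo() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
Redirect 302 / http://unexpected.example/
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
    htaccess_unexpected "$sample" || echo "review the lines listed above"
    rm -f "$sample"
}

if [ "${1:-}" = "--demo" ]; then htaccess_demo; fi
```

Run it with `--demo` to see the constructed sample flagged, or call `htaccess_unexpected /path/to/.htaccess` against the real file.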
How to handle unused installs
If you have an old install that you don't use, either upgrade it to make it secure or (even better) remove it completely.
Upgrading using the One-Click Installer
View the How to Upgrade a One-Click Install article for details on how to upgrade within the DreamHost panel.
Upgrading in the WordPress dashboard
- If there is a new version of WordPress, there is a notice on every screen that an upgrade is available:
- To update, click on ‘Updates’ in the left-hand column.
- The following page appears:
Upgrading via SSH
Deleting a WordPress install in the DreamHost panel
View the How to Remove a One-Click Install article for details on how to completely remove and delete all files associated with a WordPress installation.
If you have the old WordPress install at example.com and another site at example.com/othersite/, clicking the Delete all Files button will remove everything including the non-WordPress site at example.com/othersite.
Deleting WordPress using FTP
- Make sure your FTP client is set up to view hidden files.
- Delete all files beginning with "wp-".
- Delete all directories beginning with "wp-".
- Delete the following files (if present):
At this point, there should be no remaining items in the directory but files you have uploaded. If there are files still there that you do not recognize, examine them carefully as they may be files placed there by a hacker. If you are certain that you do not want these files, you can delete them.
Deleting a WordPress install using SSH
- Log into your server via SSH.
- Navigate to your WordPress install directory.
- Run the following command all on one line. This deletes all WordPress files:
[server]$ rm wp-*;rm .htaccess;rm index.php;rm xmlrpc.php;rm readme.html;rm license.txt;rm -R wp-*
This command permanently deletes all files, and there is no way to retrieve them once the command has run. Make sure you wish to permanently delete all WordPress files before running this command.
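Because the removal cannot be undone, a preview of what the command matches, and of what it leaves behind for review, is useful before running it. The script below is an added example, not part of the original article; its function names are its own, and it only lists top-level entries without deleting anything.

```shell
#!/bin/sh
# Added example: preview the removal command above without deleting anything.
# Function names are this example's own, not DreamHost or WordPress tools.

# True if NAME is matched by the removal command (wp-* plus the named files).
wp_removal_match() {
    case "$1" in
        wp-*|.htaccess|index.php|xmlrpc.php|readme.html|license.txt) return 0 ;;
        *) return 1 ;;
    esac
}

# List top-level entries of DIR: MODE "delete" = matched, "keep" = the rest.
wp_scan() {
    for path in "$1"/* "$1"/.[!.]*; do
        [ -e "$path" ] || [ -L "$path" ] || continue   # glob matched nothing
        name=${path##*/}
        if wp_removal_match "$name"; then kind=delete; else kind=keep; fi
        if [ "$kind" = "$2" ]; then printf '%s\n' "$name"; fi
    done | LC_ALL=C sort
}

wp_would_delete() { wp_scan "$1" delete; }
wp_leftovers()    { wp_scan "$1" keep; }

# Constructed sample tree: core files, a second site, and an unknown script.
wp_demo() {
    d=$(mktemp -d)
    mkdir "$d/wp-admin" "$d/wp-content" "$d/othersite"
    touch "$d/wp-config.php" "$d/index.php" "$d/.htaccess" "$d/sys_cache.php"
    echo "Would be deleted:";  wp_would_delete "$d"
    echo "Left for review:";   wp_leftovers "$d"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then wp_demo; fi
```

Note that wp-content matches wp-*, so anything stored under wp-content/uploads is removed along with the core files.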
How to manually manage plugins
It’s very important to always keep your plugins up to date. This limits the possibility of getting hacked.
Updating plugins in the WordPress dashboard
The WordPress dashboard notifies you if there are any updates for your installed plugins. You’ll see this in the left-hand column next to ‘Plugins’:
- The number of plugins that need to be updated is displayed in a circle next to ‘Plugins’.
- You can update each plugin individually by clicking the ‘update now’ link below the plugin.
- You can also click the dropdown at the top of the list. Select ‘Update’ from the ‘Bulk Actions’ dropdown, and then click ‘Apply’ to update all plugins in that list.
Updating plugins via SSH
You can use the WP CLI interface to update plugins via SSH. View the following page for further details and examples:
Disabling plugins via FTP
You can also disable plugins via FTP. These instructions remove the functionality of these plugins from your WordPress install, without removing the plugin files.
- Log into your server via FTP.
- Navigate to the example.com/wp-content/plugins directory.
- Find the plugin folder you wish to remove.
- Rename the plugin folder. For example, if the plugin folder is named /myplugin, rename it to /myplugin_OFF. This disables the plugin.
- Rename it back whenever you wish to re-enable it.
To disable all plugins, just rename the entire /plugins directory to /plugins_OFF. If you rename the plugins directory and then try to install new plugins while the name is changed, you will get an error.
If you want to keep the plugin files in /plugins_OFF and install new plugins, create a new and empty plugins directory at the same time that you rename the old one.
How to manually manage your WordPress theme
It’s very important to always keep your themes up to date, as it limits the possibility of getting hacked.
Updating a theme in the WordPress dashboard
In the left-hand column click ‘Appearance’. A list of all your currently installed themes will show in the main window. Any themes with updates available will show ‘Update Available’ at the top of their box.
- Click on the theme’s box to expand it.
- On the right, you have the option to update it.
Deleting a theme in the WordPress dashboard
It is best to always remove themes you are not using. You should only keep the theme you actively use since you can always reinstall removed themes at any time. By removing themes, you keep their files from being used as attack entry points.
- In the left-hand column click ‘Appearance’.
- A list of themes displays:
- Click the theme you wish to remove.
- On the bottom right, click the ‘Delete’ link to remove the theme.
Deleting a theme via FTP
If you cannot access the dashboard, you can still delete the theme via FTP:
- Use the steps described in the FTP article to log into your server.
- Navigate to the /example.com/wp-content/themes directory.
- Delete any theme folder you wish to remove.
It's best to leave WordPress's current default theme as well as your active working theme in place, just to be certain that you have a good fallback theme if needed.
Managing a theme via SSH
You can use the WP CLI interface to manage themes via SSH. View the following page for further details and examples: