How to remove malware when Bluehost deactivated account?

  • Resolved Steve Keller

    (@stevekeller)


    6 years, 2 months ago

    Hi,

    I have four sites on my Bluehost account, and last night, I was alerted that artmassagepdx.com was down, and it has not come back up since. I have Wordfence on all four, but I cannot access the admin dashboards. I really need to get the stevekleier.com site back up, immediately, the others not so urgent. I don’t want to engage Sitelock, or pay for this at all…isn’t there a way to determine the bad code, go into the File Manager, delete, and then tell BH to check for malware again? What is the likelihood that other sites have been infected, or how do I deal with that?

    Thanks,
    Steve

    The page I need help with: [log in to see the link]

Viewing 4 replies - 1 through 4 (of 4 total)

  • @stevekeller,

    I’m not with Wordfence but I get an alert when someone says SiteLock three times in a mirror (or on this forum) and thought I’d help point you in the right direction.

    It looks like your site is currently suspended by your host. If that’s the only thing keeping your site from being up, ask them for a list of the infected files. They may have already put a convenient list in a TXT file in the webroot or /stats if you check your file manager. I’d strongly recommend against attempting to clean the website yourself if you don’t have a background in malware remediation, but you sound pretty determined. I hope this helps.

    Do you know if Bluehost has been taking backups of your site? If so, you could ask them to restore your site and unsuspend your account so that you could go immediately into the site and find the problems and fix it.

    If you have (or can get back) ftp access, then you could remove and replace all files with freshly downloaded and known good copies of WordPress, your plugins and themes. Don’t overwrite the files – Remove and replace. Hacks can modify files but hacks can also add new files. If you just overwrote the folders, the new files would be untouched.

    It’s tedious and heavy-handed, but most hacks are file based. If the problem is in the database, changing the files probably won’t help.

    Thread Starter Steve Keller

    (@stevekeller)

    Hey…sorry for the radio silence, but I worked on this over the weekend, with Bluehost. Turns out there was malware on all four sites, and using the Malware.text file on the BH File Manager, I went in and deleted all I could find. I prepared a Word Doc. with status reports on each line of code I deleted, thinking that might be useful, to show which I could find, which I couldn’t.

    Talked to BH on Saturday, they rescanned, and since I had done such a stellar cleaning job (apparently not), they reactivated my account. I wanted to focus on the stevekleier.com account, before checking on the status of the other 2 plus mine (marketingbywebdesign.co). One site was up(daverhein.com), the rest still down, so I called BH again.

    Talking with them, I learned that I may have deleted folders that were key operational folders, like “wp-config” and “index.php”, which I acknowledged had probably happened. So…probably the fifth person I spoke to, recommended doing a restore, back to September 8, first on the Kleier site, and then on the other two (Artmassage, and Marketingbywebdesign). The Kleier site came back! I then did the restore for the last 2 sites (/\). They are still not back, and I thought of redoing the restore, but in talking to person #6, I learned that I was really reinfecting sites by restoring.

    BH said they could do another scan, but if malware shows up, again they would have to deactivate my account. I cannot get into the admin dashboards for the Art and MWD sites, but I did deactivate Wordfence for Kleier and Rhein, and install “Anti-Malware from GOTMLS.NET” on those sites.

    I am stuck and don’t know what direction to go. I do wish Bluehost could segregate website files in a person’s hosting account, so that they would not have to deactivate everything.

    Sorry for the long explanation/description…anyone game to help? I would be forever indebted, and we could figure out a compensation scheme.

    Thanks,
    Steve Keller

    Hi Steve,

    On those sites you have Wordfence on, you can follow this guide to “Clean a Hacked WordPress Site using Wordfence“. I’m sure this should help you cleaning the currently infected files, however if this happened again, then most probably there is a backdoor on the server and you will have to hire a security analyst to clean your websites.

    Thanks.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘How to remove malware when Bluehost deactivated account?’ is closed to new replies.