Hacker replaced wp-config.php but did no other damage

  • I had an “intrusion” last night on (which we’re about to be announced publicly, so preview for WP users :). The site is based around WordPress and Gallery2 via WPG2. The hacker (aTMaCa) replaced wp-config.php with their own html code. For reference I have uploaded a rar of this replaced file to, but it doesn’t have much information (apart from identifying the hacker and their political cause).

    We’re hosted on Site5 and are using the latest versions of WordPress and Gallery. There are a reasonable slew of plugins but I think they’re basically up to date, for reference we use:
    Taragana’s Delicious MP3 Player, BDP RSS Aggregator, Customizable Post Listings, WP-Email, Exec-PHP, Fold Page List, Gravatar, Official Comments, PXS Mail, Random File, Google Sitemaps, Smart Archives, Fuzzy Recent Comments, Spam Karma 2, Ultimate Tag Warrior, WPG2, WP Database Backup, WP-phpBB, Permalink Redirect.
    (Wow, there’s more than I thought when I actually type them in)

    Apart from the wp-config.php change there wasn’t any damage. All databases are intact and files seem to be fine. No passwords were changed. I looked at the permissions of wp-config after I uploaded my backup version and it was set to 666, I’ve changed it to 644 but I thought that this wasn’t a huge problem on a shared platform such as Site5.

    I’ve read all the other “my WP site was hacked” threads, but none of them seem to fit what’s happened here.

    So, I’m just wondering if anyone has any ideas how someone could get into wp-config.php but then not damage anything else? Apart from changing the permissions, is there anything else I can do to prevent something like this happening in the future?



Viewing 1 replies (of 1 total)
  • Not sure, but if they had access to your wp-config.php, then they can get your database username and password.

    There’s a way to prevent this from happening by setting the username and password as variables in the $_SERVER array, but I can’t remember the exact mechanism.

    For now, change your database password, and ask your hosts to look into this to see if there’s anything they can do.

  • The topic ‘Hacker replaced wp-config.php but did no other damage’ is closed to new replies.
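
The two conditions described in the original post (a wp-config.php left at mode 666, and the same file overwritten with HTML) can be checked for mechanically. The script below is an added example, not part of the thread; the function names, the sample tree and the 755 directory mode are assumptions.

```shell
# Added example. Function names and the sample tree are constructed for illustration.

# List files and directories under $1 that any local user can write (mode o+w,
# e.g. the 666 found on wp-config.php in this thread).
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Succeed only if $1 exists and its first line starts with "<?php".
# A config file overwritten with an HTML page fails this check.
config_looks_like_php() {
    [ -f "$1" ] || return 1
    first=''
    IFS= read -r first < "$1" || :   # tolerate a file with no trailing newline
    case $first in '<?php'*) return 0 ;; *) return 1 ;; esac
}

# Report both conditions for the WordPress root $1; returns 1 if either is found.
audit_wp() {
    rc=0
    ww=$(world_writable "$1")
    if [ -n "$ww" ]; then
        printf 'world-writable:\n%s\n' "$ww"
        rc=1
    fi
    if ! config_looks_like_php "$1/wp-config.php"; then
        printf 'not a PHP config: %s\n' "$1/wp-config.php"
        rc=1
    fi
    return "$rc"
}

# Remove the world-writable condition: files to 644 (the mode chosen in the post),
# directories to 755 (assumption: the usual WordPress default for directories).
tighten() {
    find "$1" -type f -perm -0002 -exec chmod 644 {} +
    find "$1" -type d -perm -0002 -exec chmod 755 {} +
}

# Constructed demo: a throwaway tree with a 666 wp-config.php replaced by HTML.
demo() {
    root=$(mktemp -d) || return 1
    printf '<html><body>defaced</body></html>\n' > "$root/wp-config.php"
    chmod 666 "$root/wp-config.php"
    audit_wp "$root"; echo "audit exit status: $?"
    rm -rf "$root"
}
demo
```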