Title: wp-config file installed
Last modified: August 10, 2018

---

# wp-config file installed

 *  Resolved [danaruth](https://wordpress.org/support/users/danaruth/)
 * (@danaruth)
 * [7 years, 10 months ago](https://wordpress.org/support/topic/wp-config-file-installed/)
 * Hello! I found a second wp-config file installed on my domain and did not receive
   any notification of this event that replaced the DB parameters. It was only this
   evening, when trying to log in, that I realized the site was down. A malicious
   wp-config file was the last thing I would be expecting, especially with Wordfence
   installed and configured. I also found the offending “user” and have no idea 
   how they logged in. I am the only user and the login info is not generic. It 
   didn’t re-direct site visitors elsewhere; instead the page displayed WP logo 
   with country drop-downs. My hosting provider mentioned something about a database
   connection error and that’s when we found a second wp-config file. I have screenshots
   if it would be helpful. When trying to bring the site back up I experienced a
   conflict and had to deactivate my theme and all plugins, including Wordfence.
   I would like to know how this activity happened and what I could do to protect
   in the future. This conflict is still present and it appears that I have some
   major work ahead of me. Not happy 🙁 Thank you for your help!

Viewing 3 replies - 1 through 3 (of 3 total)

 *  Thread Starter [danaruth](https://wordpress.org/support/users/danaruth/)
 * (@danaruth)
 * [7 years, 9 months ago](https://wordpress.org/support/topic/wp-config-file-installed/#post-10602830)
 * Hello? Anyone? I have restored my site, but would like a post-mortem to better
   understand how this happened or address a vulnerability. Thank you 🙂
 *  [Ambyomoron](https://wordpress.org/support/users/josiah-s-carberry/)
 * (@josiah-s-carberry)
 * [7 years, 9 months ago](https://wordpress.org/support/topic/wp-config-file-installed/#post-10602934)
 * The second wp-config file presumably has a date/time stamp for when it was created.
   Check your web server access log for suspicious activity around that time. If
   you find nothing there, perhaps your (s)ftp credentials have been compromised.
 * Simply restoring the site to its state before the attack will not prevent the
   same attack from occurring again. Presumably, you have taken other measures.
 *  [wfasa](https://wordpress.org/support/users/wfasa/)
 * (@wfasa)
 * [7 years, 9 months ago](https://wordpress.org/support/topic/wp-config-file-installed/#post-10626841)
 * Hello [@danaruth](https://wordpress.org/support/users/danaruth/),
 * I second @josiah-s-carberry's suggestion. You’d need to do a forensic analysis
   on the site to figure out where the additional wp-config.php came from. Since
   you have restored the site you may have wiped out the evidence at that point.
 * Hopefully this won’t happen again but if it does, @josiah-s-carberry's suggested
   procedure above is a good start.
 * Best of luck for now!
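
The procedure suggested in the replies above (take the unexpected file's timestamp, then read the web server access log around that time), as an added example that is not part of the original thread or of Wordfence. It assumes the Apache/nginx combined log format; the function names, the 15-minute window and the sample log lines are constructed for illustration.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format (assumed; adjust for a custom LogFormat).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def file_times(path):
    """Return (mtime, ctime) of the unexpected file as UTC datetimes.
    mtime can be set freely by whoever wrote the file; on Linux ctime is the
    inode change time and is harder to fake, so check the log around both."""
    st = os.stat(path)
    to_utc = lambda t: datetime.fromtimestamp(t, tz=timezone.utc)
    return to_utc(st.st_mtime), to_utc(st.st_ctime)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e

def requests_near(lines, when, window_minutes=15):
    """Entries within +/- window of `when`; successful POST/PUT listed first,
    as the requests most likely to carry an upload or a settings change."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in lines:
        e = parse_line(line)
        if e and abs(e["time"] - when) <= window:
            e["write_capable"] = e["method"] in ("POST", "PUT") and e["status"] < 400
            hits.append(e)
    return sorted(hits, key=lambda e: (not e["write_capable"], e["time"]))

# Constructed sample data (documentation IP ranges, made-up times).
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Aug/2018:21:02:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [09/Aug/2018:21:58:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [09/Aug/2018:22:01:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Aug/2018:22:03:30 +0000] "GET /index.php HTTP/1.1" 500 210 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Aug/2018:03:15:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
SAMPLE_WHEN = datetime(2018, 8, 9, 22, 1, 30, tzinfo=timezone.utc)
```

On a real site, pass the result of `file_times()` for the second wp-config file and the lines of the access log covering that day. An empty result points away from the web server and toward the (s)FTP or hosting-panel logs, as the reply suggests.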


The topic ‘wp-config file installed’ is closed to new replies.


 * 3 replies
 * 3 participants
 * Last reply from: [wfasa](https://wordpress.org/support/users/wfasa/)
 * Last activity: [7 years, 9 months ago](https://wordpress.org/support/topic/wp-config-file-installed/#post-10626841)
 * Status: resolved