• Resolved marisakbrantley

    (@marisakbrantley)


    Hello,

    A WordFence scan today found a backdoor on my wp-config.php file:

    Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: <?php\x0a/*25733*/\x0a\x0a@include

    The issue type is: Backdoor:PHP/payload.add.11956
    Description: Strange access of internal resources such as malware payloads

    I downloaded the file (VS Code) to search and delete the matched text, but couldn’t find this text. I’ve never edited a wp-config.php file before and would love some help.

    Thank you!

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @marisakbrantley, thanks for your detailed message.

    The code that’s been matched looks like the hexadecimal linefeed character which would likely be non-visible characters in VS Code, followed by a PHP comment /*25733*/ and two more linefeeds. However, I can’t confirm the @include part is normal for your site as my wp-config.php starts with @define or a comment about which plugin is defining the variables.

    Firstly, do your Wordfence scan results give you the option to repair/remove the file without having to download and intervene yourself? I would always recommend taking a full backup of your site before attempting to repair/remove anything so that you can restore the site if anything goes wrong.

    In some cases our malware detection signatures match a large enough portion of a file that the malicious portion of the match might not display in the “matched text” section. To get a full assessment if you can’t clean the file, or Wordfence can’t repair it either, I recommend sending a copy to samples @ wordfence . com as they’ll be able to determine whether a wider site-cleaning is required.

    Remember to obscure/remove any passwords or keys/salts in any files you do send to us.

    Thanks,
    Peter.
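
An added example, not code from Wordfence or from either poster: the scan result prints line feeds as `\x0a`, so a literal search for the matched text finds nothing. This sketch converts those escapes back to bytes, locates the match in the file, and returns the line number and full statement to review. The sample file content and `PLACEHOLDER_PATH` are constructed, and the function names are hypothetical.

```python
import re

# Matched text exactly as the scan result on this page displays it.
MATCHED_TEXT = r"<?php\x0a/*25733*/\x0a\x0a@include"

# Constructed sample of a wp-config.php that would produce that match.
SAMPLE = (b"<?php\n/*25733*/\n\n@include 'PLACEHOLDER_PATH';\n\n"
          b"define( 'DB_NAME', 'example' );\n")


def unescape_match(text: str) -> bytes:
    """Turn the \\xNN escapes of a displayed match into the raw bytes they stand for."""
    return re.sub(rb"\\x([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  text.encode("utf-8"))


def locate(content: bytes, matched_text: str):
    """Return (line_number, statement) for the statement the match ends in, or None."""
    needle = unescape_match(matched_text)
    # Treat Windows line endings like the plain line feeds in the match.
    normalized = content.replace(b"\r\n", b"\n")
    start = normalized.find(needle)
    if start == -1:
        return None
    end_of_match = start + len(needle)
    # The statement starts on the last line the match reaches ...
    stmt_start = normalized.rfind(b"\n", 0, end_of_match) + 1
    # ... and runs to the next semicolon (or end of file if there is none).
    semi = normalized.find(b";", end_of_match)
    stmt_end = len(normalized) if semi == -1 else semi + 1
    line_number = normalized.count(b"\n", 0, stmt_start) + 1
    return line_number, normalized[stmt_start:stmt_end].decode("utf-8", "replace")


if __name__ == "__main__":
    hit = locate(SAMPLE, MATCHED_TEXT)
    if hit is None:
        print("matched text not found")
    else:
        print(f"line {hit[0]}: {hit[1]}")
```

To check a real file, read it in binary mode and pass the bytes to `locate` in place of `SAMPLE`.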

    Thread Starter marisakbrantley

    (@marisakbrantley)

    Hello @wfpeter,

    Ah, that’s why I can’t see it in VS Code. Good to know.

    The Wordfence scan doesn’t seem to give me the option to repair/remove the file. It says, “This is your main configuration file and cannot be deleted. It must be cleaned manually.”

    My site is backed up. I’ll be sending a copy to the email you provided.

    Thank you so much!

    Marisa

  • The topic ‘Malicious or Unsafe wp-config.php’ is closed to new replies.