• Resolved shawaj

    (@shawaj)


    Hi all,

    Noticed a file in the root of my wordpress install yesterday.

    It was called wp-config-db.cnf.php and inside it had my database login details (commented out) and something saying [mysqldump]

    Any ideas where this came from?

    Thanks

Viewing 9 replies - 1 through 9 (of 9 total)
  • Thread Starter shawaj

    (@shawaj)

    Also, just to add a bit more detail, the text inside the file looked like this:

    #!/usr/bin/env php
    #<?php /*
    [mysqldump]
    user={username}
    password={password}
    #*/?>

    Seems strange. Remove this file, as this is not a core file and a mysql dump file won't have a username and password.

    Follow the following article to make WordPress more secure, and scan your website with sitecheck.sucuri.com

    codex.www.ads-software.com/Hardening_WordPress

    Thread Starter shawaj

    (@shawaj)

    Thanks – have run the site through sucuri sitechecker already and it hasn’t found anything suspicious.

    Also, removed the file as soon as I saw it as I was worried.

    I am very keen to work out the root cause of the file though, as I am worried the site in question might have been compromised.

    Thanks

    I'll suggest scanning all files with a virus/malware scanner.

    Change your wp-admin password/FTP passwords and keep file permissions as recommended: https://codex.www.ads-software.com/Changing_File_Permissions

    Also update all plugins/themes you have on your website.

    If you find a file in your root that doesn’t belong there, your site has been hacked. Do you or your hosting company have a full backup of your site? The fastest and most sure way to repair your site is to restore from a backup made before the hack.

    Without a backup your only solution is to repair the site. Follow this guide.

    When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Thread Starter shawaj

    (@shawaj)

    Hi,

    Do you have a recommended virus/malware scanner? I found someone else who had this problem and they were running sucuri security and that did not flag anything.

    FTP and SSH are only accessible from my IP. All passwords changed.

    Plugins and themes are all up to date, as is WP itself.

    Thanks

    Thread Starter shawaj

    (@shawaj)

    @ wslade

    I have many backups – I use vaultpress and I also take manual backups every couple of weeks.

    The problem is this: I don’t know if a hack has even taken place, and even if I did, I do not know when it took place…so not sure what backup to restore.

    Sucuri does scan files that are publicly accessible and not all files on the server; for that you have to scan them via a malware scanner.

    I can recommend https://virusscan.jotti.org/en and I have used it a lot of times. Don't upload sensitive files like wp-config.php there though.

    FTP and SSH are only accessible from my IP. All passwords changed.

    This is a good thing, but someone was still able to upload a file. I hope you have an anti-virus or something similar on your system too.

    You should download your database and get it scanned too. Also check if any of your plugins has a known issue.

    The problem is this: I don’t know if a hack has even taken place, and even if I did, I do not know when it took place…so not sure what backup to restore.

    Did you notice the modification date next to the suspicious file? That would have been a clue, and you could have scanned all files on the server which were modified in that week and after that.
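The triage suggested in the reply above (take the suspicious file's modification date, then review everything changed in that week and after), as an added example that is not part of the original thread. The function names, the seven-day default and the sample tree are assumptions made for the illustration.

```python
import os
import stat
import tempfile
import time

WEEK = 7 * 24 * 3600  # assumed review window before the reference time

def modified_since(root, reference_time, lead=WEEK, use_ctime=False):
    """List regular files under root changed at or after reference_time - lead.

    Returns sorted (timestamp, relative_path) tuples. With use_ctime=True the
    Unix inode change time is also considered, which utime()/touch cannot backdate.
    """
    cutoff = reference_time - lead
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)           # lstat: do not follow symlinks
            except OSError:
                continue                      # vanished or unreadable: skip
            if not stat.S_ISREG(st.st_mode):
                continue
            stamp = max(st.st_mtime, st.st_ctime) if use_ctime else st.st_mtime
            if stamp >= cutoff:
                hits.append((stamp, os.path.relpath(path, root)))
    return sorted(hits)

def build_sample_tree(root, now):
    """Constructed sample data: three files with chosen modification times."""
    ages = {
        "wp-config-db.cnf.php": 0,                      # unexpected file, just written
        "wp-content/plugins/example/x.php": 3 * 86400,  # changed three days earlier
        "wp-includes/old.php": 400 * 86400,             # mtime over a year old
    }
    for rel, age in ages.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.utime(path, (now - age, now - age))          # set atime and mtime

if __name__ == "__main__":
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, now)
        for stamp, rel in modified_since(root, now):
            print(time.strftime("%Y-%m-%d %H:%M", time.localtime(stamp)), rel)
```

With `use_ctime=True` the listing also includes files whose modification time was set back, because the inode change time still records when they were last written.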

    Thread Starter shawaj

    (@shawaj)

    Crisis over, it seems it was from VaultPress plugin:

    > Could your plugin have made a file in the root of my wordpress install
    > called wp-config-db.cnf.php ?
    >

    Yes — we use this file to pass MySQL credentials to your MySQL process during restores. If you’re concerned about it, you can delete it, and we’ll regenerate one when we attempt a restore.

    Best,
    Chris

    Automattic | WordPress.com | VaultPress

  • The topic ‘wp-config-db.cnf.php file?’ is closed to new replies.