Default installation permissions for wp-config.php

The web installer writes configuration data into that file. It needs write access for that.

I don’t think this was your backdoor. There was probably a plugin or an old theme with timthumb that had a vulnerability.

Related Posts:

  1. Malware/Permission bug removal?
  2. Is moving wp-config outside the web root really beneficial?
  3. Prevent access or auto-delete readme.html, license.txt, wp-config-sample.php
  4. Generate WordPress salt
  5. Garbage in beginning of wp-config.php – was this WP installation compromised?
  6. Securing a multi-user permission structure
  7. How does the “authentication unique keys and salts” feature work?
  8. Securing wp-config leads to sensitive information leak on wp-settings
  9. Is there any point setting the keys and salts in wp-config.php?
  10. What’s the point of forbidding access to wp-config.php?
  11. Where to store OAuth 2.0 client id and secret?
  12. What permissions should I give directories if I want to make WordPress more secure?
  13. Definitive wordpress directory ownership and permissions on linux
  14. How to change permissions of WordPress and/or apache on macOS securely?
  15. Config file with no Keys..?
  16. White screen of death on admin pages after moving wp-config up two levels for security
  17. Storing FTP details in wp-config.php
  18. On new server, site got hacked, permissions a bit strange? Please help
  19. Privilege escalation bugs in 2.9?
  20. My Site keeps crashing due to the wp-confg file being deleted
  21. Moving wp-config.php outside root folder where we have multiple wordpress websites for enhanced security [duplicate]
  22. How to change location of wp-config.php to folder or 2 folders up?
  23. Adding Security Keys?
  24. wp-content – permissions for files/folders created by apache
  25. Remove hacked code – out of ideas! [closed]
  26. Secret keys in SCM
  27. wp-config.php moved above root results in no plugin updates
  28. Avoid ‘uploads’ 777 permissions: Potential threat or clean solution?
  29. Should I change the default file and folder permissions?
  30. Folder Permissions + Security Concerns
  31. wp-config.php file and code injection
  32. Move data from wp-config to another file
  33. SSL Error: unable to get local issuer certificate
  34. When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site? [closed]
  35. Why does the URL http://a/%%30%30 crash Google Chrome?
  36. When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site?
  37. Can an attacker use inspect element harmfully?
  38. Where does Internet Explorer store saved passwords?
  39. What security concerns should I have when setting FS_METHOD to “direct” in wp-config?
  40. WordPress 4.7.1 REST API still exposing users
  41. Should I escape wordpress functions like the_title, the_excerpt, the_content
  42. When to use esc_html and when to use sanitize_text_field?
  43. Why does WordPress have more than one salt?
  44. What is the ideal setup to address security concerns?
  45. Will there be security updates for 3.1 once 3.2 is released?
  46. WordPress it’s cleaning a custom query_var to avoid sql injections?
  47. Tips for finding SPAM links injected into the_content
  48. Is WordPress vulnerable to the httpoxy?
  49. Prevent setup-config.php page from appearing when host blocks database
  50. wp.getUsersBlogs XMLRPC Brute Force Attack/Vulnerability
  51. WordPress and Security
  52. Is there a security risk giving someone temporary access to my blog’s code?
  53. How to properly sanitize/secure a WP Query coming from the front end
  54. brute force attack even though it is limited by IP
  55. What should I do about hacked server?
  56. Which WordPress scripts need to be executable for a fresh installation?
  57. Auth cookie value security risk?
  58. Restricting user login by IP address
  59. How can I safely use $_SERVER[‘REQUEST_URI’] to avoid XSS?
  60. Dangers to allowing Access-Control-Allow-Origin: * for Feeds only?
  61. Moving away from MD5: Where to declare the custom global $wp_hasher?
  62. Changing Table Prefixes – once done, am I good to go going forward?
  63. Should I disable directory listing for wp-includes?
  64. Safety side of storing emoji into database
  65. How can I safely hide the fact that my website runs on WordPress? [closed]
  66. Cannot execute php files in wp-content
  67. Can I Remove xmlrpc.php completely?
  68. Are un-sanitized theme options more vulnerable to malicious scripts than the theme editor?
  69. Secure WordPress: Change admin
  70. Changing the default header name
  71. Is it safe to use a global wp nonce per user instead of a nonce per action?
  72. Wordfence detects change in wp-admin/includes/upgrade.php
  73. Will there be security updates for WordPress 4.9.9
  74. Can a WordPress administrator see other users’ passwords?
  75. Why my plugins are updating automatically?
  76. Any known bugs that could cause disappearance of the wp_users table?
  77. 404/500 error on content images if Referer header is from another domain [closed]
  78. Restrict Access without Creating Users
  79. Switching between security plugins is a risk?
  80. How to obfuscate wp-config.php or code
  81. wordpress admin security
  82. Why do people use “admin” username by default? [closed]
  83. Are major WordPress updates mandatory for security?
  84. i moved wp-config.php outside of public html and this broke my website
  85. Is it safe to use the basic administration with reduced rights for private member space
  86. Verifying that I have fully removed a WordPress hack?
  87. Robots.txt file not updating
  88. wordpress security (only one part of the site)
  89. What are WordPress Current Security Issues in 2017?
  90. Password-protect feed and make it usable in major aggregators
  91. Could a user account with a stolen password compromised entire WP site?
  92. how to find the way they hacked my WP site
  93. is this code properly secured
  94. nginx + wordpress: Best practices for configuring it to be secure, reliable, and fast? [closed]
  95. How to get real password (before encrypt) when register a user?
  96. How do you search for backdoors from the previous IT person?
  97. Possible to change email address in keypair?
  98. Why is SSH password authentication a security risk?
  99. Is wp-cron.php vulnerable to external attacks and how to protect it?
  100. How to address security vulnerabilities: LUCKY13, BEAST, and BREACH