The web installer writes configuration data into that file. It needs write access for that.
I don’t think this was your backdoor. There was probably a plugin or an old theme with timthumb that had a vulnerability.
Related Posts:
- Malware/Permission bug removal?
- Is moving wp-config outside the web root really beneficial?
- Prevent access or auto-delete readme.html, license.txt, wp-config-sample.php
- Generate WordPress salt
- Garbage in beginning of wp-config.php – was this WP installation compromised?
- Securing a multi-user permission structure
- How does the “authentication unique keys and salts” feature work?
- Securing wp-config leads to sensitive information leak on wp-settings
- Is there any point setting the keys and salts in wp-config.php?
- What’s the point of forbidding access to wp-config.php?
- Where to store OAuth 2.0 client id and secret?
- What permissions should I give directories if I want to make WordPress more secure?
- Definitive wordpress directory ownership and permissions on linux
- How to change permissions of WordPress and/or apache on macOS securely?
- Config file with no Keys..?
- White screen of death on admin pages after moving wp-config up two levels for security
- Storing FTP details in wp-config.php
- On new server, site got hacked, permissions a bit strange? Please help
- Privilege escalation bugs in 2.9?
- My Site keeps crashing due to the wp-confg file being deleted
- Moving wp-config.php outside root folder where we have multiple wordpress websites for enhanced security [duplicate]
- How to change location of wp-config.php to folder or 2 folders up?
- Adding Security Keys?
- wp-content – permissions for files/folders created by apache
- Remove hacked code – out of ideas! [closed]
- Secret keys in SCM
- wp-config.php moved above root results in no plugin updates
- Avoid ‘uploads’ 777 permissions: Potential threat or clean solution?
- Should I change the default file and folder permissions?
- Folder Permissions + Security Concerns
- wp-config.php file and code injection
- Move data from wp-config to another file
- SSL Error: unable to get local issuer certificate
- When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site? [closed]
- Why does the URL http://a/%%30%30 crash Google Chrome?
- When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site?
- Can an attacker use inspect element harmfully?
- Where does Internet Explorer store saved passwords?
- What security concerns should I have when setting FS_METHOD to “direct” in wp-config?
- WordPress 4.7.1 REST API still exposing users
- Should I escape wordpress functions like the_title, the_excerpt, the_content
- When to use esc_html and when to use sanitize_text_field?
- Why does WordPress have more than one salt?
- What is the ideal setup to address security concerns?
- Will there be security updates for 3.1 once 3.2 is released?
- WordPress it’s cleaning a custom query_var to avoid sql injections?
- Tips for finding SPAM links injected into the_content
- Is WordPress vulnerable to the httpoxy?
- Prevent setup-config.php page from appearing when host blocks database
- wp.getUsersBlogs XMLRPC Brute Force Attack/Vulnerability
- WordPress and Security
- Is there a security risk giving someone temporary access to my blog’s code?
- How to properly sanitize/secure a WP Query coming from the front end
- brute force attack even though it is limited by IP
- What should I do about hacked server?
- Which WordPress scripts need to be executable for a fresh installation?
- Auth cookie value security risk?
- Restricting user login by IP address
- How can I safely use $_SERVER[‘REQUEST_URI’] to avoid XSS?
- Dangers to allowing Access-Control-Allow-Origin: * for Feeds only?
- Moving away from MD5: Where to declare the custom global $wp_hasher?
- Changing Table Prefixes – once done, am I good to go going forward?
- Should I disable directory listing for wp-includes?
- Safety side of storing emoji into database
- How can I safely hide the fact that my website runs on WordPress? [closed]
- Cannot execute php files in wp-content
- Can I Remove xmlrpc.php completely?
- Are un-sanitized theme options more vulnerable to malicious scripts than the theme editor?
- Secure WordPress: Change admin
- Changing the default header name
- Is it safe to use a global wp nonce per user instead of a nonce per action?
- Wordfence detects change in wp-admin/includes/upgrade.php
- Will there be security updates for WordPress 4.9.9
- Can a WordPress administrator see other users’ passwords?
- Why my plugins are updating automatically?
- Any known bugs that could cause disappearance of the wp_users table?
- 404/500 error on content images if Referer header is from another domain [closed]
- Restrict Access without Creating Users
- Switching between security plugins is a risk?
- How to obfuscate wp-config.php or code
- wordpress admin security
- Why do people use “admin” username by default? [closed]
- Are major WordPress updates mandatory for security?
- i moved wp-config.php outside of public html and this broke my website
- Is it safe to use the basic administration with reduced rights for private member space
- Verifying that I have fully removed a WordPress hack?
- Robots.txt file not updating
- wordpress security (only one part of the site)
- What are WordPress Current Security Issues in 2017?
- Password-protect feed and make it usable in major aggregators
- Could a user account with a stolen password compromised entire WP site?
- how to find the way they hacked my WP site
- is this code properly secured
- nginx + wordpress: Best practices for configuring it to be secure, reliable, and fast? [closed]
- How to get real password (before encrypt) when register a user?
- How do you search for backdoors from the previous IT person?
- Possible to change email address in keypair?
- Why is SSH password authentication a security risk?
- Is wp-cron.php vulnerable to external attacks and how to protect it?
- How to address security vulnerabilities: LUCKY13, BEAST, and BREACH