What can an attacker do if he has access to my wp-config file?

wp-config.php is an important file of the WP installation. It acts as a bridge between the WP file system and the MySQL database. wp-config.php contains the database connection credentials. Apart from this, it can also be used for:

  • Defining the security keys.
  • To specify the database prefix.
  • To set the default language for your admin panel.

If you have been hacked I recommend looking at: https://codex.wordpress.org/FAQ_My_site_was_hacked

Related Posts:

  1. Best practice for versioning wp-config.php?
  2. Password in wp-config. Dangerous?
  3. What’s the difference between WP_MEMORY_LIMIT and WP_MAX_MEMORY_LIMIT?
  4. Turn Off Automatic Trash Deletion?
  5. How can I change preview URL?
  6. Override the wp_siteurl and wp_home not work
  7. Changing WP_CONTENT_DIR and WP_CONTENT_URL in wp-config.php does not register?
  8. Missing a temporary folder despite settings in wp-config.php
  9. How to use live images on local install?
  10. Syntax of FS_CHMOD_DIR and FS_CHMOD_FILE
  11. WordPress PHP error handling and reporting in production environment
  12. Declaratively Configuring WordPress in XML or JSON or YAML
  13. WP_MEMORY_LIMIT didn’t work in wp-config
  14. How to set up gmail SMTP in WordPress
  15. error:-Cannot modify header information – headers already sent by
  16. Changing HTTP URL Port
  17. wp-config.php file permissions
  18. How to update WordPress from the latest trunk
  19. how to use is_admin in wp-config.php
  20. Locked out of WordPress Site Admin after enabling Force SSL on WordPress Https (SSL)
  21. Set wp-content folder to Dropbox folder
  22. Including a 3rd party library in WordPress which needs to be accessible by wp-config
  23. wp-config.php being deleted
  24. Get WP CLI to hide debug warnings and notices in JSON output, same setting as website
  25. Installation Issue WordPress locally – The file ‘wp-config.php’ already exists
  26. What is this file: wp-config-wpe.php?
  27. enable SFTP via SSH keys in wordpress
  28. html lang=”” instead of lang=”en-us” – why?
  29. Why do I get a WAMP homepage when clicking on specific website’s URL on LocalHost?
  30. Creating the wp-config.php file manually
  31. What Does this Code Snippet Do?
  32. WP_Debug not displaying anything
  33. Can I delete `wp-config-sample.php` after installing and configuring WordPress?
  34. How to reliably set file/folder permissions?
  35. Multiple wp-config.php files in one home directory
  36. Why edits to wp-config.php must come before “That’s all” comment
  37. error log cluttered with undefined DB_USER wp-admin/setup-config.php
  38. How to stop fatal error when loading theme template file directly
  39. Should I change wp-config for SSL?
  40. Out of memory errors : how best to track them down
  41. Redefine cookie domain for subdomains
  42. Error in database connection [closed]
  43. Update wp-config.php and lost pages
  44. Conflict with wp_homeurl, wp_siteurl and admin interface settings
  45. error messages in dashboard login
  46. where should I write constants in wordpress?
  47. Issues copying site into local machine
  48. Autosave interval remains default despite wp-config.php defines
  49. Carriage Return control character (^M) found in wp-config-sample.php
  50. Are the wordpress settings (abspath, disable core updates) added by SiteGround of any use after I’ve migrated to a different host?
  51. Need help fixing my wp-config file [closed]
  52. Why was my new WordPress installation’s config page publicly viewable when first installed?
  53. WP_MEMORY_LIMIT didn’t work in wp-config, only within default-constants.php
  54. Cookie set without HttpOnly flag
  55. Changing the wp-config.php broke the site
  56. Publishing WordPress from stage to production server
  57. Define option outside wp-config.php (on WordPress.com)
  58. Site lost all formatting when I attempted to migrate to Bluehost [closed]
  59. Moving wp-config.php one level up – 500 error – Nginx [closed]
  60. How can I configure an SMTP Server?
  61. What should index.php contain on Synology NAS to get external access to WordPress to work?
  62. Remote server does not read `WP_HOME` from wp-config.php when local server does
  63. IP addresses to block to stop WP auto-update?
  64. Not showing old migrated content in website
  65. How to rename the wp-config.php file once under version control?
  66. Read wp-config without loading the rest of WordPress – i.e. wp-settings, etc
  67. Proper way to have multiple installs with a single database
  68. How turn on error reporting without reset?
  69. WordPress installed on a Sub-directory
  70. Editing wp-config.php file asks for another installation
  71. $post->id vs $post->ID problem after using WordPress config bootstrap
  72. ABSPATH not defined?
  73. How to stage a redesigned site on a new webhost while the original site is still live? [closed]
  74. WordPress login redirection not working on Nginx root directory
  75. Plesk login inaccessible after changing site URL
  76. Need help re-connecting local WP-config file to local database
  77. Change of “home” results in timeouts (only on index.php)
  78. wp-config.php randomly will reset to wp-config-sample.php
  79. WP_SITEURL vs WP_HOME link output
  80. How to fix wp-login.php gives error 500 after migration?
  81. Change default wordpress FS owner
  82. Define new constants in wp-config
  83. sudden changing of host IP result in crash of the site
  84. Can you define readability settings in wp-config.php?
  85. Can wp-config move cause dashboard not to load?
  86. Unable to change WordPress language (WordPress 4.2.2)
  87. PressPi (WordPress) Broken Layout
  88. How to change WordPress theme file path to a remote server?
  89. Why is WordPress not using $_SERVER[‘SERVER_NAME’] for ‘WP_SITEURL’ and ‘WP_HOME’ as default?
  90. WordPress Redirect on Name Change
  91. Is there any reason why using the same wp-config file might not work in MAMP?
  92. Best function/method to access wp-config?
  93. WordPress still requires FTP information
  94. “Cannot modify header information” warning?
  95. Why would changing ports from 80 to 8080 cause wordpress to act unexpectedly?
  96. Change URL when visiting wordpress site
  97. max_input_vars not updating through wp-config
  98. Disabling zlib compression and enforcing gzip
  99. Can WP-CLI modify database connection details in existing wp-config file?
  100. How to specify server path in code?