I would do the following things –
1) Check if any malicious content lives on the site. You can use free tools like – https://sitecheck.sucuri.net/
2) Change folder permission of your WordPress installation to 755 if it’s not set to that already. Also change the wp-config.php file permission to 755 to be on the safe side.
3) You can also try to protect wp-config.php file by using the following rule in your .htaccess file. You have to put it at the bottom of the file; after all other rules
<files wp-config.php>
order allow,deny
deny from all
</files>