Defender log entry: wp-config.php has changed - but not by my doing.


I have a bit of mystery. Maybe it's nothing. But Defender logged a change in wp-config.php that I didn't make and the host has nothing in their logs either. I was able to trace the IP back to my host. So the big question: how did that change to wp-config come about from what seems a system-internal IP address? Could any of the installed plugins have done that or does it point towards a hack?
I've attached a screenshot of the log entry. Full path and IP address are deleted though.
The wp-config.php itself doesn't show anything unusual. But then again, I assume it could be pretty useful, if somebody had a list of sites, where he/she knows they were able to access important files in the past for future endeavours.

There were also some different patterns for bots trying to log in with standard usernames and an old username from an old trial install that was not doing anything.

So this looks like it is a good idea to either never use the admin-user to publish anything or mask the login name for that user. Do you have any advice for that? I was going to edit the login name in wp_user. Is that good enough or am I missing something there? It just feels wrong to handout half the piece of the puzzle for an admin login if the login name is leaking from parts of the install.


  • Patrick

    Hi there Peter

    I hope you're well today!

    It's recommended to change the salts in your wp-config.php on a regular basis. If you have enabled the Update old security keys feature under Defender > Hardener, is that perhaps what has changed?

    As for the default admin username, it is highly recommended to not use that, ever. Even WordPress cautions against it when it's being installed. :slight_smile:

    Defender also has an option to change that in the Hardener options: Change default admin user account

    And if you notice regular bot activity, you can add those suspicious IP addresses to the blacklist under Defender > IP Lockouts.

  • Peter

    Hi Partrick,

    I don't know the exact settings I picked for the salts etc. but I had literally just installed WP and set up Defender. While having Defender scan the system I tried a few other things but then I got an internal server error and decided to call it a day. Next day (today) I checked the logs and found that entry and couldn't quite place it. Changing salts should not have been on the table for another 60 days.

    Default user name: I've never used any default names. I was rather wondering if you set up an administrator and that account publishes posts e.g. you can read this name in the meta data for the posts. Which then leaves half the puzzle to any possible hack. So I was going to change the login name for that account or only use a regular account without admin access to publish.

    What's the needed minimum and what's overkill?


  • Patrick

    Hi again Peter

    Sure, using a regular user account to publish stuff is a good idea. You can thus mask your activities to the casual visitor or lazy hacker. But you should know that the login name does not appear in post meta-data; it's the display name that appears there. However, if you haven't set your display name in your wp-admin profile, then your WordPress defaults to what it has.

    Pro hackers wouldn't even bother with the front-end of your site though; they'll try to hit your site (or any WordPress site for that matter) programmatically by targeting known or suspected file names.

    And that's why I really like one of the handy one-click features under Defender > Hardener: Prevent PHP execution. That adds an .htaccess file to all directories that shouldn't be fiddled with so bots can't get in to mess with them.

    I would also recommend acting on all recommendations on the Hardener screen; that's really the minimum.

  • Peter

    Hi Patrick,

    thanks for the background information. It's probably one of those things: Deep down you know, that a pro hacker will go directly for the kill somewhere deep in the system. But when you watch the Defender logs you get paranoid when you see that some bot is on a fishing spree trying to log into your backend.

    I still haven't been able to solve the mystery of the wp-config.php access. My host is unwilling or incapable of logging what proccess is actually gaining access to the file. Is there any way I can log that myself if I create localhost install myself and then see what happens?

    I personally suspect it to be Defender. But you know.... it just feels better to know than to guess. And it's going to be a Buddypress community site not just a blog. Feels like I owe a little more due diligence there.
    And yes. I just like to learn and know.

    And maybe you have some more advice for me to keep Buddypress safe on top of using Defender.

  • Patrick

    Hi again Peter

    Oof! BuddyPress security is a whole other can of worms... and a big one to boot. :wink:

    While BuddyPress/WordPress does have a slew of built-in security measures to prevent your site from going kaflooey, you're basically opening it up to any Tom, Dick or Harry who wants to register and post whatever he can, and making it real easy for him to do it.

    At the very least, you'll want to install some additional basic measures like a captcha on the registration form as BP registration attracts spambots like honey does bears. This is a nice simple one that gets that job done:

    You'll also want to tighten up your activity streams just in case bots do get through. See this article on our blog for more on that:

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.