I have a bit of mystery. Maybe it's nothing. But Defender logged a change in wp-config.php that I didn't make and the host has nothing in their logs either. I was able to trace the IP back to my host. So the big question: how did that change to wp-config come about from what seems a system-internal IP address? Could any of the installed plugins have done that or does it point towards a hack?
I've attached a screenshot of the log entry. Full path and IP address are deleted though.
The wp-config.php itself doesn't show anything unusual. But then again, I assume it could be pretty useful, if somebody had a list of sites, where he/she knows they were able to access important files in the past for future endeavours.
There were also some different patterns for bots trying to log in with standard usernames and an old username from an old trial install that was not doing anything.
So this looks like it is a good idea to either never use the admin-user to publish anything or mask the login name for that user. Do you have any advice for that? I was going to edit the login name in wp_user. Is that good enough or am I missing something there? It just feels wrong to handout half the piece of the puzzle for an admin login if the login name is leaking from parts of the install.