I am helping someone sort out a site, it suddenly wanted to be installed instead of showing the site itself. I found that the wp-config.php file was missing.
Fortunately there was a backup and I restored the wp-config, about a week later it was deleted again.
This time I extracted the backup zip file to a directory so it would be easily available, copied the wp-config and got the site working.
Today the wp-config has disappeared again. But a ‘smoking gun’ is that the wp-config file in the backup directory has also gone. (yes, I still have the zip).
I suspect there is a plugin on the rampage targetting that file name. I have suggested a fresh install and reinstall all the plugins, it might come to that.
But before doing that, short of disabling them all, any suggestions on how to work out which one plugin it might be? Or what might be doing this?
1 Answer
The problem turned out to be that wp-config was infected with some sort of code. Typical of what you see at the top of infected .php files.
I have cxs running on the server and it was, quite rightly, detecting the malicious (I assume) code and quarantining the file.
When I restored the file, because I didn’t look at the content, I was restoring an infected file each time and cxs was doing its job.
It was pretty frustrating trying to work it out, something twigged for me last night. Hope this helps someone else.
