security DigitalFixes
Database Security for WordPress: protecting wp-config.php and admin users, securing sensitive data after cleanup on a laptop
WordPress Security

Database Security for WordPress: Protecting wp-config.php, Admin Users, and Sensitive Data After Cleanup

May 21, 2026

One thing I’ve learned from cleaning hacked WordPress sites: removing malware isn’t the hard part. The hard part is making sure the database can’t be abused again right after you “fix” the visible files.

Database Security for WordPress is the difference between a site that stays clean for months and a site that gets reinfected in days. The biggest weak spots are often wp-config.php, your admin users, and the “hidden” stuff stored in the database like password resets, plugin settings, and injected admin accounts.

Below is a practical, step-by-step guide I use after cleanup. It’s written for small business sites that want clear actions, not vague advice.

Database security after malware removal: the fastest path back to a clean site

The takeaway: Your database keeps secrets. If an attacker touched it, you must treat it like it’s still compromised.

After cleanup, you’re usually focused on file changes: hacked themes, backdoors in PHP files, or weird scripts. But most reinfections I’ve seen happen because attackers also altered database entries—especially user records, scheduled tasks, and plugin options.

Database security for WordPress refers to how you lock down access to the database and how you verify the database still matches what your site should have. It includes hardening your WordPress database users, changing credentials if needed, and checking for “poisoned” settings.

In 2026, the most common failure pattern is this: someone removes the obvious malware, then reuses the same database credentials and keeps admin accounts unchanged. If the attacker got the database once, they often keep the access.

Protect wp-config.php and stop database credential leaks

The takeaway: wp-config.php is the key—because it contains database connection details. If it leaks, the attacker doesn’t need your files.

wp-config.php is WordPress’s main config file. It stores the database name, database user, and a database password (sometimes rotated after a hack). Even if the rest of the site looks clean, stolen credentials can give attackers a clean route back inside.

What to check in wp-config.php right after cleanup

The takeaway: Verify secrets first, then lock down file access.

  1. Confirm DB constants: In wp-config.php, check DB_NAME, DB_USER, and DB_PASSWORD. Don’t paste these values into notes or screenshots.
  2. Ensure salts are correct: WordPress salts are keys used to sign sessions and cookies. If salts were changed during an attack, logins can behave strangely or stay “hijackable.” Regenerating salts fixes a lot of weirdness.
  3. Look for hidden includes: Attackers sometimes add lines like include, require, or base64 decode calls. Use a diff tool against your last known clean backup if you have one.
  4. Check file permissions: wp-config.php should not be world-readable. Typical safe settings are 640 or 600 depending on your server setup. If you’re not sure, ask your host for the recommended permission mode.

When I do this on real client sites, I also check whether wp-config.php got copied somewhere else. For example, I’ve seen wp-config.php replicated into uploads folders. If you find duplicates, remove them and search the whole site for “DB_PASSWORD” patterns.

Regenerate WordPress salts (and what it does)

The takeaway: Rotating salts forces logout and makes stolen cookies less useful.

WordPress salts are extra secret keys used to secure sessions. If an attacker can steal them (or trick WordPress into using modified values), they can extend access. Regenerating salts forces users to re-login and breaks old session tokens.

After cleanup, I recommend regenerating salts if there was any chance of database tampering or if an attacker added hidden code to config files.

Important: Regenerating salts can log out users. Plan this during a low-traffic time if you have multiple admins.

Lock wp-config.php from web access

The takeaway: File protection is cheap and it stops a lot of bot scans.

Most hosts already block direct access to wp-config.php, but you should still confirm. If your server supports it, ensure you have the right .htaccess rules (Apache) or the equivalent for your server (Nginx).

What you’re aiming for is simple: requesting wp-config.php from the browser should return a 403 or 404, not the file contents.

Secure admin users: find injected accounts and lock down roles

Security analyst reviewing WordPress admin users on a computer screen
Security analyst reviewing WordPress admin users on a computer screen

The takeaway: If the database is touched, admin users are usually the next place attackers hide.

After cleanup, I always audit WordPress users before I celebrate. Attackers often add a new admin user with a real-looking username, or they change roles and capabilities so the original admin still “looks” normal.

Run a clean user inventory (and compare it to your expectations)

The takeaway: You can’t protect what you can’t list.

  • Open the WordPress admin dashboard → Users → All Users.
  • Look for accounts you didn’t create. Also check “user roles” (Administrator, Editor, Author, etc.).
  • Check for unusual usernames and display names. Attackers often use generic names like “support” or random strings.

Then verify the email addresses for those accounts. A lot of “fake admins” use disposable or look-alike inboxes.

Recheck password resets, email changes, and usermeta

The takeaway: Some attacks don’t add new users—they change account behavior.

WordPress stores extra user details in the database. If the attacker touched usermeta, you may see weird sessions, forced password resets, or altered capabilities.

In many incidents, you’ll find clues in:

  • User sessions and tokens
  • Recent password resets
  • Role and capability settings

If you have access to phpMyAdmin or your host’s database tool, check user records for timestamps and changes around the time the hack happened.

If you don’t have that access, you can still reduce risk by forcing logout and rotating passwords for all admin accounts.

Force all users to re-login after cleanup

The takeaway: Stale sessions are a common reinfection route.

After you regenerate salts, users should be logged out. Then ask every admin to change their password. Don’t do “small tweaks” like changing one character—use a new strong password generated by a password manager.

For real-world client sites, I’ve seen return attacks triggered by one admin reusing the same password from another website. That reuse gives attackers an entry point even if your WordPress files are clean.

Database Security for WordPress: audit options, cron jobs, and injected settings

Close-up of server log screen showing automated scheduled tasks
Close-up of server log screen showing automated scheduled tasks

The takeaway: Your database stores more than posts and pages—it stores settings that can bring malware back.

When attackers gain database access, they often change WordPress options. These options can add code execution via plugin settings, insert scripts into headers, or create hidden scheduled jobs.

Check wp_options for suspicious values

The takeaway: Look for “code-like” strings in plain settings.

The wp_options table is where WordPress stores options for plugins and themes. After cleanup, search for values that include:

  • base64_
  • eval(
  • gzinflate(
  • URL patterns pointing to strange domains
  • Long one-line strings that don’t look like normal text

Also check for option keys that sound harmless but are dangerous in context, like “cache,” “analytics,” or “tracking.” Attackers sometimes place webshell-like instructions into “tracking” options because you won’t notice during a quick theme review.

Inspect cron jobs (wp_cron) and scheduled events

The takeaway: Cron hooks are a common “set and forget” backdoor.

WordPress uses scheduled tasks (cron events). If an attacker created an event that runs every hour or every day, the malware can reappear without any files being changed again.

In the database, look for scheduled events tied to plugin actions that you don’t recognize. Then remove the event and disable the related plugin if you’re unsure.

Most reinfection reports come down to this: the cleanup removed the visible script, but the attacker already created a scheduled trigger that brought it back.

Lock down database access: users, passwords, and permissions

The takeaway: If your database user is too powerful or has a weak password, file cleanup won’t save you.

Database security for WordPress isn’t only about WordPress tables. It’s also about the MySQL/MariaDB account WordPress uses to connect.

Use a strong database password and rotate it when in doubt

The takeaway: Rotate credentials when there’s any sign of database tampering.

If you saw evidence of database changes—new users, altered options, suspicious scheduled tasks—assume the database password was exposed at least once. In that case, you should:

  1. Create a new strong password for the database user.
  2. Update wp-config.php with the new password.
  3. Restart/verify WordPress still connects to the database.

One small tip I use: rotate the database password even if the site “looks fine” after cleanup. It’s cheaper than re-cleaning a reinfected site.

Limit privileges on the database user

The takeaway: The WordPress database account should not have admin-level power.

In a perfect setup, the WordPress database user has only the permissions needed for the site to run. That means it can read/write its tables, but it shouldn’t be able to do everything on the server.

Exact permissions depend on your host, but if you manage your own server, avoid granting broad privileges like SUPER or unnecessary global rights to the WordPress user.

Turn off remote database access unless you really need it

The takeaway: Remote access is an attack surface.

Some setups allow database connections from outside the server. If you don’t need it, disable remote connections or restrict them to your IP addresses. In 2026, a lot of attacks come from bots scanning open database ports.

Compare common post-cleanup mistakes (and what I do instead)

The takeaway: Most people redo the wrong thing after they clean a hack.

Here’s a quick comparison based on what I’ve seen across multiple cleanups.

Post-cleanup mistake Why it’s risky Better approach
Remove hacked files only Database settings and cron jobs can bring it back Also audit wp_options and scheduled events
Keep admin users unchanged Attackers create or modify users for future access Inventory users, reset passwords, regenerate salts
Reuse the same database password If creds leaked once, attacker can re-enter Rotate DB password and update wp-config.php
Don’t check wp-config.php for injected code Small changes can restore access without obvious malware Diff against backups and confirm no includes/evals were added
Assume plugins are safe after updating Settings inside the DB can still hold bad values Review plugin options and remove unknown scheduled events

People Also Ask: common questions about WordPress database security

How do I know if my WordPress database was compromised?

The takeaway: You don’t guess—use signals.

You can suspect database compromise when you notice admin users you didn’t create, login behavior that feels “off,” new scheduled tasks, or sudden changes to plugin settings. You might also see content inserted into pages without editing from the dashboard.

On the database side, look for:

  • Changes in wp_users around the hack time
  • Suspicious option values in wp_options
  • Unusual cron schedules
  • Odd URLs in options that don’t match your site’s normal tools

If your host offers database query logs or you have access to server logs, compare the timestamps to your cleanup window.

Should I change wp-config.php after a hack?

The takeaway: Yes, at least for secrets.

If there’s any chance the attacker touched database credentials or salts, you should rotate secrets in wp-config.php. That means regenerating WordPress salts and updating the database password if you suspect credential exposure.

Also confirm no extra code was added. A tiny injected line can create a backdoor without changing how pages look.

If you have a clean backup, diff wp-config.php against it. That’s the quickest way to spot “one-line” attacks.

Does changing the WordPress admin password remove a database backdoor?

The takeaway: Not by itself.

Changing an admin password is important, but it doesn’t remove database-level access that the attacker set up. If they created new admin users, changed roles, or added scheduled tasks, your password change won’t stop the behavior.

That’s why the right fix is layered: reset passwords, regenerate salts, audit users, and check wp_options and cron jobs.

What’s the best security step after cleanup: files or database?

The takeaway: After cleanup, you must do the database too.

Files are visible and easy to scan. The database is where attackers hide persistence. If you do files-only cleanup, you can still get hit again when a cron job runs or when injected options keep executing.

As a rule I follow: if a site was compromised enough to require cleanup, I treat database hardening as mandatory.

My post-cleanup checklist for Database Security for WordPress

The takeaway: You need a clear order so you don’t miss something.

Here’s the exact sequence I use in 2026 when a small business site gets cleaned after a WordPress hack. It’s built to reduce reinfection risk fast.

Step-by-step

  1. Take a full backup of files and the database. Keep it before making changes.
  2. Confirm wp-config.php integrity: compare against a clean backup, check for injected includes/evals, and confirm file permissions.
  3. Regenerate WordPress salts and plan for admin re-logins.
  4. Rotate all admin passwords (use a password manager; no reuse).
  5. Inventory WordPress users: remove any accounts you didn’t create.
  6. Check wp_options for suspicious values (base64/eval/url strings, unexpected long blobs).
  7. Inspect scheduled events and remove unknown cron hooks.
  8. Rotate the database password used in wp-config.php if there’s any sign of database tampering.
  9. Restrict database access (disable remote access unless required; limit IPs if possible).
  10. Re-scan files and run a security check again after changes. Don’t stop at the first scan.
  11. Monitor logs for a few days after cleanup. Look for repeated login failures and unusual requests.

How long should you monitor after cleanup?

The takeaway: Give it time—especially for sites with lots of plugins.

I typically recommend monitoring for at least 72 hours after cleanup. If the site is heavily targeted or has many plugins, I’ll stretch it to 7 days. Reinfections often happen quickly when cron tasks are still active or when credentials weren’t rotated.

Tools and hardening tips that pair well with database security

The takeaway: Good tools help you catch future damage, but they don’t replace cleanup.

For WordPress hardening (and to support the database work), these are the types of tools I commonly pair with post-cleanup audits:

  • Web application firewall (WAF): helps block common probes and basic bot attacks.
  • File integrity monitoring: alerts you if wp-config.php or core files change again.
  • Login protection: rate limiting and 2FA reduce brute force attacks.
  • Backups with versioning: gives you a clean “point in time” restore.

When clients ask what I recommend, I usually start with their host’s security stack and only add plugins after we clean and verify the database.

If you want more cleanup and hardening context, you might like our guides in these categories: Malware Removal and WordPress Security. You can also read our case write-ups in Hack Case Studies to see patterns we keep finding across different sites.

Related reading you can use alongside this guide:

  • WordPress malware removal checklist you can trust
  • WordPress hardening tips for admin security
  • Hack case study: how attackers reinfected via database options

When to stop DIY and get help

The takeaway: If you can’t safely access the database, don’t guess.

If your host doesn’t give you database tools, or you don’t know how to safely check wp_options and scheduled events, you can still secure things by rotating admin passwords, regenerating salts, and tightening file access. But you might miss the root cause if the database was the persistence layer.

I recommend professional help when you see any of these:

  • Multiple reinfections after “cleanup”
  • New admin users appearing again
  • Unknown scheduled tasks you can’t trace
  • Suspicious wp-config.php changes you can’t confidently undo

In my experience, guessing is what costs time. A careful database audit ends reinfection loops faster.

Conclusion: database security is the final step that keeps WordPress clean

The takeaway: After cleanup, your database decides whether the site stays safe.

To protect WordPress after a hack, you need more than cleaned files. You must secure wp-config.php (permissions and secrets), audit and lock down admin users (remove injected accounts, reset passwords, regenerate salts), and check sensitive database settings like wp_options and scheduled events.

If you do these steps in order—and monitor for at least 72 hours—you turn cleanup into true recovery. And that’s the goal: not just a website that looks fixed, but one that can’t be quietly taken over again through the database.

Featured image alt text: Database Security for WordPress checklist showing wp-config.php, admin user audit, and wp_options review