Guide

WordPress wp-config.php was modified — how to detect unauthorized changes

You opened your WordPress site this morning and something is off. Maybe redirects to a sketchy domain. Maybe a strange admin user you do not recognise. Maybe nothing visible — just a gut feeling. You SSH in, run ls -la wp-config.
Anonymized from a real site A one-person agency's WordPress, fronted by a WAF

The WAF blocked it, and the in-process monitor went dark

An attacker IP, routed through a compromised VPS, hit /wp-login.php 321 times in 91 seconds. The site's edge WAF terminated the requests at the HTTP layer before WordPress's authentication code ran. From inside the application, the login hook never fired, no failed-auth event was emitted, and no rule on those events had anything to evaluate. The attack happened, was correctly blocked, and produced a 12-minute silence at the application layer.

Two views side-by-side told the actual story: at the access-log layer, 92 HTTP 503s and 311 HTTP 499s from one IP against /wp-login.php; at the application layer, near-zero failed authentications during the same window. When the first is large and the second is empty, the WAF is doing the work, and that's the layer the attack story has to be read from.

This is the consistent edge case for application-layer behavioral monitoring: the harder the site is secured at the edge, the less an in-process monitor can say about what hit it. The operator wired the WAF's block-event hook into the same monitoring layer as the application signals, so future events flow into one place regardless of where they were stopped.

Related guides

WordPress Brute Force Attack Detection from Logs WordPress REST API hammered with login attempts — how to detect credential stuffing WordPress admin user added without your knowledge — how to detect privilege escalation WordPress file integrity monitoring without a paid plugin

See what's actually happening in your WordPress system

Connect your site. Logystera starts monitoring within minutes.

Request a demo WordPress integration
Logystera Logystera
Behavioral monitoring for the systems your team operates. Read operational state, get told when behavior changes, with the evidence attached. Current integrations: WordPress and Drupal.
Product
Overview How it works Features Integrations Compare Pricing Changelog Status
Guides
WordPress Cron Not Running WordPress Emails Not Sending Log-Based Monitoring WordPress Monitoring Drupal Monitoring Signals Reference Reports Blog Documentation
Solutions
For Agencies For SMEs For Government For Education For Enterprise Services Engagement Models What Logystera Is FAQ
Legal
Privacy Terms Security Cookies
Company
Contact About Why Logystera
Follow us
Twitter LinkedIn
Copyright © 2026 Logystera. All rights reserved.