WordPress Speed Up Service | WordPress Website Maintenance Packages Reply To: Is a request with wp-config.php in the query string ever legit ?, by catacaustic You are right, all of those are hacker scritps looking for known vunerabilities to download your config file. WordPress doesn’t do a public call over http to the config file. It uses PHP’s internal require_once() function, and that is only done on the file system. Anything that’s called over http should never include that file like that. Reply To: Is a request with wp-config.php in the query string ever legit ?