The way the hacker got in was through the “wp-config.php” when it was readable as plain text. From that, the hacker can get your database name, and your database username and password.Protect it the .htaccess Way. Josiah Cole wrote a nice htaccess tutorial on modifying your. Adding this to your .HTACCESS will prevent access to your wp-config.php file.
deny from all