Make sure that the Wordpress core, every Plug-in and Add-on and every Theme (irrespective of whether they are in use or not) are updated to the latest available versions.
Delete any Plug-in, Add-on and Theme that are not being used to reduce your attack surface.
Also audit all the Plug-ins, Add-ons and Themes to ensure they are still being actively supported by their developers ,and have not been abandoned.
Ensure that any additional FTP users have been deleted, or have had their passwords changed as well.
If your web host has enabled your access; disable any PHP options (eg file_uploads, allow_url_open etc) that you don't need, you will have to check what the site and its features needs - the two that I listed were meant only as examples, not suggestions !
Check your logs for any indication of a 'PUT' method around the time your config.php file was changed.
Switch ON ModSecurity if it is available to you.
If you are really unsure about whether the method used to change the file has been blocked or not - download the website file-set and also a copy of the Wordpress core and all plugins and themes from their source and "diff" them to see if any strange code resides in any file.
If all else fails - reinstall Wordpress and all the plugins etc fresh, and reconfigure the site.
Disclose the event to your web host, and ask for help in attempting to ascertain the point of access from logs. It is remotely possible that the access originated through another site altogether, and your web host needs to satisfy himself that the rest of his clients are safe as well.
Hope this helps
