WordPress wp-config.php File - Complete Configuration Guide

Mahesh Waghmare

The wp-config.php file is the heart of your WordPress installation. It contains critical configuration settings that control database connections, security keys, debugging, and much more. Understanding and properly configuring this file is essential for WordPress security, performance, and functionality.

This comprehensive guide covers everything you need to know about wp-config.php, from basic database setup to advanced security configurations.

Understanding wp-config.php

The wp-config.php file is located in your WordPress root directory (the same folder as wp-content, wp-admin, and wp-includes). This file is created during WordPress installation and contains PHP constants and variables that configure your WordPress site.

Key Characteristics:

  • Must be in WordPress root directory
  • Contains sensitive information (database credentials)
  • Should have proper file permissions (644 or 600)
  • Never commit to version control with real credentials
  • Back up before making changes

File Structure: The wp-config.php file typically contains:

  1. Database configuration constants
  2. Security keys and salts
  3. Table prefix
  4. Debug settings
  5. Memory and performance settings
  6. Custom constants and configurations

Database Configuration

The database configuration is the most critical part of wp-config.php. These constants define how WordPress connects to your MySQL database:

define( 'DB_NAME', 'database_name_here' );
define( 'DB_USER', 'username_here' );
define( 'DB_PASSWORD', 'password_here' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8mb4' );
define( 'DB_COLLATE', '' );

DB_NAME

The name of your WordPress database. This is created in your hosting control panel (cPanel, Plesk, etc.) or via phpMyAdmin.

Example:

define( 'DB_NAME', 'wp_mywebsite' );

DB_USER

The MySQL username that has access to your database. This user must have full privileges (SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, etc.).

Example:

define( 'DB_USER', 'wp_user' );

DB_PASSWORD

The password for the database user. Use a strong, unique password.

Security Note: Never share this password or commit it to version control.

Example:

define( 'DB_PASSWORD', 'your_secure_password_here' );

DB_HOST

The database server hostname. For most hosting providers, this is localhost. Some managed hosting services use different hosts.

Common Values:

  • localhost - Standard local or shared hosting
  • localhost:/path/to/socket - Unix socket connection
  • 127.0.0.1:3306 - IP address with port
  • db.example.com - Remote database server

Example:

define( 'DB_HOST', 'localhost' );

DB_CHARSET and DB_COLLATE

Character set and collation for database tables. WordPress 4.2+ uses utf8mb4 by default, which supports emojis and all Unicode characters.

Recommended Settings:

define( 'DB_CHARSET', 'utf8mb4' );
define( 'DB_COLLATE', '' );

Note: Leave DB_COLLATE empty unless you have a specific reason to change it.

Security Keys and Salts

Security keys and salts are used to encrypt information stored in cookies and improve overall WordPress security. These should be unique, random strings.

Location in wp-config.php:

define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );

Generating Security Keys

WordPress provides a generator at https://api.wordpress.org/secret-key/1.1/salt/

Best Practices:

  1. Generate new keys during initial installation
  2. Regenerate keys if you suspect a security breach
  3. Use long, random strings (64+ characters)
  4. Never reuse keys across multiple sites
  5. Store a backup of your keys securely

What Each Key Does

  • AUTH_KEY: Used for user authentication cookies
  • SECURE_AUTH_KEY: Used for secure authentication cookies
  • LOGGED_IN_KEY: Used for logged-in user cookies
  • NONCE_KEY: Used for nonce security tokens
  • AUTH_SALT: Salt for authentication
  • SECURE_AUTH_SALT: Salt for secure authentication
  • LOGGED_IN_SALT: Salt for logged-in users
  • NONCE_SALT: Salt for nonces

Important: Changing these keys will log out all users, so regenerate during maintenance windows.
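
Added example (not from the original article or from WordPress): one way to rotate all eight values at once, generating them locally with Python's secrets module rather than with the online generator linked above. SAMPLE and the function names are constructed for illustration.

```python
import re
import secrets
import string

KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
        "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Printable ASCII minus ' and \ so values need no escaping in PHP single quotes.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   + string.punctuation if c not in "'\\")

def new_secret(length=64):
    """One value drawn from the OS CSPRNG via the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate_keys(config_text):
    """Replace every key/salt define() in place; return (new_text, missing).

    Missing constants are reported, not appended: a define() placed at the
    end of the file would come after WordPress has already been loaded.
    """
    missing = []
    for name in KEYS:
        line = f"define( '{name}', '{new_secret()}' );"
        pattern = re.compile(
            r"^[ \t]*define\(\s*['\"]%s['\"]\s*,.*$" % name, re.MULTILINE)
        # A function replacement keeps the secret from being parsed as a template.
        config_text, n = pattern.subn(lambda _m, l=line: l, config_text, count=1)
        if n == 0:
            missing.append(name)
    return config_text, missing

# Constructed sample, not a real site's configuration.
SAMPLE = """<?php
define( 'DB_NAME', 'database_name_here' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    rotated, missing = rotate_keys(SAMPLE)
    print(rotated)
    print("not defined in file:", ", ".join(missing))
```

Write the result to a temporary file and swap it in only after confirming that the missing list is empty.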

Database Table Prefix

The table prefix is a string added before all WordPress database table names. The default is wp_, but changing it improves security.

Default Configuration:

$table_prefix = 'wp_';

Security Benefit: Changing the prefix makes it harder for attackers to guess table names, though it’s not a primary security measure.

Changing the Prefix:

  1. Choose a unique prefix (e.g., wp_abc123_)
  2. Update wp-config.php:
    $table_prefix = 'wp_abc123_';
  3. Rename existing tables in database
  4. Update any hardcoded references in plugins/themes

Best Practices:

  • Use 3-5 characters plus underscore
  • Make it unique and random
  • Don’t use common words like “site” or “blog”
  • Example: wp_7x9k_ or wp_mysite_

Debug and Development Settings

WordPress debug settings help developers identify issues during development. Never enable these on production sites.

WP_DEBUG

Enables WordPress debug mode, displaying PHP errors, warnings, and notices.

Development:

define( 'WP_DEBUG', true );

Production:

define( 'WP_DEBUG', false );

WP_DEBUG_LOG

Logs errors to wp-content/debug.log file instead of displaying them.

Recommended for Production:

define( 'WP_DEBUG', false );
define( 'WP_DEBUG_LOG', true );
define( 'WP_DEBUG_DISPLAY', false );

This allows you to monitor errors without exposing them to visitors.

WP_DEBUG_DISPLAY

Controls whether errors are displayed on screen.

Development:

define( 'WP_DEBUG_DISPLAY', true );

Production:

define( 'WP_DEBUG_DISPLAY', false );

SCRIPT_DEBUG

Loads unminified versions of JavaScript and CSS files for debugging.

define( 'SCRIPT_DEBUG', true );

SAVEQUERIES

Saves database queries for analysis. Useful for performance debugging.

define( 'SAVEQUERIES', true );

Note: This adds overhead; only use it during development.

Memory and Performance Settings

WP_MEMORY_LIMIT

Sets the PHP memory limit for WordPress admin area.

Default: 40M (often insufficient)

Recommended:

define( 'WP_MEMORY_LIMIT', '256M' );

Common Values:

  • 64M - Minimum for small sites
  • 128M - Standard for medium sites
  • 256M - Recommended for most sites
  • 512M - For large sites with many plugins

WP_MAX_MEMORY_LIMIT

Sets memory limit for admin operations (imports, updates, etc.).

define( 'WP_MAX_MEMORY_LIMIT', '512M' );

WP_CACHE

Enables WordPress caching. Set to true when using caching plugins.

define( 'WP_CACHE', true );

COMPRESS_CSS and COMPRESS_SCRIPTS

Enable compression of CSS and JavaScript (usually handled by plugins).

define( 'COMPRESS_CSS', true );
define( 'COMPRESS_SCRIPTS', true );

File Editing Settings

DISALLOW_FILE_EDIT

Prevents editing of theme and plugin files from WordPress admin. Highly recommended for security.

define( 'DISALLOW_FILE_EDIT', true );

Benefits:

  • Prevents unauthorized code changes
  • Protects against compromised admin accounts
  • Forces proper deployment workflows

DISALLOW_FILE_MODS

Prevents installation, update, and deletion of plugins and themes.

define( 'DISALLOW_FILE_MODS', true );

Useful for managed WordPress hosting or strict security requirements.

Automatic Update Settings

WP_AUTO_UPDATE_CORE

Controls automatic WordPress core updates.

Options:

  • true - Enable all automatic updates (minor and major)
  • false - Disable all automatic updates
  • 'minor' - Enable only minor updates (recommended)

Recommended:

define( 'WP_AUTO_UPDATE_CORE', 'minor' );

This keeps WordPress secure with minor updates while allowing manual control of major updates.

AUTOMATIC_UPDATER_DISABLED

Completely disables the automatic updater.

define( 'AUTOMATIC_UPDATER_DISABLED', true );

WP_AUTO_UPDATE_CORE_FORCED

Forces automatic updates even if VCS (Git, SVN) is detected.

define( 'WP_AUTO_UPDATE_CORE_FORCED', true );

Advanced Configuration Options

WP_HOME and WP_SITEURL

Override the site URL and WordPress URL. Useful for moving WordPress or using different domains.

define( 'WP_HOME', 'https://example.com' );
define( 'WP_SITEURL', 'https://example.com' );

COOKIE_DOMAIN

Sets the domain for cookies. Usually not needed unless using subdomains.

define( 'COOKIE_DOMAIN', '.example.com' );

COOKIEPATH and SITECOOKIEPATH

Set cookie paths. Rarely needed.

define( 'COOKIEPATH', '/' );
define( 'SITECOOKIEPATH', '/' );

FORCE_SSL_ADMIN

Forces SSL for admin area and login.

define( 'FORCE_SSL_ADMIN', true );

Requires: SSL certificate installed on server.

WP_POST_REVISIONS

Controls post revision system.

Disable revisions:

define( 'WP_POST_REVISIONS', false );

Limit revisions:

define( 'WP_POST_REVISIONS', 3 );

AUTOSAVE_INTERVAL

Sets autosave interval in seconds (default: 60).

define( 'AUTOSAVE_INTERVAL', 300 ); // 5 minutes

EMPTY_TRASH_DAYS

Days before WordPress permanently deletes trashed items (default: 30).

define( 'EMPTY_TRASH_DAYS', 7 );

WP_CRON_LOCK_TIMEOUT

Timeout for cron lock (prevents overlapping cron jobs).

define( 'WP_CRON_LOCK_TIMEOUT', 60 );

Security Best Practices

File Permissions

Set proper file permissions for wp-config.php:

Recommended:

  • File permissions: 644 or 600
  • Owner: Web server user
  • Group: Web server group

Command:

chmod 600 wp-config.php

Move wp-config.php (Advanced)

For maximum security, move wp-config.php one directory above WordPress root:

  1. Move file: wp-config.php → ../wp-config.php
  2. WordPress will automatically find it
  3. Update file permissions
  4. Test site functionality

Note: This requires careful server configuration and may break some hosting setups.

Environment-Specific Configuration

Use different configurations for development, staging, and production:

if ( file_exists( dirname( __FILE__ ) . '/wp-config-local.php' ) ) {
    include( dirname( __FILE__ ) . '/wp-config-local.php' );
}

Then create wp-config-local.php for local overrides (never commit this file).

Regular Security Audits

  1. Review wp-config.php regularly
  2. Check for exposed credentials
  3. Verify security keys are set
  4. Ensure debug is disabled in production
  5. Confirm file permissions are correct
  6. Back up before making changes
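
Added example (not part of the original article): the checklist above as a Python script that checks file permissions, placeholder keys and credentials, and debug flags. The 64-character threshold is the one this guide recommends; SAMPLE and the function names are constructed for illustration.

```python
import os
import re
import stat

# define() at line start only, so lines commented out with // or # are skipped.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"](\w+)['"]\s*,\s*(?:'([^']*)'|"([^"]*)"|([^)\s]+))\s*\)""",
    re.MULTILINE)
KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
        "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDERS = {"", "put your unique phrase here", "password_here"}

def parse_defines(text):
    """Map each constant name to its value as text ('true', '3', a string)."""
    return {m.group(1): next(g for g in m.groups()[1:] if g is not None)
            for m in DEFINE_RE.finditer(text)}

def audit(text, mode):
    """Checklist findings for wp-config.php contents and its permission bits."""
    cfg, findings = parse_defines(text), []
    if mode & 0o133:  # any bit beyond rw-r--r-- (644)
        findings.append(f"permissions {mode:03o} are looser than 644")
    weak = [k for k in KEYS
            if cfg.get(k, "") in PLACEHOLDERS or len(cfg[k]) < 64]
    if weak:
        findings.append("weak or missing keys: " + ", ".join(weak))
    if cfg.get("DB_PASSWORD", "") in PLACEHOLDERS:
        findings.append("DB_PASSWORD is empty or a placeholder")
    for flag in ("WP_DEBUG", "WP_DEBUG_DISPLAY"):
        if cfg.get(flag, "false").lower() == "true":
            findings.append(f"{flag} is enabled")
    return findings

def audit_file(path):
    """Audit a real file: read it and take the mode from the filesystem."""
    with open(path, encoding="utf-8") as fh:
        return audit(fh.read(), stat.S_IMODE(os.stat(path).st_mode))

# Constructed sample, not a real site's configuration.
SAMPLE = """<?php
define( 'DB_PASSWORD', 'password_here' );
define( 'AUTH_KEY', 'put your unique phrase here' );
// define( 'WP_DEBUG', false );
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_DISPLAY', false );
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, 0o664)))
```

The parser does not handle /* ... */ block comments or define() calls split across lines, so treat an empty result as a first pass and still read the file.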

Backup Strategy

Always back up wp-config.php before:

  • Making configuration changes
  • Updating WordPress
  • Migrating sites
  • Changing database credentials

Store backups securely and never commit to public repositories.

Conclusion

The wp-config.php file is essential for WordPress functionality, security, and performance. Proper configuration ensures:

  • Secure database connections
  • Strong encryption for cookies
  • Appropriate debug settings
  • Optimal performance settings
  • Enhanced security measures

Remember to:

  • Keep wp-config.php secure (proper permissions)
  • Never commit real credentials to version control
  • Disable debug mode in production
  • Regularly review and update configurations
  • Back up before making changes

Mastering wp-config.php gives you complete control over your WordPress installation and is crucial for maintaining a secure, performant website.
