The wp-config.php file is one of WordPress’ most important files. It contains the configuration information required to make WordPress work. As the name suggests, it is written in PHP – the language upon which WordPress is built.
The file is automatically generated when you install WordPress; however, it can be edited at any point after that. While you’re not required to access or edit the file in the ordinary course of managing your WordPress website, you may need to do so in certain circumstances. This is what we will discuss next.
Note: If you’re going to edit the file for any reason, make sure you take a backup first.
Table of contents
- What is the wp-config.php file used for?
- When to edit the wp-config file
- How to access wp-config.php
- How wp-config.php is structured
- Common wp-config edits
What is the wp-config.php file used for?
As mentioned earlier, wp-config is used for configuring different aspects of WordPress. It contains important information such as database connection information – an important aspect of strong WordPress database security.
Some configurations allowed by wp-config are not necessary for most websites, while some configuration options can be handled through the WordPress dashboard. Having said that, there is quite a lot you can configure through wp-config – more than many people might think.
Settings and options that can be configured through wp-config fall into one of two categories – database settings and advanced options. We will look into these two categories separately next.
Database settings
As the name suggests, within the database settings category, we can set a number of database settings. These include:
Database name: The name of the WordPress database.
Database user and password: The username and password WordPress uses to access the database
Database host: Where the database is hosted
Database character set and collation: The character set and collation (how the character set is sorted)
Security keys: Encryption keys and salts used to secure information.
Advanced options
Within advanced options, we find several different configurations. The list is truly extensive, and includes the following:
Table prefix: The prefix for the database table, which is ‘wp_’ by default.
Site and blog URLs: Defines the website and blog URLs
Folder locations: Defines the location of wp-content, plugins, themes, and uploads
Autosave: How often should WordPress autosave post
Revisions: Enable or disable post revisions and the number of post revisions stored
Errors: Configure recovery mode, error logging, and debugging options
Environment type: Set the installation type of environment, such as local, development, staging, or production
Memory: Set the PHP memory limit
Updates: Enable or disable auto updates and upgrade constants
Cron: Enable or disable Cron and Cron timeout and set up an alternative Cron
Plugins and themes: Enable or disable plugin and theme editor, updates, and installations
SSL: Require SSL for the login and admin areas
This list is non-exhaustive. Settings can be added and removed from the wp-config file with new updates. If in doubt, refer to WordPress.org’s latest documentation.
When to edit the wp-config file
Most WordPress administrators and website owners do not need to edit the wp-config file. The file is automatically generated during the initial WordPress setup. The initial configuration is enough for most websites. However, if there is a significant change in your WordPress environment or you need to implement additional settings, you may need to edit the wp-config file.
This article will look at some of the more common configuration edits administrators, and website owners undertake through wp-config.php. Make sure you keep reading to find out more.
How to access wp-config.php
The wp-config file can be accessed in different ways. Depending on how your WordPress is hosted, different access options may apply to you. Typically, you’ll be able to access the file in one of four ways as follows:
FTP
One of the easiest ways to access the wp-config.php file is through FTP/SFTP. Your hosting service provider will provide the connection details. You’ll need an FTP client such as FileZilla; however, some hosting providers offer a web-based interface that’ll allow you to connect just the same.
You should find the wp-config file in the WordPress root directory, typically the public_html folder.
SSH
SSH is another popular option; however, this requires some knowledge of the OS (Operating System) on which the webserver is running. Your hosting service provider will also provide your connection details.
cPanel
If your hosting plan/configuration includes cPanel, you can access the wp-config file through the File Manager.
Hosting provider (managed WordPress)
If you’re on a managed WordPress hosting plan, your service provider might provide you access through their backend. The exact procedure will vary from one service provider to the next. If you’re unsure about this, refer to the documentation provided by your service provider.
How wp-config.php is structured
As the name shows, the wp-config file is written in PHP. This is the same language WordPress is written in – which makes sense. While some knowledge of PHP helps in understanding and editing the file, you do not need to be a developer to do so.
The wp-config file is critical to the proper functioning of WordPress websites. If you’re not 100% sure how to configure the file, take a backup before you make any changes so that you can restore a working version should something happen. You might also want to consider testing changes in a staging environment before editing the wp-config file of your live environment.
It’s important to note that wp-config files can look different from one WordPress to another. While the basics are pretty standard, your hosting provider may include additional entries to satisfy the requirements of their particular setup.
The file starts with the PHP opening statement, telling the interpreter on the webserver that the file is indeed in PHP.
You will also find comments before each setting, telling us what the setting is.
Settings are configured using a variable and a value. The variable is essentially the setting name, while the value defines the setting itself.
Below is a sample wp-config file:
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the installation.
* You don’t have to use the web site, you can copy this file to “wp-config.php”
* and fill in the values.
*
* This file contains the following configurations:
*
**Database settings
**Secret keys
**Database table prefix
**Localized language
** ABSPATH
*
* @link https://wordpress.org/support/article/editing-wp-config-php/
*
* @package WordPress
*/
// Database settings – You can get this info from your web host //
/** The name of the database for WordPress */
define( ‘DB_NAME’, ‘database_name_here’ );
/** Database username */
define( ‘DB_USER’, ‘username_here’ );
/** Database password */
define( ‘DB_PASSWORD’, ‘password_here’ );
/** Database hostname */
define( ‘DB_HOST’, ‘localhost’ );
/** Database charset to use in creating database tables. */
define( ‘DB_CHARSET’, ‘utf8’ );
/** The database collate type. Don’t change this if in doubt. */
define( ‘DB_COLLATE’, ” );
/**#@+
* Authentication unique keys and salts.
*
* Change these to different unique phrases! You can generate these using
* the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
*
* You can change these at any point in time to invalidate all existing cookies.
* This will force all users to have to log in again.
*
* @since 2.6.0
*/
define( ‘AUTH_KEY’, ‘put your unique phrase here’ );
define( ‘SECURE_AUTH_KEY’, ‘put your unique phrase here’ );
define( ‘LOGGED_IN_KEY’, ‘put your unique phrase here’ );
define( ‘NONCE_KEY’, ‘put your unique phrase here’ );
define( ‘AUTH_SALT’, ‘put your unique phrase here’ );
define( ‘SECURE_AUTH_SALT’, ‘put your unique phrase here’ );
define( ‘LOGGED_IN_SALT’, ‘put your unique phrase here’ );
define( ‘NONCE_SALT’, ‘put your unique phrase here’ );
/**#@-*/
/**
* WordPress database table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = ‘wp_’;
/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the documentation.
*
* @link https://wordpress.org/support/article/debugging-in-wordpress/
*/
define( ‘WP_DEBUG’, false );
/* Add any custom values between this line and the “stop editing” line. */
/* That’s all, stop editing! Happy publishing. */
/** Absolute path to the WordPress directory. */
if ( ! defined( ‘ABSPATH’ ) ) {
define( ‘ABSPATH’, DIR . ‘/’ );
}
/** Sets up WordPress vars and included files. */
require_once ABSPATH . ‘wp-settings.php’;
Common wp-config edits
As mentioned earlier, the wp-config file allows for all sorts of WordPress configurations. If we had to go through all of them, we’d end up with a book rather than an article. As such, we thought it’d be more valuable if we went through some of the more common settings, highlighting what they mean and which setting needs to be edited in particular to achieve a specific outcome.
Database
One of the most common wp-config edits is database settings. There are quite a few settings that you can configure here, including;
Essential note: Changing the value of a database setting only changes the setting and not the actual value of the resource. For example, changing the database name in wp-config DOES NOT change the actual database name that WordPress uses. It merely tells WordPress to look for a database with such a name (as defined in wp-config) when looking to save or read database data.
As such, if you’re planning on changing any of the database settings, keep in mind that you’ll need to make changes to the wp-config file and the WordPress database itself.
Database name
The database name setting allows us to set the database name in which WordPress stores its tables and data. This is set during installation.
Setting to edit:
define( ‘DB_NAME’, ‘databasenamehere’ );
Database username
The database username tells WordPress which username to use when connecting to the database
Setting to edit:
define( ‘DB_USER’, ‘databaseuserhere’ );
Database password
The database password tells WordPress which password to use in conjunction with the database username to access the database
Setting to edit:
define( ‘DB_PASSWORD’, ‘databasepasswordhere’ );
Database hostname
The database hostname tells WordPress where (on which server) the database is hosted.
Setting to edit:
define( ‘DB_HOST’, ‘databasehostnamehere’ );
Database charset
The database charset tells WordPress which character set to use when saving data to the database and reading data from the database. By default, this is set to UTF8, which has been the standard of choice since WordPress version 2.2.
Setting to edit:
define( ‘DB_CHARSET’, ‘utf8’ );
Database collate type
The database collation defines the character set and the sort order used when it comes to sorting and comparison. By default, this is left empty, which allows the MySQL (or MariaDB) server to assign the value.
Setting to edit:
define( ‘DB_COLLATE’, ” );
Database table prefix
Changing the database table prefix often comes up as a security measure you can take to minimize risks. It’s often recommended as a good security practice as everyone knows the default table prefix, which can leave you open to certain vulnerabilities.
The table prefix is set during the initial WordPress installation process. While it can be changed once WordPress is up and running, it is not a matter of just updating the wp-config file with a new value – you also need to manually rename the tables in the MySQL database.
Alternatively, you can use a plugin to help you accomplish this; however, proceed with caution – our research shows that most of these plugins have not been updated in a very long time.
Setting to edit:
$table_prefix = ‘wp_’;
Security
WordPress security is critical in ensuring a healthy and thriving WordPress. To this end, you’ll find a number of WordPress security settings and configurations in the wp-config file, including:
Keys and Salts
Keys and salts are an essential part of WordPress’ security. Key and salts come in pairs and are used to hash session data in user cookies. There are four pairs in total, as follows;
- AUTH_KEY and AUTH_SALT: Authorizes the user to sign in to WordPress and make changes using an unsecured connection (no SSL)
- SECURE_AUTH_KEY and SECURE_AUTH_SALT: Authorizes the user to sign in to WordPress and make changes using a secured connection (SSL)
- LOGGED_IN_KEY and LOGGED_IN_SALT: Authorizes the user to sign in to WordPress but cannot make changes
- NONCE_KEY and NONCE_SALT: Signs the nonce (number used once), preventing replay attacks
Settings to edit:
define( ‘AUTH_KEY’, ‘put your unique phrase here’ );
define( ‘SECURE_AUTH_KEY’, ‘put your unique phrase here’ );
define( ‘LOGGED_IN_KEY’, ‘put your unique phrase here’ );
define( ‘NONCE_KEY’, ‘put your unique phrase here’ );
define( ‘AUTH_SALT’, ‘put your unique phrase here’ );
define( ‘SECURE_AUTH_SALT’, ‘put your unique phrase here’ );
define( ‘LOGGED_IN_SALT’, ‘put your unique phrase here’ );
define( ‘NONCE_SALT’, ‘put your unique phrase here’ );
New keys can be easily generated using WordPress.org’s random key generator. Learn more about WordPress security keys and salts.
SSL
Using an SSL/TLS certificate on WordPress (HTTPS) is one of the most basic security measures you can take. It encrypts all data between your website and users/visitors and will even boost your SEO efforts. Enabling this setting forces WordPress to use SSL to secure logins and the WordPress admin area. Keep in mind that the SSL certificate needs to be configured already.
Setting to edit:
define( ‘FORCE_SSL_ADMIN’, true );
Administration
WordPress is a very powerful system, in part thanks to its many administration tools that allow WordPress to be deployed in various different environments. In this section, we will look at some of the most common administration settings that you can edit through wp-config.
WordPress Debugging
The WordPress debugging tool is a useful tool used to troubleshoot WordPress issues. The tool includes four different settings that enable debugging, logging, and error display.
By default, these are set to false. You’ll need to change this to true to enable debugging. Remember to change it back to false once you’re done debugging.
Settings to edit:
define( ‘WP_DISABLE_FATAL_ERROR_HANDLER’, true ); // 5.2 and later
define( ‘WP_DEBUG’, true );
define( ‘WP_DEBUG_LOG’, true );
define( ‘WP_DEBUG_DISPLAY’, false );
Other debugging options
Script debug
When enabled, script debug loads what WordPress.org refers to as the “dev versions” of CSS (Cascading StyleSheets) and JS (JavaScript) files.
This can be useful when testing changes to default versions of JS or CSS files.
By default, this is set to false
Setting to edit:
define( ‘SCRIPT_DEBUG’, true );
SAVEQUERIES
When enabled, SAVEQUERIES saves all database queries, including execution time and function that called it to an array, stored in $wpdb->queries. By default this is set to false.
Setting to edit:
define( ‘SAVEQUERIES’, true );
WordPress Updates
WordPress updates are a critical component of the WordPress ecosystem. WordPress receives updates that add new functionality, update existing ones, and fix bugs and any security holes that might be present. Updates are so crucial that WordPress offers an automatic updates option to ensure you’re always running the latest version of the software.
Disable automatic updates
If you have a policy of testing updates in a staging environment before rolling them out to production, you may want to disable automatic updates on the production WordPress altogether.
Setting to edit:
define( ‘AUTOMATIC_UPDATER_DISABLED’, true );
Configure updates
You can also choose which updates are rolled out automatically and which ones are not.
Setting to edit:
define( ‘WP_AUTO_UPDATE_CORE’, true );
- If you set the value to true, all updates will be enabled
- If you set the value to false, all updates are disabled
- If you set the value to minor, only minor updates are enabled
WordPress File System
The WordPress file system stores essential data, including the code of the WordPress core, themes, plugins, and uploads. Files are stored in specific locations, which locations are configured in the wp-config file. As such, it is entirely possible to move them, the configure the new locations in wp-config so that WordPress knows where to find them.
Do keep in mind that changing values here will not automatically move the files and folders – you’ll need to do this manually.
Settings to edit:
For the wp-content folder
define( ‘WP_CONTENT_DIR’, dirname(__FILE__) . ‘/blog/wp-content’ );
define( ‘WP_CONTENT_URL’, ‘http://example/blog/wp-content’ );
For the plugins folder
define( ‘WP_PLUGIN_DIR’, dirname(__FILE__) . ‘/blog/wp-content/plugins’ );
define( ‘WP_PLUGIN_URL’, ‘http://example/blog/wp-content/plugins’ );
define( ‘PLUGINDIR’, dirname(__FILE__) . ‘/blog/wp-content/plugins’ );
For the uploads folder
define( ‘UPLOADS’, ‘blog/wp-content/uploads’ );
The themes folder cannot be moved since its path is hardcoded. However, you can create and register a secondary themes folder through the register_theme_directory function.
Content
Content is at the heart of WordPress websites. With WordPress itself being a Content Management System (CMS), there are a number of content-related settings that can be configured through wp-admin. These include:
Autosave
Allows you to set how often WordPress autosave a post. Value indications interval in seconds. The default value is 60 seconds.
Setting to edit:
define( ‘AUTOSAVE_INTERVAL’, 60 );
Post revisions
WordPress automatically keeps a record of posts revisions. This setting can be disabled so that no revisions are kept. You can also specify the maximum number of revisions WordPress should keep for a given post.
Settings to edit:
define( ‘WP_POST_REVISIONS’, true);
define( ‘WP_POST_REVISIONS’, 3 );
Memory limit
WordPress uses PHP memory allocation to run. By default, WordPress will try to allocate 40MB in the case of a single site and 64MB in the case of a multisite. Should WordPress run out of memory, you’ll see an “Allowed memory size of x bytes exhausted” message. In such cases, you may want to increase the memory limit. Keep in mind that hosting providers may put limits on how much memory you can allocate. In the example below, we will allocate 64MB of memory.
Setting to edit:
define( ‘WP_MEMORY_LIMIT’, ’64M’ );
wp-config.php – A file worth knowing
wp-config.php is truly a file worth knowing. As we just saw, It lets you configure several different aspects of WordPress, giving you a fine degree of flexibility and control over the configuration and behavior of your WordPress websites.
It’s important to always refer to WordPress.org’s official documentation before making any changes since the file can change. When in doubt, remember to take a backup and, if possible, test out any changes you’re planning to make on a staging server first. This will help you ensure that changes do not react negatively and your website continues to function.
