A Comprehensive Guide To wp-config.php

wp-config.php, as the name suggests, is the configuration file of your WordPress website. 

This file contains the main settings that affect how your website operates. As you’ll see in this article, this file is critical to website operations. In addition, it contains information about database credentials and important website security details. You’ll also see how you can edit this file to optimize your workflow and website operations.

What is wp-config.php

wp-config.php is essential to your website operation. You can see it in the WordPress root folder.

Here’s an interesting fact about this file:

The file is not part of the WordPress installation package you download from the website. Instead, the file is created during installation as you enter information during the setup wizard.

There is a wp-config-sample.php, but it’s just a sample file. You can choose to use it as is by renaming the file to wp-config.php or letting WordPress generate a new file during the installation process.

The Sample wp-config.php File

When you set up a WordPress website, you go through a wizard that asks many questions about the database and table prefix. In response to your answers, WordPress generates a unique wp-config file that contains details such as database credentials, table-related information, and security keys.

Here’s a sample wp-config.php file from the official WordPress GitHub repo:

<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the installation.
 * You don't have to use the web site, you can copy this file to "wp-config.php"
 * and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * Database settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://wordpress.org/support/article/editing-wp-config-php/
 *
 * @package WordPress
 */

// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'database_name_here' );

/** Database username */
define( 'DB_USER', 'username_here' );

/** Database password */
define( 'DB_PASSWORD', 'password_here' );

/** Database hostname */
define( 'DB_HOST', 'localhost' );

/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
 * Authentication unique keys and salts.
 *
 * Change these to different unique phrases! You can generate these using
 * the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
 *
 * You can change these at any point in time to invalidate all existing cookies.
 * This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );

/**#@-*/

/**
 * WordPress database table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the documentation.
 *
 * @link https://wordpress.org/support/article/debugging-in-wordpress/
 */
define( 'WP_DEBUG', false );

/* Add any custom values between this line and the "stop editing" line. */



/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';

 The Structure of wp-config.php

Let’s go through this sample wp-config.php file and explore each section in detail. 

The first thing you need to understand is that the file has a specific order in which all the details are arranged. Therefore, when modifying the file’s contents, you need to ensure that this order is not disturbed because it can result in errors. 

The DEFINE statement defines almost all settings in this file. This PHP function defines constants that can be called across the entire website. 

The benefit of defining constants is that the developers can have a standardized way of calling important variables without worrying about using incorrect or outdated information. 

For instance, take the statement that defines the database name:

define( 'DB_NAME', 'database_name_here' );

You can see that this statement takes two parameters, “DB_NAME” and the actual name of the database. Now, any developer writing code involving the WordPress database doesn’t need to know the exact name of the database for the code to function. They simply need to refer to DB_NAME, and WordPress replaces it with the database’s name (the second parameter). This simplifies the development process and sets up a layer of security for your website.

Database

WordPress stores quite a bit of information in the database. Typically, you’d see the posts and pages content, plugin and theme-related information, and general housekeeping data. Database access lies at the center of a WordPress website. 

There is no wonder that the first section of the wp-config file is about the

WordPress database. Here, you’ll see the following six entries in the database.

define( 'DB_USER', 'username_here' );

define( 'DB_PASSWORD', 'password_here' );

define( 'DB_HOST', 'localhost' );

define( 'DB_CHARSET', 'utf8' );

define( 'DB_COLLATE', '' );

Out of these, the first four are important for your website. These entries store the essential details required to connect to the database. 

There is a slight chance of getting the “Error Establishing a Database Connection” error. This could happen when the database server is using an alternate port. If that’s the case, you can simply get the port from your hosting provider and add the new port number to the DB_HOST value. 

define( 'DB_HOST', 'mysql.example.com:3307' );

where:

mysql.example.com is your database server, and 3307 is the port number.

The last two entries are about the character set and database collation. I recommend leaving these two unchanged.

In the case of the DB_CHARSET, UTF8 is an excellent choice because it’s the most popular character set on the internet and covers all character variations of major languages. 

In the case of DB_COLLATE, the default value determines how strings are compared and stored in the database. Therefore, you needn’t change the default value (null) because it allows the MySQL database to determine string collation based on the value of the DB_CHARSET.

Salts and Keys

The next eight entries of the wp-config.php file store authentication keys and salts.

• Keys are sequences of random characters and numbers that harden the security of your website.
• Salts are random data that is added to passwords to make them difficult to guess and crack. All passwords are “salted” before they’re stored in the database. 

WordPress deploys four keys to protect your website. Each key is further strengthened by adding a corresponding salt to obscure the key further.

• AUTH_KEY: This key is the general key required for making changes to the site. The corresponding salt is AUTH_SALT. 
• SECURE_AUTH_KEY: This key is required for SSL administration and making changes to the website. The corresponding salt is SECURE_AUTH_SALT. 
• LOGGED_IN_KEY: This key is required of the logged-in user. Note that this key is generally not used to authorize website changes. The corresponding salt is LOGGED_IN_SALT. 
• NONCE_KEY: This key is used to sign the nonce (single-use items) on the website. The corresponding salt is NONCE_SALT.

Table Prefix

WordPress allows you to add a prefix to the table names. The general pattern is wp_(prefix). This prefix increases website security by making your table names unique and very hard to guess. The good part here is that you can choose anything as the prefix because WordPress would treat your prefix the same as any system-generated prefix.

A good tip here is to generate a random string using an online random string generator. Next, add it to the line

$table_prefix = 'yourRandomString';

If you wish to change the table prefix for an existing website, you need to do it manually by using the database administrator installed on your hosting server.

By default, WordPress has 11 tables in the database. Plugins and themes can create additional tables as well. It would help if you used SQL queries to find the current table prefix and change it. WP Beginner has a great piece that sums up the process very nicely.

Turn Debugging On

By default, WordPress doesn’t display error messages because it annoys and alarms the users. As such, the default behavior set by the WP_DEBUG is false. However, if you are a developer and the project is under development, turning the debugging option on allows you to see what went wrong. 

This is where the “official” version of wp-config.php ends. 

WordPress has a reputation for extensibility – you can customize the CMS to fit the users’ requirements. Let’s see several ways you can modify the wp-config.php file to improve your WordPress experience.

How wp-config.php Adds Value to Your WordPress Website

In addition to the settings included in the wp-config file, you can add additional code to ensure your WordPress website behaves the way you wish. Technically, wp-config is a PHP file, and you can use the DEFINE statement to set many parameters that can be used to carry out a whole lot of optimization for your website. 

Let’s go through some of the things you can do with wp-config.php

Bypass FTP Connection Requirements

There are times when you face trouble updating the core files, plugins, and themes on your website. You can bypass the FTP requirement by setting the filesystem method to ‘direct’. Here’s the line you need to add to the file

define('FS_METHOD','direct');

Set WordPress Address URL

You can define the path where the WordPress core files are located to reduce (or eliminate) the database calls. Usually, you need to define the path when you install WordPress in a subfolder. For this, you set WP_SITEURL using the following statement in wp-config.

define( 'WP_SITEURL', 'http://yoursite.com/wordpress' );

Note that you need to include ‘http://’ and remove any trailing slashes.

I discourage dynamically setting WP_SITEURL using the $_SERVER[‘HTTP_HOST’] because it could leave your website open to file inclusion attacks 

Next, you can define WP_HOME  and set it to the address people can use to reach your blog. For this, you can use 

define( ‘WP_HOME’, ‘http://yoursite.com’ );

Set PHP Memory Limit

You sometimes get the warning message ‘Allowed memory size of xxx bytes exhausted ‘. This message indicates that the PHP memory allocated to WordPress has been consumed completely. Fortunately, you can change this limit by adding a simple statement to the wp-config file. 

By default, WordPress allocated 40MB to PHP memory for a single site and 64MB to multisite. Since these limits are set as default in /wp-includes/default-constants.php, you need to set values greater than these default values.

Some hosting providers don’t allow setting or increasing the PHP memory limit. If that’s the case with you, you should contact the provider to increase the limit. 

Here’s the line you need to add to wp-config

define( 'WP_MEMORY_LIMIT', 'xxxM' );

where xxxM should be replaced with the value you have in mind.

A related idea is setting the maximum limit for this parameter. This often comes in handy when you need more memory for administrative tasks. You need to add the following line to wp-config.

define( 'WP_MAX_MEMORY_LIMIT', 'xxxM' );

where xxxM should be replaced with the value you have in mind.

Set the Duration Content Lives in Trash

When you delete a post, page, or comment, it isn’t removed right away. Instead, WordPress moves it to Trash, a holding location that allows you to recover anything you delete accidentally. The default duration of this holding period is 30 days. If you wish to change the default value, use the following statement.

define( 'EMPTY_TRASH_DAYS', xxx );

where xxx is the number of days items are retained in the trash. 

Using this statement, you can bypass the trash bin and permanently delete an item. For this, use the following statement:

define( 'EMPTY_TRASH_DAYS', 0 );

Disable Automatic Updates

Auto-update is a huge timesaver for WordPress users, who no longer have to waste time worrying about manual updates. 

There are scenarios where you don’t want to update everything on your website automatically. Maybe your organization has a strict security policy and allows only approved updates. Or, your administrator only allows major updates. Whatever the reason behind the decision, you can easily disable automatic updates by adding the following line to wp-config

define( 'AUTOMATIC_UPDATER_DISABLED', true );

You can also control how auto-update works for the WordPress core files. You can disable to disable all core file updates by adding the following line:

define( 'WP_AUTO_UPDATE_CORE', false );

Alternatively, you can allow all updates by adding the following line:

define( 'WP_AUTO_UPDATE_CORE', true );

Manage Image Edits

By default, WordPress creates a new version every time you edit an image. All these versions are not removed and continue to take up space on the server. You can change this behavior by adding the following line to wp-config.

define( 'IMAGE_EDIT_OVERWRITE', true );

With this constant set to true, only one set of edited images is created.

Set Autosave Intervals

WordPress autosaves revisions as you edit a post or page. The default interval between each save is 60 seconds. You can modify this interval by adding the following line:

define( 'AUTOSAVE_INTERVAL', xxx );

where xxx is in seconds.

Enable WordPress Caching

You can enable advanced caching for WordPress by adding the following statement to wp-config

define('WP_CACHE', true);

This includes the wp-content/advanced-cache.php script when executing wp-settings.php.

Set Up Redirection

There are times when visitors try to access subfolders and subdomains that don’t exist on your website. You can set up redirection so that all such visitors can be redirected to a specific address by adding the following line:

define( 'NOBLOGREDIRECT', 'http://yoursite.com' );

Remember to replace yoursite.com with your root domain or a page on your website.

Disable File Editor

Very often, WordPress websites crash when users edit critical files. Similarly, hackers can wreak serious damage by defacing the files when they gain access to a privileged user account on your website. Add the following line to wp-config to disable theme and plugin file editing.

define( 'DISALLOW_FILE_EDIT', true );

Important: When you add this line, some plugins might malfunction because of the restriction imposed by the statement. If the plugin is absolutely essential for your website, comment out this line. Otherwise, opt for an alternative that works with this restriction.

If you wish to take security to the next level by disabling plugin and theme installation and update, setting this value disables installation, updates, and editing of the plugin and theme files. For this, add the following line to wp-config

define( 'DISALLOW_FILE_MODS', true );

It’s a Wrap!

wp-config.php contains several important settings and configuration information that WordPress uses to manage the operations of your website. In addition to managing database operations, you can edit the file to manage how you can use your website for streamlined performance. 

I urge you to back up the original wp-config file before editing it. If you overlook this essential step, you might have to take a long route to restore your website. I suggest making a copy of the file when you set up your website. Then, if your site crashes or starts behaving erratically, you can simply replace the current wp-config file with your backup copy.

Let me know if you need help with the WordPress options and settings.