Guide to WordPress wp-config.php

BeoHosting Team · 11 min read

What is wp-config.php

The wp-config.php file is one of the most important files in a WordPress installation because it contains configuration that controls how WordPress communicates with the database, manages security, handles errors, and allocates system resources. This file is created during WordPress installation and is located in the site's root directory. Unlike admin panel settings stored in the database, wp-config.php settings are applied before WordPress even establishes a database connection.

Understanding wp-config.php is essential for anyone seriously managing a WordPress site. Proper configuration of this file can significantly improve site security, performance, and stability. Errors in wp-config.php can make the site completely unavailable because the file loads before everything else. In this guide, we walk through every important setting with explanations of what it does, what values to use, and when to change it.

Database settings

Basic constants

DB_NAME defines the name of the database WordPress uses. This name is created in the hosting control panel or through the MySQL command line before WordPress installation. DB_USER is the username for database access with sufficient privileges for reading and writing. DB_PASSWORD is the password for that user, which should be strong and unique. Never use the root user for WordPress because that represents a security risk.

DB_HOST is the database server address, usually localhost when the web server and database are on the same server. On some hosting platforms this value differs, for example an IP address or a socket path. DB_CHARSET defines the database character set and should be utf8mb4, which supports all Unicode characters including emojis. DB_COLLATE defines the rules for text sorting and comparison and is usually left empty so MySQL uses the default collation for the selected charset.

Table prefix

The $table_prefix variable defines the prefix for all WordPress tables in the database. The default value is wp_, but it's recommended to change it to something unique like abc123_ during installation. This is a basic security measure that makes SQL injection attacks harder because the attacker can't guess table names. Changing the prefix after installation is possible but requires careful renaming of all tables and updating references in options and user metadata.

Security keys and salts

What are security keys

WordPress uses eight security constants — AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their corresponding SALT variants. These keys are used to encrypt information stored in user cookies. Without these keys, user sessions would be vulnerable to interception and identity theft. Each key should be unique, long, and random with a combination of letters, numbers, and special characters.

WordPress provides an online generator at api.wordpress.org/secret-key that generates eight random keys ready to copy into wp-config.php. Periodic key changes are recommended, especially after a security incident, because changing the keys invalidates all existing sessions and forces all users to log in again. This is an effective way to immediately log out all users, including a potential attacker who has compromised an administrator account.

Proper implementation

Copy the generated keys and replace the placeholder values in wp-config.php. Each key must be unique; never use the same keys on two different sites. If you migrate a site to a new server, copy the keys from the old wp-config.php so users don't have to log in again. Keep a backup of the keys in a safe place: losing them doesn't cause permanent damage, but it requires all users to log in again.
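A local alternative to the online generator, with a check for the rules above (all eight keys present, no placeholder left in, no value reused). This is an added example, not WordPress or BeoHosting code; the function names and the 64-character minimum are assumptions of the example.

```php
<?php
// Added example (PHP 7.4+): generate and check the eight keys/salts locally.
const KEY_NAMES = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];
const PLACEHOLDER = 'put your unique phrase here'; // value in wp-config-sample.php
const MIN_LENGTH  = 64;                             // assumed minimum length

// One key from letters, digits and special characters. The single quote and
// backslash are excluded so the value is safe in a single-quoted PHP string.
function generate_key(int $length = MIN_LENGTH): string {
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
           . '!@#$%^&*()-_=+[]{}<>~|;:,.?/ ';
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        $key .= $chars[random_int(0, strlen($chars) - 1)]; // CSPRNG-backed
    }
    return $key;
}

// The eight define() lines, ready to paste into wp-config.php.
function build_key_block(): string {
    $line = fn($name) => sprintf("define( '%s', '%s' );", $name, generate_key());
    return implode("\n", array_map($line, KEY_NAMES)) . "\n";
}

// Lists missing, placeholder, short or repeated keys in the text of a
// wp-config.php file. Only single-quoted values are recognised.
function check_keys(string $config): array {
    $problems = $seen = [];
    foreach (KEY_NAMES as $name) {
        if (!preg_match("/define\(\s*'$name'\s*,\s*'([^']*)'\s*\)/", $config, $m)) {
            $problems[] = "$name is not defined";
            continue;
        }
        if ($m[1] === PLACEHOLDER || strlen($m[1]) < MIN_LENGTH) {
            $problems[] = "$name is a placeholder or too short";
        } elseif (isset($seen[$m[1]])) {
            $problems[] = "$name repeats {$seen[$m[1]]}";
        }
        $seen[$m[1]] = $seen[$m[1]] ?? $name; // remember the first owner of a value
    }
    return $problems;
}

if (PHP_SAPI === 'cli') {
    echo build_key_block(); // run from the command line to print a fresh set
}
```

Calling check_keys() on the contents of an existing wp-config.php returns an empty array when the key section follows the rules in this section.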

Debug mode

WP_DEBUG

The WP_DEBUG constant controls whether WordPress displays PHP errors, warnings, and notices. The default value is false, which hides all errors from visitors. Setting it to true activates error display and is useful during development or troubleshooting. On a production site, WP_DEBUG should never be true because displaying errors to visitors reveals information about the site structure that an attacker can exploit.

WP_DEBUG_LOG

When WP_DEBUG_LOG is set to true, WordPress writes all errors to the wp-content/debug.log file instead of displaying them on screen. This is ideal for production sites where you want to track errors without displaying them to visitors. You can define a custom path by setting WP_DEBUG_LOG to an absolute path to the log file. Regularly review the log file and delete it when it becomes too large because it can take up significant disk space.

WP_DEBUG_DISPLAY

WP_DEBUG_DISPLAY controls whether errors are displayed on the HTML page. Set it to false in combination with WP_DEBUG true and WP_DEBUG_LOG true so errors are logged but not displayed to visitors. SCRIPT_DEBUG, when set to true, forces WordPress to use the uncompressed versions of CSS and JavaScript files, which is useful for developing themes and plugins but slows down the site in production.

Memory limit

WP_MEMORY_LIMIT

WP_MEMORY_LIMIT defines the maximum amount of PHP memory WordPress can use for processing requests on the frontend. The default value is 40M for standard installations and 64M for Multisite. For sites with many plugins, large media libraries, or WooCommerce, increasing to 128M or 256M is recommended. This value cannot exceed the PHP memory_limit setting on the server because WordPress can't request more memory than PHP allows.

WP_MAX_MEMORY_LIMIT

WP_MAX_MEMORY_LIMIT defines the memory limit for the admin panel, which usually requires more memory than the frontend due to image processing, updates, and content management. The default value is 256M. If you get errors like "Allowed memory size exhausted" in the admin panel, increase this value. Note that an excessively high memory limit can mask a memory leak in a plugin or theme instead of solving it.

Advanced constants

Autosave and revisions

AUTOSAVE_INTERVAL defines the interval in seconds between automatic post saves in the editor. The default value is 60 seconds. Decreasing to 30 seconds provides more frequent content backups during writing but increases server requests. WP_POST_REVISIONS controls how many revisions are stored for each post. By default, WordPress keeps an unlimited number of revisions, which can fill the database on content-heavy sites. Set to a specific number like 5 or 10 for a reasonable compromise between content safety and database size.

Trash bin

EMPTY_TRASH_DAYS defines how many days deleted content is kept in the trash before permanent deletion. The default value is 30 days. Reduce to 7 days if you want to automatically clean deleted content faster. Set to 0 to completely disable trash, meaning content is deleted permanently immediately. This isn't recommended because there's no recovery option for accidentally deleted content.

Automatic updates

WP_AUTO_UPDATE_CORE controls automatic WordPress core updates. The value true enables all updates including major versions; minor, which is the default, enables only minor security updates; and false completely disables automatic updates. AUTOMATIC_UPDATER_DISABLED set to true disables all automatic update processes, including plugins and themes with the auto-update option.

SSL and URLs

FORCE_SSL_ADMIN set to true forces HTTPS for the login page and the admin panel. This is mandatory on every site with an SSL certificate because it protects administrator credentials from interception. WP_HOME and WP_SITEURL define the site URL and can be useful when migrating a site to a new address. These constants take priority over the database settings, meaning you can use them for quick URL changes without admin panel access.

Cron and scheduled tasks

WordPress uses the wp-cron system for scheduled tasks like publishing scheduled posts, checking for updates, and sending email notifications. WP-cron runs on every site visit, which isn't ideal for sites with low or very high traffic. DISABLE_WP_CRON set to true disables this system and requires configuring a system cron job that runs wp-cron.php at regular intervals, usually every 5 or 15 minutes.

ALTERNATE_WP_CRON uses an alternative method for running scheduled tasks that's more reliable in some hosting environments. WP_CRON_LOCK_TIMEOUT defines the time in seconds for which wp-cron is locked to prevent multiple instances from launching simultaneously. At BeoHosting, our hosting packages support system cron, which is more reliable than the WordPress internal cron system, and we can configure it for your site.

Security constants

File system protection

DISALLOW_FILE_EDIT set to true disables the built-in theme and plugin editor in the admin panel. This is an important security measure because if an attacker compromises an admin account, they can't use the editor to inject malicious code into theme or plugin files. DISALLOW_FILE_MODS goes a step further and disables theme and plugin installation and updates through the admin panel, forcing all changes to be made through FTP or SSH.

Moving wp-config.php one directory above the site root is possible because WordPress automatically looks for the file in the parent directory. This prevents direct access to the file through the web browser in case PHP stops working and the server starts serving PHP files as text. Combining these measures with proper file permissions (644 for wp-config.php, or even 440 on servers where the web server user has access) significantly improves security.
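The settings from the Debug mode, SSL and URLs, Cron and scheduled tasks, and File system protection sections, written out as one wp-config.php fragment with the weak variant noted beside each corrected one. This is an added example, not BeoHosting's own configuration; the log path and install path are hypothetical.

```php
<?php
// Added example: hardening fragment for wp-config.php. Paths are hypothetical.
// Every define() must appear above the line that loads wp-settings.php.

// --- Debug mode: log errors, never show them to visitors ------------------
// Weak: WP_DEBUG on with display left at its default prints errors,
// including file paths, into the page:
//   define( 'WP_DEBUG', true );
// Corrected, for troubleshooting a live site:
define( 'WP_DEBUG', true );          // WP_DEBUG_LOG has no effect without this
// An absolute path outside the web root; plain `true` writes to
// wp-content/debug.log, which the web server may serve to anyone who asks.
define( 'WP_DEBUG_LOG', '/var/log/wordpress/example-site-debug.log' );
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', '0' );   // tell PHP itself not to print errors
define( 'SCRIPT_DEBUG', false );     // keep minified CSS/JS in production

// --- SSL -------------------------------------------------------------------
define( 'FORCE_SSL_ADMIN', true );   // login and wp-admin over HTTPS only

// --- File system protection ------------------------------------------------
// Weak: both constants unset, so an admin session can edit PHP files
// from the built-in editor.
define( 'DISALLOW_FILE_EDIT', true );
// Stricter: also blocks installs and updates from wp-admin. It stops
// automatic updates too, so enable it only when updates are deployed
// over FTP or SSH.
// define( 'DISALLOW_FILE_MODS', true );

// --- Automatic updates -----------------------------------------------------
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// --- Cron ------------------------------------------------------------------
define( 'DISABLE_WP_CRON', true );
// Matching system crontab entry (every 15 minutes, hypothetical path):
//   */15 * * * * php /var/www/example-site/wp-cron.php >/dev/null 2>&1
```

Once troubleshooting is finished, set WP_DEBUG back to false and remove the log file.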

Performance optimization

Caching and compression

WP_CACHE set to true activates the mechanism for advanced cache plugins like WP Super Cache or W3 Total Cache. This constant enables loading the advanced-cache.php file that the cache plugin creates for processing requests before WordPress loads all plugins and the theme. Without this constant, cache plugins can't work optimally. Content compression, enabled by setting COMPRESS_CSS and COMPRESS_SCRIPTS to true, can reduce CSS and JavaScript file size.

Database

SAVEQUERIES set to true records all database queries and their execution time in the global $wpdb->queries array. This is useful for diagnosing a slow site because you can identify queries that take too long or are repeated unnecessarily. Never leave this enabled in production because storing all queries in memory increases resource consumption. Use it only temporarily for performance analysis in combination with a plugin like Query Monitor.

Conclusion

The wp-config.php file is the WordPress installation control center defining site behavior at a fundamental level. Proper configuration of security keys, debug mode, memory limits, and advanced constants can significantly improve site security, performance, and stability. Regularly review and update settings according to site growth and infrastructure changes. At BeoHosting, our team can help with wp-config.php settings optimization for maximum performance on our hosting platform.
