Everything You Need to Know About wp-config.php

The wp-config.php file is a significant part of your WordPress site and its security. However, managing the file requires a little bit of expertise. After reading this article, you can wrap your head around WordPress configuration and what crucial benefits you can get from it.

What is the wp-config.php File?

One of the most important files in your WordPress installation is the wp-config.php file. This file is located in the root of your WordPress file directory and contains your website’s base configuration details, such as database-connection information.

When you first download WordPress, the wp-config.php file isn’t included. The WordPress setup process will create a wp-config.php file for you based on the information you provide.

You can manually create a wp-config.php file by locating the sample file named wp-config-sample.php (located in the root install-directory), editing it as required, and then saving it as wp-config.php.

Know about wp-config.php file

The contents of the wp-config-sample.php file are in a very specific order. The order matters. If you already have a wp-config.php file, rearranging the contents of the file may create errors on your blog.

To change the wp-config.php file for your installation, you will need this information:

  • Database Name – Database Name used by WordPress
  • Database Username – Username used to access Database
  • Database Password – Password used by Username to access Database
  • Database Host – The hostname of your Database Server. A port number, Unix socket file path or pipe may be needed as well.

If your hosting provider installed WordPress for you, get the information from them. If you manage your own web server or hosting account, you will have this information as a result of creating the database and user.

wp config.php location in root directory

To change the wp-config.php, you will need an FTP (i.e. FileZilla), or if you use Hostinger, you can use the Hostinger File Manager, as we do. The next step is downloading the file to your hard drive.

Important: Modify wp-config.php only if necessary and don’t forget to create a backup. Messing it up will cause problems.

For example purposes, we’ll use wp-config-sample.php as our source. It is the base version of wp-config.php that is located in your WordPress directory, so both files are not entirely different. The code is described in PHP constant and should look like this:

* The base configuration for WordPress
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
* This file contains the following configurations:
* * MySQL settings
* * Secret keys
* * Database table prefix
* @link https://codex.wordpress.org/Editing_wp-config.php
* @package WordPress

// ** MySQL settings - You can get this info from your web host ** //

/** The name of the database for WordPress */
define('DB_NAME', 'database_name_here');

/** MySQL database username */
define('DB_USER', 'username_here');

/** MySQL database password */
define('DB_PASSWORD', 'password_here');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

* Authentication Unique Keys and Salts.
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
* @since 2.6.0
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');


* WordPress Database Table prefix.
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
$table_prefix = 'wp_';

* For developers: WordPress debugging mode.
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
* For information on other constants that can be used for debugging,
* visit the Codex.
* @link https://codex.wordpress.org/Debugging_in_WordPress
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/');

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

MySQL Settings for wp-config.php

Your database configuration is written under MySQL settings in wp-config.php, containing your MySQL hostname, database name, username, and password. You might want to change one of these when you move your site to another web hosting provider and decide to update MySQL details. Here’s a snippet:

// ** MySQL settings - You can get this info from your web host ** //

/** The name of the database for WordPress */
define( 'DB_NAME', 'database_name_here' );

/** MySQL database username */
define( 'DB_USER', 'username_here' );

/** MySQL database password */
define( 'DB_PASSWORD', 'password_here' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

Another method to see this information is to search the web hosting control panel. Just log in to your web hosting account, click the Database section, and choose MySQL Databases. In Hostinger’s control panel, it is displayed this way:

MySQL Databases

Besides that, there are several things you can change inside wp-config.php to enhance your website. You can generate Authentication Key and Salts, change your table prefix, enable debugging mode, and move the file for security reasons. We’ll explain them one by one.


Hosting Company DB_HOST Value Guess
1and1 db12345678
A2 Hosting localhost
AN Hosting localhost
Aruba.it localhost or real IP provided with activation mail.
A Small Orange localhost
AT&T xxxxxxxx.carrierzone.com full server name found in PHP MyAdmin.
BlueHost localhost
DreamHost mysql.example.com
GoDaddy – Shared and 4GH Hosting In the Databases menu go to MySQL. To the right of the database name click on Actions and Details. The hostname is at the bottom of the window.
GoDaddy – cPanel Hosting localhost
GoDaddy – Plesk Hosting Use the IP address shown in the Databases Section in Plesk. Do not include :3306
HostGator localhost
ICDSoft localhost:/tmp/mysql5.sock
Infomaniak Network mysql.yourdomain
InMotion Hosting localhost
iPage username.ipagemysql.com
IPower username.ipowermysql.com
Laughing Squid localhost
MediaTemple Grid internal-db.s00000.gridserver.com – (Replace “00000” with the actual site number)
MediaTemple DV localhost
MegaHost localhost
NearlyFreeSpeech.Net username.db
NetworkSolutions mysqlv5
one.com example.com.mysql
pair Networks dbnnnx.pair.com
QTH.com localhost
Rackspace Cloud localhost for unmanaged servers, variable for Cloud Sites like mysqlXY-AB.wcN.dfQ.stabletransit.com where X,Y,A,B,N,Q are variables
SysFix.eu Power Hosting datapower.sysfix.eu
Site5 localhost
Yahoo mysql
Hosts with cPanel localhost
Hosts with Plesk localhost
Hosts with DirectAdmin localhost
Tophost.it sql.your-domain-name.it

Security Keys

wp-config.php is important because you can create Authentication Keys and Salts inside the file. These will protect your website with more advanced methods by encrypting the user’s information.

You don’t have to remember the keys, just make them long, random and complicated — or better yet, use the online generator. You can change these at any point in time to invalidate all existing cookies. This does mean that all users will have to login again.

Example (don’t use these!):

define('AUTH_KEY','t`DK%X:>xy|e-Z(BXb/f(Ur`8#~UzUQG-^_Cs_GHs5U-&Wb?pgn^p8([email protected]}IcnCa|');
define('SECURE_AUTH_KEY','D&ovlU#|CvJ##uNq}bel+^MFtT&.b9{UvR]g%ixsXhGlRJ7q!h}XWdEC[BOKXssj' );
define('LOGGED_IN_KEY','MGKi8Br(&{H*~&0s;{k0<S(O:+f#WM+q|npJ-+P;RDKT:~jrmgj#/-,[hOBk!ry^' );
define('NONCE_KEY','FIsAsXJKL5ZlQo)iD-pt??eUbdc{_Cn<4!d~yqz))&B D?AwK%)+)F2aNwI|siOe' );
define('AUTH_SALT','7T-!^i!0,w)L#[email protected]{8XE[DenYI^BVf{L:jvF,hf}zBf883td6D;Vcy8,S)-&G' );
define('SECURE_AUTH_SALT','I6`V|mDZq21-J|ihb u^q0F }F_NUcy`l,=obGtq*p#Ybe4a31R,r=|n#=]@]c #' );
define('LOGGED_IN_SALT','w<$4c$Hmd%/*]`Oom>(hdXW|0M=X={we6;Mpvtg+V.o<$|#_}qG(GaVDEsn,~*4i' );
define('NONCE_SALT','a|#h{c5|P &xWs4IZ20c2&%4!c(/uG}W:mAvy<I44`jAbup]t=]V<`}.py(wTP%%' );

secret key makes your site harder to successfully attack by adding random elements to the password.

In simple terms, a secret key is a password with elements that make it harder to generate enough options to break through your security barriers. A password like “password” or “test” is simple and easily broken. A random, long password that uses no dictionary words, such as “88a7da62429ba6ad3cb3c76a09641fc” would take a brute force attacker millions of hours to crack. A ‘salt is used to further enhance the security of the generated result.

The four keys are required for enhanced security. The four salts are recommended but are not required, because WordPress will generate salts for you


WP_SITEURL allows the WordPress address (URL) to be defined. The value defined is the address where your WordPress core files reside. It should include the http:// part too. Do not put a slash “/” at the end. Setting this value in wp-config.php overrides the wp_options table value for siteurl. Adding this in can reduce the number of database calls when loading your site. Note: This will not change the database stored value. The URL will revert to the old database value if this line is ever removed from wp-configUse the RELOCATE constant to change the siteurl value in the database.

If WordPress is installed into a directory called “wordpress” for the domain example.com, define WP_SITEURL like this:

define( 'WP_SITEURL', 'http://example.com/wordpress' );

Dynamically set WP_SITEURL based on $_SERVER[‘HTTP_HOST’]

define( 'WP_SITEURL', 'http://' . $_SERVER['HTTP_HOST'] . '/path/to/wordpress' );

The domain set in the cookies for WordPress can be specified for those with unusual domain setups. For example, if subdomains are used to serve static content, you can set the cookie domain to only your non-static domain to prevent WordPress cookies from being sent with each request to static content on your subdomain .

define( 'COOKIE_DOMAIN', 'www.example.com' );

Database Table Prefix

Actually, WordPress sets a predefined table prefix in wp-config.php and you can add more layer of protection by modifying it. It reads like this:

$table_prefix = 'wp_';

Therefore, we encourage you to change this prefix during the installation process for better security. Replacing the existing prefix will make it harder for SQL injections to happen.

Change wp prefix with something random but remember that you can only use underscores, letters, and numbers to do so. For example:

$table_prefix = 'wp_custom751Admin_';

The best choice is to opt for something complex. Otherwise, it will defeat the purpose of changing the database table prefix in the first place.

Debugging Mode

By default, debugging mode is turned off. Turn it on if you are committed to learning about WordPress development.

Debugging mode is to notify developers after codes are being executed. This will help them look out for bugs on their website. However, considering the function, the debugging mode can still be useful for more general users.

The steps to turn on debugging mode are quite simple. You only need to find the line attached below, change debug mode to true where it is originally set to false.

define('WP_DEBUG', false);

Finding and Editing The wp-config.php File Location

Changing the wp-config.php location can be dangerous so performing a backup is a must. But as risky as it is, you might want to move your wp-config.php file to a new location so hackers won’t find it easily. One more safety measure is always welcome, after all.

To change wp-config.php location, grab your FTP application of choice (We use the Hostinger File Manager) and follow these instructions:

  1. Locate your wp-config.php in the root directory of your website (as shown earlier).
  2. Move wp-config.php to another place by drag-and-dropping it to your intended directory. The more random the final destination the better. In this case, we will put it inside /public_html/wp-admin/userwp config php new location e1549551870640
  3. After this process, your website is not accessible because it does not recognize the location of the wp-config file that you just moved. You will have to create another wp-config.php in a text editor in your PC to let your website know where the real file is now located. From our example, the new (or shortcut) wp-config.php file should only contain:

    Remember to replace the directory above with the new location of your wp-config.php.

  4. Upload the new file to your root directory–the place where the original wp-config.php was located. If your backup file is still there, overwrite it.
  5. You are done. Your WordPress configuration file is now in a safer place.

Increasing memory allocated to PHP

WP_MEMORY_LIMIT option allows you to specify the maximum amount of memory that can be consumed by PHP. This setting may be necessary in the event you receive a message such as “Allowed memory size of xxxxxx bytes exhausted”.

This setting increases PHP Memory only for WordPress, not other applications. By default, WordPress will attempt to increase memory allocated to PHP to 40MB (code is at the beginning of /wp-includes/default-constants.php) for single site and 64MB for multisite, so the setting in wp-config.php should reflect something higher than 40MB or 64MB depending on your setup.

WordPress will automatically check if PHP has been allocated less memory than the entered value before utilizing this function. For example, if PHP has been allocated 64MB, there is no need to set this value to 64M as WordPress will automatically use all 64MB if need be.

Note: Some hosts do not allow for increasing the PHP memory limit automatically. In that event, contact your host to increase the PHP memory limit. Also, many hosts set the PHP limit at 8MB.

Increase PHP Memory to 64MB

define( 'WP_MEMORY_LIMIT', '64M' );

Increase PHP Memory to 96MB

define( 'WP_MEMORY_LIMIT', '96M' );

Administration tasks require much memory than usual operation. When in the administration area, the memory can be increased or decreased from the WP_MEMORY_LIMIT by defining WP_MAX_MEMORY_LIMIT.

define( 'WP_MAX_MEMORY_LIMIT', '256M' );

Note: this has to be put before wp-settings.php inclusion.

Enabling SSH Upgrade Access

There are two ways to upgrade using SSH2.

The first is to use the SSH SFTP Updater Support plugin. The second is to use the built-in SSH2 upgrader, which requires the pecl SSH2 extension be installed.

To install the pecl SSH2 extension you will need to issue a command similar to the following or talk to your web hosting provider to get this installed:

pecl install ssh2

After installing the pecl ssh2 extension you will need to modify your PHP configuration to automatically load this extension.

pecl is provided by the pear package in most linux distributions. To install pecl in Redhat/Fedora/CentOS:

yum -y install php-pear

To install pecl in Debian/Ubuntu:

apt-get install php-pear

It is recommended to use a private key that is not pass-phrase protected. There have been numerous reports that pass phrase protected private keys do not work properly. If you decide to try a pass phrase protected private key you will need to enter the pass phrase for the private key as FTP_PASS, or entering it in the “Password” field in the presented credential field when installing updates.

How to Disable the Plugin and Theme Editor using wp-config.php

Occasionally you may wish to disable the plugin or theme editor to prevent overzealous users from being able to edit sensitive files and potentially crash the site. Disabling these also provides an additional layer of security if a hacker gains access to a well-privileged user account.

define( 'DISALLOW_FILE_EDIT', true );

Note: The functionality of some plugins may be affected by the use of current_user_can('edit_plugins') in their code. Plugin authors should avoid checking for this capability, or at least check if this constant is set and display an appropriate error message. Be aware that if a plugin is not working this may be the cause.

Disable Plugin and Theme Update and Installation

This will block users being able to use the plugin and theme installation/update functionality from the WordPress admin area. Setting this constant also disables the Plugin and Theme editor (i.e. you don’t need to set DISALLOW_FILE_MODS and DISALLOW_FILE_EDIT, as on its own DISALLOW_FILE_MODS will have the same effect).

define( 'DISALLOW_FILE_MODS', true );

Require SSL for Admin and Logins

FORCE_SSL_ADMIN is for when you want to secure logins and the admin area so that both passwords and cookies are never sent in the clear. See also Administration_Over_SSL for more details.

define( 'FORCE_SSL_ADMIN', true );

Double Check Before Saving

Be sure to check for leading and/or trailing spaces around any of the above values you entered, and DON’T delete the single quotes!

Before you save the file, be sure to double-check that you have not accidentally deleted any of the single quotes around the parameter values. Be sure there is nothing after the closing PHP tag in the file. The last thing in the file should be ?> and nothing else. No spaces.

To save the file, choose File > Save As > wp-config.php and save the file in the root of your WordPress install. Upload the file to your web server and you’re ready to install WordPress!


You have learned that wp-config.php is crucial for WordPress. It contains sensitive information that you should keep away from people with bad intentions. Fortunately, there are several things you can do to make your website more secure, and get more control. Just remember, you have to be careful when editing it because you might end up with an inaccessible WordPress website.

Check out our latest WordPress tutorial link

2 thoughts on “Everything You Need to Know About wp-config.php”

Leave a Comment