Understanding wp-config.php is critical for WordPress site management. Learn how to properly configure your database, security settings, and hosting environment.
# WP-Config.php: Essential WordPress Configuration Guide for Site Owners
What Is wp-config.php?
Wp-config.php is the foundational configuration file for every WordPress installation. Located in your website's root directory, this single PHP file contains database credentials, security keys, debugging settings, and environment variables that WordPress needs to function. Without proper wp-config.php configuration, your site cannot connect to its database or operate correctly.
Think of wp-config.php as your WordPress site's instruction manual. It tells WordPress where your database lives, how to authenticate users, which plugins to load, and how to handle errors. Every WordPress site—whether you're running a personal blog or managing multiple client sites—depends entirely on correct wp-config.php setup.
Critical Database Configuration Settings
The database section of wp-config.php is non-negotiable. Your hosting provider supplies four essential pieces of information during WordPress installation:
DB_NAME: Your database name. This is the specific database WordPress will use. Different from your hosting account username, DB_NAME is created during WordPress installation or can be created through your hosting control panel (cPanel, Plesk, etc.).
DB_USER: The database user account with permissions to access DB_NAME. This account should have full privileges on the specific database.
DB_PASSWORD: The secure password for DB_USER. Store this in wp-config.php only—never hardcode credentials elsewhere in your theme or plugin files.
DB_HOST: Usually "localhost" on shared hosting, but some hosts use specific addresses like "127.0.0.1" or custom server names. Your hosting documentation specifies the correct value.
Incorrect database credentials cause immediate 'Error establishing a database connection' messages. Verify each value character-by-character, paying attention to case sensitivity and special characters.
Security Keys and Salts
Security keys (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY) and their corresponding salts encrypt user session tokens and sensitive data. These should be long, random strings—absolutely not "put your unique phrase here" or predictable values.
WordPress provides a generator at api.wordpress.org/secret-key/1.1/salt/. Copy and paste the entire output directly into wp-config.php. Change these keys when migrating sites, upgrading security, or if you suspect compromise. Changing them logs out all users site-wide, so plan accordingly.
Table Prefix Configuration
The $table_prefix variable (typically 'wp_') names all WordPress database tables. Changing it from the default provides minimal security benefit but can help if running multiple WordPress installations in one database.
For security through obscurity, some administrators use prefixes like 'app3x_' or custom strings. Change this only during initial setup—altering it on an existing site requires database migration and causes site failure if done incorrectly.
WordPress Debugging and Development Settings
WP_DEBUG: Set to 'true' only on development/staging sites. This enables error logging and displays PHP notices that help identify problematic code. Never enable WP_DEBUG on production sites—it exposes sensitive information to visitors.
WP_DEBUG_LOG: Directs errors to /wp-content/debug.log instead of displaying them on-site. Essential for troubleshooting without breaking site visibility.
WP_DEBUG_DISPLAY: Set to 'false' when WP_DEBUG_LOG is enabled. This prevents error displays while logging continues.
SCRIPT_DEBUG: Forces WordPress to use unminified CSS and JavaScript files. Useful for theme and plugin development, but creates performance issues on production sites.
Database Optimization Settings
AUTOSAVE_INTERVAL: How often WordPress auto-saves post drafts (default: 60 seconds). Increase this on high-traffic sites to reduce database writes:
```
define('AUTOSAVE_INTERVAL', 300); // 5 minutes
```
WP_POST_REVISIONS: Controls how many post revisions WordPress keeps. Set to a reasonable number rather than unlimited:
```
define('WP_POST_REVISIONS', 5); // keep at most 5 revisions per post
```
Unlimited revisions accumulate quickly, bloating your database and slowing queries.
Memory and Performance Optimization
WP_MEMORY_LIMIT: WordPress memory allocation, typically 64MB. Most shared hosting provides adequate defaults. For plugin-heavy sites, increase gradually:
```
define('WP_MEMORY_LIMIT', '128M');
```
WP_MAX_MEMORY_LIMIT: Memory limit for WordPress admin, separate from front-end limits. Default is 256MB, which suits most installations.
EMPTY_TRASH_DAYS: How long WordPress keeps deleted content before permanently removing it (default: 30 days). Reduce this on high-volume sites:
```
define('EMPTY_TRASH_DAYS', 7); // purge trashed items after 7 days
```
Common WP-Config.php Mistakes
Leaving Sample Credentials: WordPress installation creates default database credentials as examples. Verify you've updated them with actual hosting values before launching.
Incorrect Localhost References: Shared hosting and managed WordPress hosting both use 'localhost', but some setups require specific IPs or addresses. Check your hosting control panel.
Editing in Wrong Location: On multisite installations, wp-config.php is in the root directory only—not in individual site folders. Editing the wrong file causes configuration failures.
Publishing wp-config.php Publicly: Never commit wp-config.php to public GitHub repositories. Use .gitignore to exclude it. Exposed credentials allow complete site takeover.
Leaving Debug Mode Enabled: WP_DEBUG enabled on production sites displays error messages containing file paths and database structure to visitors. This information aids hackers.
Migration and Server Transfer Considerations
When moving WordPress to a new host, wp-config.php requires updates:
- New DB_HOST if the new server uses different database connectivity
- New DB_USER and DB_PASSWORD if the new host creates different credentials
- Unchanged DB_NAME if you migrate the database and keep the same name
- Unchanged security keys unless implementing new security protocols
Most hosting migration services handle wp-config.php updates automatically. Always verify connectivity immediately after migration by checking the WordPress admin dashboard.
Protecting WP-Config.php
Your hosting server should prevent direct web access to wp-config.php. This file contains database credentials—unauthorized access means site compromise.
Verify protection by attempting to visit yoursite.com/wp-config.php in a browser. You should receive a server error or blank page, not readable code. If code displays, contact your host immediately.
Host-level protections typically prevent wp-config.php access automatically. Additional .htaccess rules provide redundant protection on Apache servers:
```
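# Apache 2.2 syntax; Apache 2.4 accepts it only through mod_access_compat.
# The native 2.4 form of the two lines below is: Require all denied
<files wp-config.php>
order allow,deny
deny from all
</files>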
```
When to Edit WP-Config.php
Edit wp-config.php for:
- Initial WordPress installation
- Server/database migrations
- Enabling debugging for troubleshooting
- Implementing security key rotation
- Enabling multisite functionality
- Configuring custom staging environments
Never edit wp-config.php to fix styling issues, plugin conflicts, or theme problems. These belong in other configuration areas.
Verification Checklist
After wp-config.php modifications:
1. Verify WordPress admin loads without database connection errors
2. Check that WP_DEBUG is disabled on production sites
3. Confirm security keys contain random characters, not placeholder text
4. Test database backup functionality if you modified related settings
5. Verify plugin and theme functionality if you adjusted memory limits
6. Check that debug.log file is inaccessible via browser
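Checklist items 2 and 3, together with the "Leaving Sample Credentials" mistake, can be checked from the file itself. The following is an added example, not code from WordPress or from this guide: the function names `parse_defines` and `audit` are hypothetical, the placeholder strings are the ones shipped in wp-config-sample.php, and the sample config is constructed.

```python
import hashlib
import re

# Placeholder strings shipped in wp-config-sample.php.
PLACEHOLDERS = {"put your unique phrase here", "database_name_here",
                "username_here", "password_here"}
KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
MIN_KEY_LEN = 64  # length of each value the WordPress.org generator emits
# define('NAME', 'value' | true) at line start, so //-commented defines are skipped.
DEFINE_RE = re.compile(
    r"""^[ \t]*define\(\s*(['"])(\w+)\1\s*,\s*(?:(['"])(.*?)\3|(\w+))\s*\)""", re.M | re.S)

def parse_defines(php_source):
    """Return {constant: value}; true/false become bool. First define wins, as in PHP."""
    found = {}
    for m in DEFINE_RE.finditer(php_source):
        name, quoted, bare = m.group(2), m.group(4), m.group(5)
        value = quoted if quoted is not None else bare
        if quoted is None and bare.lower() in ("true", "false"):
            value = bare.lower() == "true"
        found.setdefault(name, value)
    return found

def audit(php_source, production=True):
    """Return findings for the checklist items that can be checked from the file alone."""
    d, findings = parse_defines(php_source), []
    for name in ("DB_NAME", "DB_USER", "DB_PASSWORD"):
        if not d.get(name) or d[name] in PLACEHOLDERS:
            findings.append(f"{name}: missing, empty or sample placeholder")
    for name in KEY_NAMES:
        value = d.get(name)
        if not isinstance(value, str) or value in PLACEHOLDERS:
            findings.append(f"{name}: missing or placeholder text")
        elif len(value) < MIN_KEY_LEN:
            findings.append(f"{name}: shorter than generator output")
    if production and d.get("WP_DEBUG") is True:
        shown = d.get("WP_DEBUG_DISPLAY") is not False  # display defaults to on
        findings.append("WP_DEBUG: on in production" + (", errors displayed" if shown else ""))
    return findings

# Constructed sample, not a real site: SHA-256 hex strings stand in for keys.
SAMPLE = ("<?php\ndefine( 'DB_NAME', 'shop_db' );\ndefine( 'DB_USER', 'username_here' );\n"
          "define( 'DB_PASSWORD', 'constructed-example' );\n// define( 'WP_DEBUG', false );\n"
          "define( 'WP_DEBUG', true );\ndefine( 'AUTH_KEY', 'put your unique phrase here' );\n"
          + "".join(f"define( '{n}', '{hashlib.sha256(n.encode()).hexdigest()}' );\n"
                    for n in KEY_NAMES[1:]))

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The remaining checklist items (admin loads, backups work, debug.log is not served) need a running site and are outside what a static read of the file can confirm.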
Essential Takeaways
Wp-config.php is not optional—it's the essential configuration file that makes WordPress function. Correct database credentials, proper debugging configuration, and secure key management prevent common failures. Store credentials securely, enable debugging only on development sites, and update wp-config.php carefully during migrations.
Understood properly, wp-config.php becomes your most reliable tool for WordPress management and troubleshooting across any number of installations.
✦ AI-generated by Claude · Last updated 7/2/2026