Using wp-config.php to configure WordPress is one of the most powerful skills a site owner or developer can have. This single file controls your database connection, security keys, debugging tools, table prefixes, and much more. Whether you are setting up a brand-new installation or fine-tuning an existing site, understanding every section of wp-config.php puts you firmly in control of how WordPress behaves at its core.
What Is wp-config.php and Where to Find It
The wp-config.php file is the primary configuration file for every WordPress installation. It is written in PHP and is loaded before almost anything else when WordPress boots up. Without it, WordPress cannot connect to the database or function at all.
Default Location
By default, WordPress places wp-config.php in the root directory of your installation — the same folder that contains wp-login.php and the wp-content folder. On a typical cPanel host this path looks like /public_html/wp-config.php. On a local XAMPP setup it would be C:\\xampp\\htdocs\\yoursite\\wp-config.php.
Moving wp-config.php for Security
WordPress automatically looks one directory above the root if it cannot find wp-config.php in the root. This means you can move the file to the parent directory as a security measure, keeping it out of the publicly accessible web folder. Simply cut the file and paste it one level up — WordPress will find it automatically on most server configurations.
How to Access and Edit wp-config.php
Before making any changes, always create a backup copy of the file. A single syntax error in wp-config.php will take your entire site offline.
Method 1 — Using cPanel File Manager
- Log in to your hosting control panel and open File Manager.
- Navigate to your WordPress root directory (usually
public_html). - Right-click
wp-config.phpand choose Download to save a backup. - Right-click the file again and choose Edit.
- Make your changes in the editor, then click Save Changes.
Method 2 — Using an FTP or SFTP Client
- Connect to your server with an FTP client such as FileZilla.
- Locate
wp-config.phpin the root WordPress directory. - Download a copy to your computer as a backup.
- Open the local copy in a code editor such as VS Code or Notepad++.
- Edit the file and upload it back to the server, overwriting the original.
Method 3 — Using WP-CLI
WP-CLI provides a convenient way to read and write wp-config.php constants without opening the file manually.
# View a specific constant
wp config get DB_NAME
# Set a constant
wp config set WP_DEBUG true --raw
# List all constants and variables
wp config listConfiguring Database Settings
The most critical section of wp-config.php is the database configuration block. If any of these values are wrong, WordPress will display a database connection error.
Core Database Constants
Open wp-config.php and locate the following four constants near the top of the file:
// ** Database settings ** //
define( 'DB_NAME', 'your_database_name' );
define( 'DB_USER', 'your_database_username' );
define( 'DB_PASSWORD', 'your_database_password' );
define( 'DB_HOST', 'localhost' );Replace each placeholder with the actual values provided by your hosting company. The DB_HOST value is almost always localhost, but some managed hosts use a custom hostname or port such as localhost:3307.
Database Charset and Collation
Below the host setting you will find:
define( 'DB_CHARSET', 'utf8mb4' );
define( 'DB_COLLATE', '' );Leave these at their defaults (utf8mb4 and an empty string) unless your host specifically instructs you otherwise. The utf8mb4 charset supports the full Unicode character set, including emoji.
Changing the Table Prefix
The table prefix defaults to wp_. Changing it to something less predictable — such as xk72_ — reduces the risk of automated SQL injection attacks that target the default prefix.
$table_prefix = 'xk72_';Important: Only change the prefix before running the WordPress install. Changing it on an existing installation requires renaming every table in the database and updating prefix references in the wp_options and wp_usermeta tables.
Security Keys and Salts
WordPress uses a set of eight cryptographic keys and salts to secure cookies and sessions. These constants should be unique random strings for every site.
Generating Fresh Keys
- Visit the official WordPress secret key service at
https://api.wordpress.org/secret-key/1.1/salt/. - The page will generate eight unique lines of PHP code on every load.
- Copy all eight lines.
- Open wp-config.php and find the existing key block (it starts with
define('AUTH_KEY'). - Select all eight existing lines and paste the new ones over them.
- Save the file.
Replacing the keys immediately invalidates all existing login sessions, which is a useful security measure after a suspected breach.
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');Debugging and Development Settings
WordPress includes a built-in debugging system that is configured entirely through wp-config.php. These constants are invaluable during development but must be disabled on live sites.
Enabling WP_DEBUG
// Enable debug mode
define( 'WP_DEBUG', true );
// Log errors to a file instead of displaying them
define( 'WP_DEBUG_LOG', true );
// Suppress error display on screen (use with WP_DEBUG_LOG)
define( 'WP_DEBUG_DISPLAY', false );
// Force scripts and styles to load unminified
define( 'SCRIPT_DEBUG', true );When WP_DEBUG_LOG is set to true, PHP errors are written to /wp-content/debug.log. Set WP_DEBUG_DISPLAY to false at the same time so errors are logged silently rather than shown to visitors.
Disabling the Plugin and Theme Editor
To prevent accidental (or malicious) code edits through the WordPress dashboard, add:
define( 'DISALLOW_FILE_EDIT', true );For an even more restrictive lockdown that also prevents plugin and theme installation or updates from the dashboard, use:
define( 'DISALLOW_FILE_MODS', true );Advanced Performance and Maintenance Settings
Beyond the basics, wp-config.php contains constants that can meaningfully improve performance and simplify maintenance workflows.
Setting Memory Limits
If your site shows memory exhaustion errors, increase the PHP memory available to WordPress:
define( 'WP_MEMORY_LIMIT', '256M' );
// For admin-area operations (defaults to WP_MEMORY_LIMIT + 64M)
define( 'WP_MAX_MEMORY_LIMIT', '512M' );Controlling Automatic Updates
You can fine-tune WordPress automatic updates directly from wp-config.php:
// Disable all automatic updates
define( 'AUTOMATIC_UPDATER_DISABLED', true );
// Allow only minor (security) core updates
define( 'WP_AUTO_UPDATE_CORE', 'minor' );Configuring the WordPress and Content Directories
If you have moved your WordPress core files or the wp-content directory to a custom location, tell WordPress where to find them:
define( 'WP_CONTENT_DIR', dirname(__FILE__) . '/app' );
define( 'WP_CONTENT_URL', 'https://example.com/app' );Enabling Multisite
To convert a single WordPress installation into a Multisite network, add the following constant before the line that reads /* That's all, stop editing! */:
define( 'WP_ALLOW_MULTISITE', true );After saving, visit Tools > Network Setup in your dashboard to complete the multisite configuration.
Putting the Site in Maintenance Mode
While there is no single built-in constant for maintenance mode, you can use a combination of a custom .maintenance file and wp-config.php constants to control upgrade behaviour. For quick database or file operations, setting WP_CACHE to false ensures visitors see fresh content immediately after changes:
define( 'WP_CACHE', false );Mastering wp-config.php gives you granular control over nearly every aspect of your WordPress site — from security hardening to performance tuning. As your site grows, you will find yourself returning to this file again and again. Always keep a backup before editing, use version control where possible, and test changes in a staging environment first.
Frequently Asked Questions
Is it safe to edit wp-config.php directly?
Yes, editing wp-config.php is safe as long as you back up the file first and are careful with PHP syntax. A missing semicolon or quotation mark will cause a fatal error and take your site offline. Download a copy before every edit and test changes on a staging site when possible.
What happens if I delete wp-config.php?
If wp-config.php is missing, WordPress will redirect you to the installation wizard (wp-admin/setup-config.php) as if it were a fresh install. Your database and files remain intact, but WordPress cannot connect to them until a valid wp-config.php is restored. Restoring your backup immediately will bring the site back online.
How do I fix a database connection error caused by wp-config.php?
Double-check the four database constants — DB_NAME, DB_USER, DB_PASSWORD, and DB_HOST — against the credentials in your hosting control panel. Ensure there are no extra spaces inside the quote marks. If you recently changed your database password in cPanel, update DB_PASSWORD to match. If the error persists, contact your host to confirm the correct hostname and port.
Can I add custom PHP code to wp-config.php?
You can add PHP constants and variable definitions to wp-config.php, and they will be available globally throughout WordPress. However, avoid adding complex logic, functions, or code that outputs content — wp-config.php is a configuration file, not a functions file. For custom functionality, use your theme's functions.php or a site-specific plugin instead.
Managing wp-config.php settings manually is powerful, but it requires care and technical confidence. If you would prefer a faster, safer approach, WP AI Agent is a natural-language AI chat tool that can handle WordPress configuration tasks like these — and dozens of others — simply by describing what you need in plain English, with no file editing required.