WP AI Agent
Features Pricing Blog Contact Download Plugin Manage Subscription Get Free Key →

How to Use wp-config.php to Configure WordPress: Complete Guide

· · 9 min read

Learning how to use wp-config.php to configure WordPress is one of the most important skills any WordPress site owner or developer can develop. This single file controls nearly every core aspect of your WordPress installation — from database credentials and security keys to debugging modes and performance optimisations. Whether you are setting up a new site, troubleshooting errors, or hardening your security, understanding wp-config.php gives you deep, precise control over how WordPress behaves.

What Is wp-config.php and Why Does It Matter?

The wp-config.php file is the master configuration file for every WordPress installation. It lives in the root directory of your WordPress site and is one of the first files WordPress loads on every page request. Without it, WordPress cannot connect to its database or function at all.

Unlike theme files or plugins, wp-config.php operates at the core level. Changes you make here affect the entire site immediately and globally. This makes it incredibly powerful — and equally important to handle carefully. Always create a backup before editing this file.

Where Is wp-config.php Located?

By default, wp-config.php sits in the root folder of your WordPress installation. For example:

  • Local (XAMPP on Windows): C:\\xampp\\htdocs\\yoursite\\wp-config.php
  • Local (Mac/Linux): /var/www/html/yoursite/wp-config.php
  • Live server via cPanel: /public_html/wp-config.php

As a security best practice, you can move wp-config.php one directory level above the WordPress root. WordPress will automatically detect it there without any extra configuration.

How to Access and Edit wp-config.php

  1. Log in to your hosting control panel (e.g., cPanel, Plesk) or connect via FTP using a client like FileZilla.
  2. Navigate to the root directory of your WordPress installation.
  3. Locate wp-config.php and download a backup copy to your local machine.
  4. Open the file in a plain-text editor such as VS Code, Notepad++, or Nano in the terminal. Never use a rich-text editor like Microsoft Word.
  5. Make your changes carefully, save the file, and re-upload it to the server if editing locally via FTP.

Alternatively, you can edit the file directly via SSH using a command like nano wp-config.php from your site's root directory.

Configuring Database Settings in wp-config.php

The most critical section of wp-config.php is the database configuration block. WordPress needs these credentials to connect to its MySQL or MariaDB database and retrieve all your content, settings, and user data.

The Core Database Constants

Here is what a typical database configuration block looks like:

// ** Database settings ** //
define( 'DB_NAME',     'your_database_name' );
define( 'DB_USER',     'your_database_username' );
define( 'DB_PASSWORD', 'your_database_password' );
define( 'DB_HOST',     'localhost' );
define( 'DB_CHARSET',  'utf8mb4' );
define( 'DB_COLLATE',  '' );
  • DB_NAME: The exact name of your WordPress database.
  • DB_USER: The database user with access to that database.
  • DB_PASSWORD: The password for the database user.
  • DB_HOST: Usually localhost, but some hosts use a custom hostname or port such as localhost:3306.
  • DB_CHARSET: Use utf8mb4 to support the full Unicode character set including emoji.

Changing the Database Table Prefix

By default, WordPress uses the table prefix wp_. Changing this is a simple but effective security measure that makes it harder for automated SQL injection attacks to target your tables.

$table_prefix = 'mywp_';

Important: Only change the table prefix during a fresh installation. If you change it on an existing site, you must also rename all existing tables and update the prefix references stored within the database itself, or your site will break.

Managing Security Keys and Salts

WordPress uses a set of cryptographic keys and salts to secure user sessions and cookies. These are defined as constants in wp-config.php and should be long, random strings unique to each WordPress installation.

Generating New Security Keys

  1. Visit the official WordPress Secret Key Generator at https://api.wordpress.org/secret-key/1.1/salt/.
  2. The page will generate a fresh, random set of eight keys every time you load it.
  3. Copy the entire output.
  4. Open your wp-config.php and find the section that begins with define('AUTH_KEY',.
  5. Replace all eight existing key lines with the newly generated ones.
  6. Save and upload the file. All currently logged-in users (including you) will be logged out immediately, so be ready to log back in.

Refreshing your security keys periodically — especially after a suspected security incident — is a recommended maintenance practice that invalidates all active session cookies.

What the Security Keys Protect

The eight constants — AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, and their matching _SALT variants — are used to hash and verify authentication cookies. Without unique keys, cookies from one WordPress site could theoretically be replayed on another site using the same default values.

Enabling Debugging Mode for Development

One of the most frequently used features of wp-config.php is its ability to enable WordPress debugging. When you are troubleshooting a broken site, a plugin conflict, or developing a custom theme, debugging constants are indispensable.

The WP_DEBUG Constant

// Enable WordPress debugging
define( 'WP_DEBUG', true );

// Log errors to a file instead of displaying on screen
define( 'WP_DEBUG_LOG', true );

// Hide errors from the front end (recommended on live sites)
define( 'WP_DEBUG_DISPLAY', false );

// Suppress PHP notices in scripts
@ini_set( 'display_errors', 0 );

With WP_DEBUG set to true and WP_DEBUG_LOG enabled, all PHP errors, notices, and warnings are written to a file called debug.log inside your /wp-content/ folder. You can inspect this file at any time to diagnose issues without exposing errors to site visitors.

Script and Style Debugging

Two additional constants are useful for front-end development:

  • SCRIPT_DEBUG: Forces WordPress to load unminified versions of its bundled JavaScript and CSS files, making debugging much easier.
  • CONCATENATE_SCRIPTS: When set to false, prevents WordPress from combining admin scripts into a single request, which can help isolate JS conflicts in the dashboard.
define( 'SCRIPT_DEBUG', true );
define( 'CONCATENATE_SCRIPTS', false );

Always set WP_DEBUG back to false before deploying to a live production environment.

Performance and Advanced Configuration Options

Beyond the basics, wp-config.php offers a range of constants that can meaningfully improve your site's performance, manage memory, and control file system behaviour.

Increasing the PHP Memory Limit

If you see a "Allowed memory size exhausted" error, increasing WordPress's memory allocation often resolves it:

define( 'WP_MEMORY_LIMIT', '256M' );

For the WordPress admin area, which typically requires more memory than the front end, you can set a separate limit:

define( 'WP_MAX_MEMORY_LIMIT', '512M' );

Note that these values cannot exceed the memory limit set by your PHP configuration. Contact your host if you need to raise the server-level limit.

Controlling Automatic Updates

WordPress automatically applies minor core updates by default. You can fine-tune this behaviour using constants in wp-config.php:

  • Disable all automatic updates: define( 'AUTOMATIC_UPDATER_DISABLED', true );
  • Enable major core auto-updates: define( 'WP_AUTO_UPDATE_CORE', true );
  • Disable only minor auto-updates: define( 'WP_AUTO_UPDATE_CORE', false );

Setting the WordPress and Content Directory URLs

If you have moved WordPress into a subdirectory or are experiencing URL-related issues, you can hardcode the site addresses directly in wp-config.php:

define( 'WP_HOME',    'https://www.yoursite.com' );
define( 'WP_SITEURL', 'https://www.yoursite.com' );

This is particularly useful for recovering a site where the admin dashboard is inaccessible because of a misconfigured URL setting in the database.

Configuring the Trash and Revision Settings

By default, WordPress keeps post revisions indefinitely. On large sites with heavy editorial workflows, this can bloat your database significantly. You can limit revisions and control how long items stay in the trash:

// Keep only the 5 most recent revisions per post
define( 'WP_POST_REVISIONS', 5 );

// Empty trash after 7 days (set to 0 to disable trash)
define( 'EMPTY_TRASH_DAYS', 7 );

Security Hardening Through wp-config.php

Several wp-config.php settings directly strengthen the security posture of your WordPress site, reducing the attack surface available to malicious actors.

Disabling the File Editor

WordPress includes a built-in theme and plugin editor accessible from the admin dashboard. If an attacker gains admin access, this editor can be used to inject malicious code. Disabling it is a simple and effective precaution:

define( 'DISALLOW_FILE_EDIT', true );

Disabling File Modifications Entirely

To go further and prevent WordPress from modifying any files on the server — including plugin and theme updates via the dashboard — use:

define( 'DISALLOW_FILE_MODS', true );

Note that enabling this constant will also disable the built-in update mechanisms for plugins, themes, and WordPress core from the admin UI. Updates would then need to be performed via FTP, SSH, or WP-CLI.

Forcing SSL for the Admin Area

If your site has an SSL certificate installed, you can force all admin logins and dashboard sessions to use HTTPS:

define( 'FORCE_SSL_ADMIN', true );

This ensures that admin credentials and session cookies are never transmitted over an unencrypted connection, protecting against man-in-the-middle attacks on public or shared networks.

Using WP-CLI to Verify Configuration

If you have WP-CLI installed on your server, you can quickly verify key configuration values without opening the file manually:

wp config list

This command outputs all defined constants and their values in a readable table, making it easy to audit your configuration at a glance. You can also set individual values via WP-CLI:

wp config set WP_DEBUG true --raw

Mastering wp-config.php gives you a powerful lever over every WordPress installation you manage. From locking down security to optimising performance and streamlining your debugging workflow, the constants and settings available in this file can save hours of troubleshooting and significantly improve site reliability. As your confidence grows, you will find yourself returning to this file regularly as part of a professional WordPress management routine. For those who want an even faster way to make these kinds of configuration changes and handle other WordPress tasks, WP AI Agent is a tool that lets you manage, configure, and troubleshoot WordPress sites through simple natural-language AI chat — no manual file editing required.

Frequently Asked Questions

Is it safe to edit wp-config.php directly?

Yes, it is safe as long as you take precautions. Always download and keep a backup copy before making any changes. Edit the file using a plain-text editor, never a rich-text word processor. One syntax error — such as a missing semicolon or quote — can make your entire site inaccessible, so double-check your changes before saving.

What happens if I delete wp-config.php by accident?

If wp-config.php is deleted, WordPress will display the installation wizard as if it were a fresh setup. Your database and all its content remain intact, but WordPress cannot connect to it without the configuration file. Restore your backup immediately, or recreate the file using the wp-config-sample.php file included with every WordPress download as a template.

How do I fix a WordPress site that shows a white screen after editing wp-config.php?

A white screen or "Error establishing a database connection" message after editing wp-config.php almost always indicates a syntax error or incorrect database credentials. Access your site via FTP or SSH, restore your backup of the file, and carefully re-apply only the specific change you intended to make. Enable WP_DEBUG temporarily to see the exact PHP error if the white screen persists.

Can I have multiple wp-config.php files for different environments?

WordPress itself only reads one wp-config.php file, but many development workflows use a technique where a base wp-config.php detects the current environment (local, staging, or production) and then includes a separate environment-specific config file. Alternatively, tools like WP-CLI and environment variable management systems allow you to keep sensitive credentials out of version control entirely while still supporting multiple environments cleanly.

Ready to manage WordPress with AI?

Get 100,000 tokens free every month. No credit card required.

Get Your Free License Key →

More from the blog

8 min read

How to Add a Table of Contents to WordPress Posts (Complete Guide)

7 min read

How to Display a Recent Posts Widget in WordPress: Complete Guide

8 min read

How to Create a 404 Error Page in WordPress: Complete Guide