WP Umbrella Logo

WP-Config.php File: The Ultimate Guide

The WP Umbrella Team

The wp-config.php file is crucial to your WordPress installation. You’ll find this file at the root of your WordPress file directory and it contains information such as the database connection details of your website.

The file wp-config.php is not included with the first download of WordPress. According to the information you provide in the setup process, WordPress will create this file for you.

In this article, I’ll explain to you all what you should about the wp-config.php file.

Let’s get started!


The wp-config.php file is the central hub for all things WordPress. From database settings and salt keys to advanced configurations like define( ‘concatenate_scripts’, false );, this file is a treasure trove of customization options. Handle with care, and make a backup of your website with WP Umbrella before doing anything!

What is wp-config.php and Why Should You Care?

wp-config.php is a cornerstone file in any WordPress installation. It includes information about the database, such as its name, host, username, and password. WordPress uses this information to interact with the database to store and retrieve data (e.g. Posts, Users, Settings, etc.). Additionally, the file contains advanced settings for WordPress.

Ready to boost your productivity, impress your clients and grow your WordPress agency?

Install WP Umbrella on your websites in a minute and discover a new way to manage multiple WordPress sites.

Get Started for free

Where is the wp-config.php File Located?

The wp-config.php location is typically in the root folder of your WordPress installation, alongside other important folders like /wp-content/.

Creating and Editing the wp-config.php File

The wp-config.php file can be manually created by finding wp-config-sample.php (located in the root install-directory), editing it as needed, and then saving it as wp-config.php.

If you don’t find the wp-config-sample.php, you can copy/paste the code below and save it as wp-config.php in the root folder of your WordPress website.

/* MySQL settings */
define( 'DB_NAME',     'database_name_here' );
define( 'DB_USER',     'username_here' );
define( 'DB_PASSWORD', 'password_here' );
define( 'DB_HOST',     'localhost' );
define( 'DB_CHARSET',  'utf8mb4' );

/* database table prefix. */
$table_prefix = 'wp_';

/* Authentication Unique Keys and Salts. */
/* https://api.wordpress.org/secret-key/1.1/salt/ */
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );

/* Turning off the debug mode */
define( 'WP_DEBUG', false );

/* Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
	define('ABSPATH', dirname(__FILE__) . '/');

/* Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

Where Is The wp-config.php File Located?

WP-config.php file location

You’ll usually find the wp-config.php file in your website’s root folder along with other folders such as /wp-content/.

How To Edit wp-config File: The Basic Settings

Database settings

The first setting deals with the database connection. Posts and other bits and pieces of WordPress data are stored in a database; they must be accessed to run.

The parameters of a database connection are the host, the username, the password, and the name of the database.

define( 'DB_NAME',     'database_name_here' );
define( 'DB_USER',     'username_here' );
define( 'DB_PASSWORD', 'password_here' );
define( 'DB_HOST',     'localhost' );
define( 'DB_CHARSET',  'utf8mb4' );

As I mentioned earlier, the first four lines represent the four key settings of your database. They can generally be founded in your hosting admin panel.

Character sets relate to languages and how they store specific characters. For example, UTF8 contains special characters like “*”, so it’s a good choice. This setting should be left alone unless you have special knowledge about these things.

Authentication unique keys and salts

key and salts wp config.php

Users logged in to WordPress are protected by security keys. These can be generated using the secret-key API of WordPress.org. You should include them if you do not see them in the file.

You should replace them if you’ve been hacked. There will be no data loss.

How often should I change my salt keys?

Your salt key are just like a locker. If it has not been forced, you don’t necessarily need to change it. Some security experts however advise to update your salt keys at least once a year.

Database prefix

It’s wp_ by default, but you can also type any letters or numbers you want. The last letter must always be an underscore, and it is best if it is a letter and not a number

Security warning: anyone knows that wp_ is the default value and this could open a vulnerability on your website, which can be easily fixed by defining a custom value for $table_prefix when running the set-up.


Debugging WordPress comes next on the list of settings. This is set to false by default, which means that error messages will be hidden. In production, this should be left on “FALSE” because it can help hackers to identify issues and security breaches on your website.

When developing or debugging a site it’s another story: you want to see errors so that you can fix them.

Setting the WP_DEBUG constant to “True” will, for instance, help you figure out why a theme or plugin is giving you the white screen of death.

So keep it on FALSE, unless you need to debug your website.

WP-Config File: The Advanced Settings

It’s absolutely legitimate to add any valid PHP to the config file since it’s just like any other file. Nevertheless, wp-config.php should be edited with care. Don’t add items unless necessary, and be careful when editing it so that your website doesn’t break. 

Let’s not forget, this is the heart of WordPress!

Custom Directory Locations

You can modify the location of various WordPress folders from the config file. This could be useful if you want to:

  • Migrating from a previous system to a site with a similar folder structure 
  • Keeping things secure by not relying on a default structure
  •  Removing clutter from the root directory

Moving the WP-Content folder

define( 'WP_CONTENT_DIR', dirname(__FILE__) . '/site/wp-content' );
define( 'WP_CONTENT_URL', 'http://example.com/site/wp-content' );

The first constant sets the full directory path and the second sets the new directory URL.

Moving the plugins folder

In the same manner, you can move the plugins folder of your WordPress site/

define( 'WP_PLUGIN_DIR', dirname(__FILE__) . '/wp-content/folder/plugins' );
define( 'WP_PLUGIN_URL', 'http://example.com/wp-content/folder/plugins' );

When done, arrange the folders according to your modifications and reload WordPress.

Debug Mode and Saving Queries

In some cases, you may be able to force WordPress to display errors and warnings for theme or plugin debugging purposes. You simply need to set the WP_DEBUG value to true to enable debugging:

define( 'WP_DEBUG', true );

You should disable the debug mode when you are working on a live site as we mentioned earlier. Warnings and errors should never be displayed to site viewers, as this can provide valuable information to hackers. 

However, if you need to debug, you can force WordPress records information about errors and warning in a file, placed in a debug.log file, placed in /wp-content folder.

To do so, you need to add these lines of code in the wp-config file:

define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', 0 );

Modify The AutoSave Interval of WordPress

WP uses Ajax to automatically save changes to posts as you edit them. Increasing this setting will delay auto-saving longer, but lowering it will ensure you never lose changes. The default setting is 60 seconds.

define( 'AUTOSAVE_INTERVAL', 30 );

You can also disable the functionality if you want by adding this peace of code:

define( 'WP_POST_REVISIONS', false );

Prevent Anyone From Editing Plugins/Themes From Inside The Admin Dashboard

This is so useful if you are an agency or a freelancer and want to block your customers from messing with your work.

define( 'DISALLOW_FILE_EDIT', true );

Enable WordPress multisite

Multisite networks allow the same WordPress installation to be shared by multiple sites. Each site in the network is a virtual site, meaning that it does not have a separate directory on your server, although it does have its own subdirectory for media uploads within the shared installation, and separate tables in the database.

A multisite install allows you to set up separate WordPress sites based on the same install. This makes managing numerous websites very easy. This is typically used in corporate websites where the company website, shop, and blog are separate. 

To enable multisite, you need to set WP_ALLOW_MULTISITE TRUE:

define( 'WP_ALLOW_MULTISITE', true );

As soon as you have defined this, reload the WordPress admin interface and you will find an option called “Network Setup” under the “Tools” section. WordPress will ask you to set up additional settings in your config file and .htaccess file.

Once you’re finished, you’ll be logged out and a nice new network install will appear when you re-log in

Modify The Allowed PHP Memory Size

In WordPress, if you need more memory than the default allocated space, the allowed memory error will pop up.

The server’s maximum memory size will depend on its configuration.

Assuming you were not able to access the php.ini file, you can still set the WP_MEMORY_LIMIT constant in the wp-config file to increase WordPress memory.

To do so, add the following lines of code:

define( 'WP_MEMORY_LIMIT', '128M' );

By default, the memory limit is 64Mo.

Disable Automatic Updates

From version 3.7 onwards, WordPress integrates automatic security updates. It is an essential feature that allows site admins to secure their website at all times. If you define the following constant, all automatic updates can be disabled:


Advanced Settings for Developers

Several settings in the config file can help developers catch errors or write better code. WP_DEBUG is the most prominent of these constants. Setting this to “True” will force errors to appear.

Furthermore, you may want to make sure that the CSS and Javascript files are served full-size and unaltered on page load by adding this piece of code in the wp-config file.

define( 'SCRIPT_DEBUG', true );
define( 'CONCATENATE_SCRIPTS', false );

Another useful WordPress constant for devs is the SAVEQUERIES one. It will allow you to get access to detailed profiles of the SQL queries performed by WordPress.

Then we can get a quick overview of all the queries by printing $wpdb->queries.

global $wpdb;
echo "<pre>";
print_r( $wpdb->queries );
echo "</pre>";

Protecting wp-config.php

There are easy-to-implement tricks to protect your wp-config.php file from hackers.

Use an FTP client to connect to your website and download the .htaccess file found in the root directory.

Open the .htaccess file with Sublime Text of any other HTML editor.

Copy the code below to your .htaccess file. This should be copied at the bottom of your website’s .htaccess file, after all other entries.

# protect wpconfig.php
<files wp-config.php&gt;
order allow,deny
deny from all

This way, nobody will be able to access your wp-config.php file.

WP-Config.PHP Final thoughts

Throughout this post, I’ve listed several WordPress constants that can be defined in the wp-config file. There are several many constants whose functions can be easily understood.

Additionally, other constants are used for advanced features which require advanced knowledge of WordPress and website management.

If you want to learn more about these, you should give a look at the WordPress Codex.