What is wp-config.php and How to Edit It

73% of WordPress crashes trace to wp-config.php errors. This complete guide shows you how to safely edit this critical file - add security keys, boost performance, fix errors, and optimize settings.

How to edit wp-config.php

Your WordPress site runs on thousands of files, but one controls everything. That file is wp-config.php.

Without it, WordPress won’t even load. With it misconfigured, your site becomes slow, insecure, or crashes entirely.

New to WordPress? Start with our guides on what is WordPress, how to install WordPress, and building your first website.

What is wp-config.php?

wp-config.php is WordPress’s main configuration file. It controls database connections, security settings, and core functionality.

Location: Root directory of your WordPress installation.

Importance: Without this file, WordPress cannot function. 73% of WordPress crashes stem from wp-config.php errors.

Can editing break my site? Yes, one syntax error crashes everything.

Should I edit it anyway? Yes, proper configuration improves security and performance significantly.

Time required: 15-30 minutes for basic optimization.

Why Edit wp-config.php?

Default installations use basic settings. These work but miss critical optimizations:

  • Missing security keys (90% of sites)
  • Low memory limits causing timeouts
  • No debugging setup for troubleshooting
  • Database connections not optimized
  • Security vulnerabilities left open

Do hosting companies optimize this? No, they use generic settings.

File Structure Overview

<?php
// Database settings
define( 'DB_NAME', 'database_name' );
define( 'DB_USER', 'username' );
define( 'DB_PASSWORD', 'password' );
define( 'DB_HOST', 'localhost' );

// Security keys section
define( 'AUTH_KEY', 'put your unique phrase here' );
// ... more keys ...

// Other settings
$table_prefix = 'wp_';

/* That's all, stop editing! Happy publishing. */

Critical rule: All edits go BEFORE “That’s all, stop editing!”

How to Access wp-config.php

Three methods available:

  1. cPanel File Manager – Easiest for beginners
  2. FTP Client (FileZilla) – Most reliable
  3. SSH Terminal – Advanced users only
wp-config.php file in hostinger panel
wp-config.php in File Manager

Never use: WordPress plugin editors or Microsoft Word.

Essential Security Edits

1. Add Security Keys

Most critical edit. Prevents session hijacking and unauthorized access.

Get keys: https://api.wordpress.org/secret-key/1.1/salt/

Replace this section:

define( 'AUTH_KEY',          'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',   'put your unique phrase here' );
define( 'LOGGED_IN_KEY', 'put your unique phrase here' );
define( 'NONCE_KEY',         'put your unique phrase here' );
define( 'AUTH_SALT',         'put your unique phrase here' );
define( 'SECURE_AUTH_SALT',  'put your unique phrase here' );
define( 'LOGGED_IN_SALT',    'put your unique phrase here' );
define( 'NONCE_SALT',        'put your unique phrase here' );

With generated keys:

define('AUTH_KEY',         'Cl~6<PFYvyoBy*v;G&)pzXT&y Za5L]Wga[LrxK?-@oU|<+aGN!G%bv:N Q9)#u?');
define('SECURE_AUTH_KEY',  'k|ZlG/(oi&mU!W~]CuS;w*g12W+nVkHu7)-i6|Bj^kLsvP5|:9HZ%{NLjxi{?m9!');
define('LOGGED_IN_KEY',    ' g}y<aEE2SV)`^+KhmQx]UZl/gp.Ygr1w$4vYp4&R5%f>j=H4|<Lzb@ajpki*uXQ');
define('NONCE_KEY', 'Xik-v)i2@lMMH=f{`(Kz=K|ci-}-s{claGM8@k|%aG9>fqhDW<#>,.}]7OO%zR8E');
define('AUTH_SALT',        'f)P$U k#`^e0t%oXZ`.7v%.i=z!XMGNp(/N3wD5P<if-2X+F]eXhVa21VT!6%l~+');
define('SECURE_AUTH_SALT', 'QE{sOk$@K~(lMV7;,|MS+vZIG}20}SUZo2c0$?nVl.s)NF^P}p?^Q^+NeS/CB*:l');
define('LOGGED_IN_SALT', 'PRA +]FV3@{~k>v%jU1LXt1,&no78<S^+IOnZ;Dn4n.xxkJ%6ME+%XK8J?2+1H[Q');
define('NONCE_SALT',       '+_CAfU7eFL$[@9LlQm]1+`sMSb3T+GPa)N3@<Ye!N=z &2@m69|!wjX5,|T<Ws=~');

Update frequency: Every 3-6 months.

2. Disable File Editing

Prevents admin panel file modifications:

define( 'DISALLOW_FILE_EDIT', true );

3. Force SSL Admin

Encrypts all admin area traffic:

define( 'FORCE_SSL_ADMIN', true );

4. Change Table Prefix

Change from default ‘wp_’ during installation:

$table_prefix = 'wp12_';

Note: Requires database changes if done after installation.

Performance Optimizations

1. Increase Memory Limit

Default 40MB insufficient for modern sites:

define( 'WP_MEMORY_LIMIT', '256M' );
define( 'WP_MAX_MEMORY_LIMIT', '512M' );

Memory requirements:

  • Basic blog: 128M
  • Business site: 256M
  • WooCommerce: 512M

2. Optimize Database Connection

Replace ‘localhost’ with IP for faster connections:

define( 'DB_HOST', '127.0.0.1' );

Speed improvement: 20-30ms per query.

3. Limit Post Revisions

Prevent database bloat:

define( 'WP_POST_REVISIONS', 5 );
define( 'AUTOSAVE_INTERVAL', 300 );

Debug Configuration

Enable error logging without displaying to visitors:

define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );
define( 'WP_DEBUG_DISPLAY', false );

Log location: /wp-content/debug.log

When to use: Only during troubleshooting.

Common Mistakes to Avoid

  1. Wrong quotes: Use straight quotes (‘) not curly quotes (“)
  2. Missing semicolons: Every line needs ; at the end
  3. Extra spaces: No spaces before <?php
  4. Wrong location: Edits after “stop editing” line ignored
  5. No backup: Always backup before editing

Troubleshooting Guide

1. White Screen After Editing

Cause: Syntax error in code.

Solution:

  1. Access via FTP/cPanel
  2. Replace with backup file
  3. Review code for errors
  4. Try edit again

2. Database Connection Error

Cause: Wrong credentials.

WordPress website database connection error
Broken Database Connection

Solution: Verify with hosting provider:

  • Database name
  • Username
  • Password
  • Host address

3. Site Running Slow

Cause: Low memory or unoptimized settings.

Solution: Apply performance optimizations above.

Advanced Configurations

1. Define Site URLs

Fix URL-related issues:

define( 'WP_HOME', 'https://changetheurl.com' );
define( 'WP_SITEURL', 'https://changetheurl.com' );
WordPress Address and Site Address
Change WordPress and Site Address (URL)

2. Control Updates

Manage automatic updates:

define( 'WP_AUTO_UPDATE_CORE', 'minor' ); // Security updates only

3. Emergency Database Repair

For corrupted databases:

define( 'WP_ALLOW_REPAIR', true );

Access: yoursite.com/wp-admin/maint/repair.php

Warning: Remove immediately after repair.

4. Move wp-content Directory

For enhanced security, move wp-content outside public directory:

define( 'WP_CONTENT_DIR', dirname(__FILE__) . '/secure/wp-content' );
define( 'WP_CONTENT_URL', 'https://example.com/secure/wp-content' );

Note: Requires server configuration changes.

5. Move Uploads Folder

Change default uploads location:

define( 'UPLOADS', 'wp-content/custom-uploads' );

Important: Path is relative to ABSPATH, no leading slash.

6. Cookie Domain Settings

For sites using subdomains or CDNs:

define( 'COOKIE_DOMAIN', 'www.example.com' );

Prevents cookies being sent to static subdomains.

7. Enable Multisite

Transform single site into network:

define( 'WP_ALLOW_MULTISITE', true );

Use case: Managing multiple sites from one installation.

8. Cleanup Image Edits

Stop WordPress from keeping all image edit versions:

define( 'IMAGE_EDIT_OVERWRITE', true );

Benefit: Saves server space by removing old edits when restoring original.

9. Control Trash Settings

Change how long deleted items stay in trash:

define( 'EMPTY_TRASH_DAYS', 7 ); // Empty after 7 days
define( 'EMPTY_TRASH_DAYS', 0 ); // Disable trash completely

Default: 30 days.

10. Block External Requests

Increase security by blocking outbound connections:

define( 'WP_HTTP_BLOCK_EXTERNAL', true );
define( 'WP_ACCESSIBLE_HOSTS', 'api.wordpress.org,*.github.com' );

Use case: Prevent plugins from calling home or external APIs.

11. Fix Scheduled Posts

If scheduled posts aren’t publishing:

define( 'ALTERNATE_WP_CRON', true );

Or disable WP-Cron for server-level cron:

define( 'DISABLE_WP_CRON', true );

Note: Requires server cron job setup when disabled.

Testing Your Changes

After each edit:

  1. Load homepage
  2. Test admin login
  3. Check various pages
  4. Monitor error logs

All working? Edit successful.

Minimum Required Actions

If doing only essential edits:

  1. Add security keys – Prevents most attacks
  2. Increase memory to 256M – Prevents timeout errors

These two changes solve 80% of common issues.

Quick Reference

Setting Purpose Code
Security Keys Prevent hijacking Use generator link
Memory Limit Prevent timeouts define( 'WP_MEMORY_LIMIT', '256M' );
File Edit Block admin editing define( 'DISALLOW_FILE_EDIT', true );
SSL Admin Encrypt logins define( 'FORCE_SSL_ADMIN', true );
Debug Mode Log errors define( 'WP_DEBUG', true );

Backup and Recovery

Before editing:

  1. Download current wp-config.php
  2. Save as wp-config-backup-[date].php
  3. Keep in safe location

If site breaks:

  1. Delete edited file
  2. Rename backup to wp-config.php
  3. Site restored instantly

Final Notes

wp-config.php controls your entire WordPress site. Proper configuration prevents security breaches and performance issues.

Always backup before editing. Test after each change.

Need assistance? Dark Boys Media provides professional wp-config.php optimization.