Secure your WordPress site by customizing wp-config.php

Security Team

The wp-config.php file is one of the most critical components in WordPress, storing essential settings such as database connection details, security keys, and core configurations that directly impact how your website operates. Editing this file can help improve performance, strengthen security, or resolve system errors, but it also carries risks if done incorrectly. 

In this guide, you’ll learn how to properly edit wp-config.php to keep your WordPress site secure and stable.

What is wp-config.php in WordPress?

The wp-config.php file is a core configuration file used in every self-hosted WordPress website. Unlike most built-in files, it is not included by default but is created specifically for your site during the installation process.

This file stores essential database information required for your website to function. Without it, WordPress cannot connect to the database, resulting in the “error establishing database connection” message. In addition to database credentials, it also contains several advanced configuration settings.

Because wp-config.php holds sensitive data, developers and security experts generally advise against editing it unless absolutely necessary. However, if you do need to make changes, it’s important to follow the correct steps to avoid breaking your website.

Where is wp-config.php located?

The wp-config.php file is located in the root directory of your WordPress installation. This is the main folder where core files like wp-admin, wp-content, and wp-includes are stored.

In most cases, you can find it here:

  • /public_html/wp-config.php (on shared hosting)
  • /your-domain-folder/wp-config.php

Important notes before editing the wp-config.php file

Before editing the wp-config.php file in WordPress, the first step is to create a full backup of your website. This file is critical, and even a small mistake can make your site inaccessible. To access it, you will need an FTP application. Windows users can use WinSCP or SmartFTP, while Mac users may choose Transmit or CyberDuck. These tools allow you to transfer files between your server and computer.

To connect via FTP, you will need your login credentials, which are provided by your web hosting service. If you cannot log in or encounter issues, contact your hosting provider for support. The wp-config.php file is typically located in the root directory of your website, alongside folders such as /wp-content/.

Simply right-click the file and select download. Your FTP client will save a copy to your computer, where you can open and edit it using a basic text editor like Notepad or TextEdit.

You should also review the complete default code of the wp-config.php file. If needed, you can refer to a sample version for guidance.

<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://codex.wordpress.org/Editing_wp-config.php
 *
 * @package WordPress
 */
 
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'database_name_here');
 
/** MySQL database username */
define('DB_USER', 'username_here');
 
/** MySQL database password */
define('DB_PASSWORD', 'password_here');
 
/** MySQL hostname */
define('DB_HOST', 'localhost');
 
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
 
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
 
/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
 
/**#@-*/
 
/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';
 
/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the Codex.
 *
 * @link https://codex.wordpress.org/Debugging_in_WordPress
 */
define('WP_DEBUG', false);
 
/* That's all, stop editing! Happy blogging. */
 
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');
 
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

Each section in the wp-config.php file is clearly documented within the file itself. Most settings are defined using PHP constants with the following syntax:

define( 'constant_name', 'value' );

You can review each section to better understand how the configuration works.

MySQL settings in wp-config.php

Your WordPress database connection details are located in the “MySQL Settings” section of wp-config.php. This includes the MySQL host, database name, username, and password:

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'database_name_here');
 
/** MySQL database username */
define('DB_USER', 'username_here');
 
/** MySQL database password */
define('DB_PASSWORD', 'password_here');
 
/** MySQL hostname */
define('DB_HOST', 'localhost');
 
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
 
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

You can find these database details in your hosting account, typically within the “Databases” section of your control panel.

If you’re unable to locate your WordPress database name, username, or password, contact your hosting provider for assistance.

Authentication Keys and Salts

Authentication Keys and Salts in the wp-config.php file are essential security components that help protect your WordPress website. WordPress mixes them into the hashes that protect login cookies and nonces, making it significantly harder for unauthorized users to forge a session or compromise your data.

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
 
/**#@-*/

You can generate new security keys and paste them into this section. This is especially useful if you suspect your WordPress site has been compromised. Updating these keys will log out all currently active users and require them to sign in again.
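A check for the keys and salts section, given here as an added example that is not part of the original guide or of WordPress itself. It flags constants that are missing, still set to the sample placeholder, too short, or reused, and it generates replacement lines locally; the 64-character minimum, the character set and the function names are assumptions made for this example.

```python
import re
import secrets
import string

# The eight constants from the "Authentication Unique Keys and Salts" section.
KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"
MIN_LENGTH = 64  # assumption: length of the values the WordPress.org key service returns
# Quotes and backslashes are left out so a value never needs PHP escaping.
ALPHABET = string.ascii_letters + string.digits + "!#%&()*+,-./:;<=>?@[]^_{|}~"
# define('NAME', 'value'); with either quote style; backslash escapes are skipped over.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*(['"])(\w+)\1\s*,\s*(['"])((?:\\.|(?!\3).)*)\3\s*\)\s*;""", re.M)

def parse_defines(config_text):
    """Return {constant: value} for string-valued define() calls."""
    return {m.group(2): m.group(4) for m in DEFINE_RE.finditer(config_text)}

def audit_keys(config_text):
    """Return (constant, problem) pairs for the eight keys and salts."""
    defines, findings, seen = parse_defines(config_text), [], {}
    for name in KEY_NAMES:
        value = defines.get(name)
        if value is None:
            findings.append((name, "missing"))
        elif value == PLACEHOLDER:
            findings.append((name, "placeholder"))
        elif len(value) < MIN_LENGTH:
            findings.append((name, "too short"))
        elif value in seen:
            findings.append((name, "same value as " + seen[value]))
        else:
            seen[value] = name
    return findings

def generate_defines():
    """Return eight define() lines with fresh values from the OS random source."""
    return "\n".join(
        f"define('{name}', '{''.join(secrets.choice(ALPHABET) for _ in range(MIN_LENGTH))}');"
        for name in KEY_NAMES)

# Constructed sample input, not taken from a real site.
SAMPLE = ("<?php\n"
          "define('AUTH_KEY', 'put your unique phrase here');\n"
          "define('AUTH_SALT', 'short-value');\n")

if __name__ == "__main__":
    for name, problem in audit_keys(SAMPLE):
        print(f"{name}: {problem}")
```
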

WordPress Database Table Prefix

By default, WordPress uses the prefix “wp_” for all database tables. It is recommended to change this to a random value to make your database structure harder to predict. This reduces the risk of common SQL-based attacks.

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';

Note that you cannot change this value for an existing WordPress site without additional steps.

WordPress Debugging Mode

This setting is especially useful for users learning WordPress development or testing experimental features. By default, WordPress hides PHP error messages during code execution. If you need to view these hidden notices, simply enable debugging mode by setting it to true. This allows errors and warnings to be displayed clearly, helping developers identify issues and resolve them more efficiently.

define('WP_DEBUG', false);

Absolute Path Settings

At the end of the wp-config.php file, the absolute path is defined. This is used to set up core variables and include essential WordPress files. You typically do not need to modify this section.

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

Useful settings and tips in wp-config.php

There are additional configurations in wp-config.php that can help troubleshoot errors and resolve common WordPress issues.

Change MySQL port and socket settings

If your hosting provider uses a custom MySQL port, you need to update the existing DB_HOST value to include the correct port number.

define( 'DB_HOST', 'localhost:5067' );

Replace 5067 with the port provided by your hosting service.

If your server uses a MySQL socket or pipe (file path), you should configure it like this:

define( 'DB_HOST', 'localhost:/var/run/mysqld/mysqld.sock' );

Change WordPress URL using the wp-config.php file

You may need to update your WordPress URL when moving your site to a new domain or hosting server. Normally, this can be done in Settings > General within the admin dashboard.

However, if you cannot access the admin area due to errors like “Too many redirects,” you can update the URL directly in the wp-config.php file. Simply add the following lines:

define('WP_HOME','http://example.com');
define('WP_SITEURL','http://example.com');

Replace example.com with your actual domain name. Keep in mind that search engines treat www.example.com and example.com as separate addresses. If your site was indexed with the “www” prefix, be sure to use the correct version.

Change the upload directory using the wp-config.php file

By default, WordPress stores uploaded files in the /wp-content/uploads/ folder. If you want to use a different location for media files, you can define a custom path by adding this line:

define( 'UPLOADS', 'wp-content/media' );

Note that this path must be relative to ABSPATH, which WordPress sets automatically. Using an absolute path will not work.

Disable automatic updates in WordPress

WordPress introduced automatic updates in version 3.7, allowing sites to install minor updates by default. While this improves security, it can sometimes cause compatibility issues and make your site inaccessible.

To disable all automatic updates, add the following line to your wp-config.php file:

define( 'WP_AUTO_UPDATE_CORE', false );
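Several of the settings covered so far (table prefix, debugging mode, site URL and automatic updates) carry a security trade-off. The review below is an added example, not code from the original guide or from WordPress. It runs over a risky and a hardened configuration, both constructed for illustration; the function names are assumptions, while WP_DEBUG_DISPLAY, WP_DEBUG_LOG and the 'minor' update value are standard WordPress options not shown elsewhere on this page.

```python
import re

# define('NAME', value); where value is a quoted string or a bare literal such as false.
DEFINE_RE = re.compile(r"""^\s*define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""", re.M)
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*['"](\w*)['"]\s*;""", re.M)

def read_settings(config_text):
    """Return {constant: lower-cased value without quotes}; block comments are not parsed."""
    return {n: v.strip("'\"").lower() for n, v in DEFINE_RE.findall(config_text)}

def audit_settings(config_text):
    """Return a list of findings for the settings this guide discusses."""
    s, findings = read_settings(config_text), []
    # WP_DEBUG_DISPLAY defaults to true, so WP_DEBUG alone prints errors into pages.
    if s.get("WP_DEBUG") == "true" and s.get("WP_DEBUG_DISPLAY", "true") != "false":
        findings.append("WP_DEBUG: PHP errors are displayed to visitors")
    for name in ("WP_HOME", "WP_SITEURL"):
        if s.get(name, "").startswith("http://"):
            findings.append(name + ": plain-HTTP URL")
    if s.get("WP_AUTO_UPDATE_CORE") == "false":
        findings.append("WP_AUTO_UPDATE_CORE: core security releases need manual install")
    prefix = PREFIX_RE.search(config_text)
    if prefix and prefix.group(1) == "wp_":
        findings.append("$table_prefix: default value wp_")
    return findings

# Constructed sample configurations, not taken from a real site.
RISKY = """<?php
$table_prefix  = 'wp_';
define('WP_DEBUG', true);
define('WP_HOME','http://example.com');
define('WP_SITEURL','http://example.com');
define( 'WP_AUTO_UPDATE_CORE', false );
"""
HARDENED = """<?php
$table_prefix  = 'k3x9_';
define('WP_DEBUG', true);
define('WP_DEBUG_LOG', true);       // write errors to a log file
define('WP_DEBUG_DISPLAY', false);  // and keep them out of rendered pages
define('WP_HOME','https://example.com');
define('WP_SITEURL','https://example.com');
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
"""

if __name__ == "__main__":
    for finding in audit_settings(RISKY):
        print(finding)
```
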

Limit post revisions in WordPress

WordPress automatically saves drafts and revisions for each post. On large websites, this can significantly increase backup size and database load.

To limit the number of revisions stored, add this line to your wp-config.php file:

define( 'WP_POST_REVISIONS', 3 );

You can replace “3” with any number you prefer. WordPress will then remove older revisions automatically, although existing revisions remain stored in the database.

Conclusion

In summary, understanding and customizing the wp-config.php file not only gives you better control over how WordPress operates, but also significantly improves your website’s security and performance. With just a few simple configuration lines, you can reduce risks, optimize data, and ensure a more stable system. If you are managing a WordPress website, don’t overlook these essential settings to protect and optimize your platform.

If you’re concerned that editing the wp-config.php file might cause errors, a simpler and safer option is to use a dedicated firewall like W7SFW (WordPress Firewall).

This solution is designed to protect your website without requiring deep technical knowledge. You can install and configure it in just a few steps, making it suitable even for non-technical users. W7SFW automatically blocks malicious traffic, prevents common attack vectors, and strengthens your website’s security layer without manual code changes.
