WordPress admin makes it easy to manage configurations without touching a line of code. These basic configuration settings are then stored in the
wp-options table inside the database. But, WordPress also has a separate configuration file, called
wp-config.php, that can be used for further customizations.
Wp-config is the file where your custom hosting data (database name, database host, etc.) is saved when you install a self-hosted WordPress site. You can also add other configuration options to this file, with which you can enable or disable features such as debugging, cache, multisite, SSL login, automatic updates, and many others.
When you download WordPress, the
wp-config.php file is not yet present inside the install folder. However, there’s a file called
wp-config-sample.php that you need to copy and rename to
wp-config.php. Then, you need to add your basic connection data (database name, database username, database password, hostname, security keys) to this file.
If your hosting provider uses the Softaculous auto installer (most do so) this process is automated for you and you will find a
wp-config.php and a
wp-config-sample.php file in your root folder when you connect your server via FTP.
Note that the order of settings matters, so don’t rearrange them. When editing the wp-config file, always use a code editor such as Sublime Text, Atom, Notepad++, Visual Studio Code, or TextMate. Word processors (Microsoft Office, Google Docs, LibreOffice, etc.) will mess your file up, never use them to edit code files.
The settings saved into wp-config override the database, in case the same type of configuration is present at both (e.g. home URL)
In this article, you can find 20 code snippets with which you can use to customize your
Most of these configuration options don’t exist in wp-config by default. If you want to use them you need to add them below the starting
tag and code comments, but above the MySQL settings.
You can turn the WordPress debugger on and off in the wp-config file. The first snippet below does exist by default in wp-config (below the database configurations) but its value is set to
false. To turn the debugger on, change its value to
WordPress uses the
wp_ table prefix by default. If you want a more secure database you can choose a more complicated table prefix.
This config option also exists in the wp-config file by default, you only need to change the value of the
$table_prefix variable to a more secure one.
Only change the table prefix if you have a clean install or on a development site, as it’s risky to do so on a production site.
# Creates secure table prefix for database tables # Only numbers, letters, underscores $table_prefix = 'a81kJt_';
You can set the WordPress and home URLs in the WordPress admin, under the
Settings > General menu. However, you can also configure these URLs in the wp-config file.
WP_HOME constants in the wp-config file has two advantages:
WP_SITEURL specifies the URL users can reach your site with, while
WP_HOME defines the root of your WP install. If you installed WordPress into your root folder (this is the default option) they take the same value.
# Specifies site URL define('WP_SITEURL', 'http://www.yourwebsite.com'); # Specifies home URL (the root of the WP install) define('WP_HOME', 'http://www.yourwebsite.com/wordpress');
You can make WordPress to automatically empty your trash after a certain number of dates. The smallest value of this constant is 0, in this case you disable the trash feature.
# Empties trash after 7 days define( 'EMPTY_TRASH_DAYS', 7 );
You can enable WordPress’ built-in caching feature with the following line of code. Most caching plugins, such as W3 Total Cache and WP Super Cache, automatically add this snippet to the wp-config file.
# Enables WP cache define( 'WP_CACHE', true );
By adding the
WP_ALLOW_MULTISITE constant to your wp-config file, you can enable WordPress’ multisite feature that allows you to create a network of WP sites.
# Turns on WordPress Multisite define( 'WP_ALLOW_MULTISITE', true );
Sometimes visitors type a non-existing subdomain or subfolder into the URL bar. You can redirect these users to another page on your domain, for instance to the homepage with the help of the
# Redirects non-existing subdomains and subfolders to homepage define( 'NOBLOGREDIRECT', 'http://www.yourwebsite.com' );
WordPress has a built-in version control system, which means it saves all post revisions you create. A frequently edited post can have as many as 25-30 revisions that can take up a lot of database space after a while.
WP_POST_REVISIONS constant, you can maximize the number of post revisions or completely disable the feature.
# Completely disables post revisions define( 'WP_POST_REVISIONS', false ); # Allows maximum 5 post revisions define( 'WP_POST_REVISIONS', 5 );
WordPress has a built-in database optimization feature you can turn on by adding the following line to the wp-config file.
I wrote in detail about how this tool works in this article. The most important thing to note is that the database optimization screen is available for anyone (even for non-logged in visitors). Enable the feature only for the period of time you want to run the optimization tool, then don’t forget to disable it.
# Turns on database optimization feature define( 'WP_ALLOW_REPAIR', true );
WordPress runs automatic background updates by default for minor releases and translation files.
You can toggle this feature on and off by setting the values of the
AUTOMATIC_UPDATER_DISABLED (for all updates) and
WP_AUTO_UPDATE_CORE (for core updates) constants according to the following rules:
# Disables all automatic updates define( 'AUTOMATIC_UPDATER_DISABLED', true ); # Disables all core updates define( 'WP_AUTO_UPDATE_CORE', false ); # Enables all core updates, including minor and major releases define( 'WP_AUTO_UPDATE_CORE', true ); # Enables core updates only for minor releases (default) define( 'WP_AUTO_UPDATE_CORE', 'minor' );
Sometimes you may want to increase the PHP memory limit your hosting provider has allocated to your site, especially if you get the dreaded “Allowed memory size of xxxxxx bytes exhausted” message. To do so, use
WP_MEMORY_LIMIT for the website and
WP_MAX_MEMORY_LIMIT for the admin area.
Note that some hosts don’t allow to increase the memory limit manually, in this case contact them and ask them to do it for you.
# Sets memory limit for the website define( 'WP_MEMORY_LIMIT', '96M' ); # Sets memory limit for the admin area define( 'WP_MAX_MEMORY_LIMIT', '128M' );
To increase website security, you can force users to log in through SSL every time. The
FORCE_SSL_ADMIN constant makes SSL compulsory for both user logins and admin sessions.
Note that the formerly valid
FORCE_SSL_LOGIN constant was deprecated in WordPress 4.0, so now you always have to use
# Forces SSL login define( 'FORCE_SSL_ADMIN', true );
Administrators can edit plugin and theme files in the WordPress admin area. You can make your site more secure if you disable the plugin and theme editors using the
DISALLOW_FILE_EDIT constant. So, if your site is hacked the hacker won’t have access to your plugin and theme files.
You can also disable the plugin and theme update feature using
DISALLOW_FILE_MODS. This way administrators won’t be able to update plugins and themes in the admin area.
DISALLOW_FILE_MODS also disables the plugin and theme editor, so if you use it you don’t have to add
# Disables the plugin and theme editor define( 'DISALLOW_FILE_EDIT', true ); # Disables the plugin & theme editor PLUS the plugin & theme update define( 'DISALLOW_FILE_MODS', true );
Whenever you edit an image, WordPress saves it in different resolutions. But, if you don’t want to use the earlier sets of images you can remove them by setting the value of the
IMAGE_EDIT_OVERWRITE constant to
As a result, the earlier image files will be overwritten by the new ones when you edit an image and only the last set will be saved in the
# Cleans up image edits define( 'IMAGE_EDIT_OVERWRITE', true );
Although low-level users (subscribers, contributors, authors) can’t publish unfiltered HTML in WordPress, editors and administrators are allowed to do so.
By adding the following line of code to your wp-config file, you can increase security by preventing high-level users from publishing unfiltered HTML.
# Disables unfiltered HTML for admins and editors define( 'DISALLOW_UNFILTERED_HTML', true );