wp-config.php is the most important file in a WordPress install. It holds the database connection, the security keys, and a set of constants that control how WordPress behaves. Getting a few of them right closes off common problems. Here is what matters.
The settings worth getting right
- Authentication keys and salts. The eight unique keys that secure login cookies. Always use fresh, random values, never the defaults.
- Database table prefix. Changing the default wp_ prefix is a small obstacle for automated attacks.
- Disable the file editor. Setting DISALLOW_FILE_EDIT to true stops anyone who gains admin access from editing theme and plugin code from the dashboard.
- Control debugging. Keep WP_DEBUG off in production. When you do need it, log to a file rather than showing errors to visitors.
- Force SSL for admin. FORCE_SSL_ADMIN keeps the dashboard on HTTPS.
- Limit post revisions and set autosave. Small tweaks that keep the database from bloating.
Generate a clean config in two steps
- Open the wp-config Generator and choose the options you want.
- Copy the generated file and drop it into your site root, then fill in your database details.
The file is built in your browser; nothing is uploaded.
Keep secrets out of version control
If you keep your site in git, do not commit wp-config.php with real credentials. Use environment variables or a separate untracked config, and never expose database passwords or keys.
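A wp-config.php that is safe to commit, combining the settings listed above with credentials read from the environment. This is an added example, not output from the generator; the environment variable names (WP_DB_NAME, WP_ENV and so on), the env_required() helper, and the sample prefix and numeric values are assumptions to adapt.

```php
<?php
// Added example: no secret is stored in this file, so it can live in git.
// Variable names such as WP_DB_NAME are assumptions; use whatever your host provides.

// Hypothetical helper: fail closed if a required secret is missing,
// instead of starting WordPress with an empty password or key.
function env_required(string $name): string {
    $value = getenv($name);
    if ($value === false || $value === '') {
        error_log("wp-config: missing environment variable {$name}");
        http_response_code(500);
        exit('Configuration error.');
    }
    return $value;
}

define('DB_NAME',     env_required('WP_DB_NAME'));
define('DB_USER',     env_required('WP_DB_USER'));
define('DB_PASSWORD', env_required('WP_DB_PASSWORD'));
define('DB_HOST',     getenv('WP_DB_HOST') ?: 'localhost');

// The eight authentication keys and salts, each from its own variable (WP_AUTH_KEY, ...).
foreach (['AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
          'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT'] as $key) {
    define($key, env_required('WP_' . $key));
}

$table_prefix = 'wpx7_'; // constructed sample; letters, digits and underscores only

define('DISALLOW_FILE_EDIT', true); // no theme/plugin code editor in the dashboard
define('FORCE_SSL_ADMIN', true);    // dashboard and login stay on HTTPS

// Debugging stays off unless WP_ENV=development (assumed variable name).
$is_dev = getenv('WP_ENV') === 'development';
define('WP_DEBUG', $is_dev);
define('WP_DEBUG_LOG', $is_dev);   // logs to wp-content/debug.log; block web access to it
define('WP_DEBUG_DISPLAY', false); // never print errors to visitors

define('WP_POST_REVISIONS', 5);   // constructed sample value
define('AUTOSAVE_INTERVAL', 120); // seconds; constructed sample value

if (!defined('ABSPATH')) {
    define('ABSPATH', __DIR__ . '/');
}
require_once ABSPATH . 'wp-settings.php';
```

Set the variables in the web server or PHP-FPM pool configuration, or in an untracked file that the deployment loads, so the values never enter the repository.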
Related tools
- Need fresh keys only? Use the WordPress Salt Generator.
- Picking a safe table prefix? Try the DB Table Prefix Generator.
- Tuning server memory next? See the PHP-FPM Calculator.
Set the keys, lock down file editing, keep debug off in production, and your wp-config.php is in good shape.