Ultimate Guide to WordPress Settings wp-config.php – WPQuickies

In this lunchtime #WPQuickies, I talk about the humble yet powerful WordPress settings file wp-config.php.

Ultimate Guide to WordPress Settings wp-config.php – WPQuickies webinar

WordPress Configuration File: wp-config.php

The WordPress configuration file, also known as wp-config.php is one of the WordPress core files.

It is super important and without it, your WordPress website won’t load – period!

You can find the configuration file in the root folder of your hosting plan.  Usually this folder is called public_html or www.

Database Connection

define( 'DB_NAME', 'database_name_here' );

define( 'DB_USER', 'username_here' );

define( 'DB_PASSWORD', 'password_here' );

define( 'DB_HOST', 'localhost' );

define( 'DB_CHARSET', 'utf8' );

define( 'DB_COLLATE', '' );

Outside media assets, WordPress stores content in a database.  That means the WordPress PHP app needs to connect to a database server (usually MySQL or MariaDB) using a database user with login permissions.

The first block of code allows you to set up the database connection by replacing the standard defines with the correct information from your web host.

Database name, user, password should be self explanatory.

 DB_HOST is the machine name or IP where the database server resides. Localhost is a recognized name for the same machine (IP

Unless you are running a different language or for technical reasons you probably won’t need to change DB_CHARSET or DB_COLLATE.

Authentication and Salt Keys

* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}

define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );

Authentication salts help to secure login session and cookie information that is stored on any local machine that you use to login to WordPress.

Authentication keys are used as security checks while salts are used when hashing passwordsKinsta has a great in-depth article on how the keys are used: https://kinsta.com/knowledgebase/wordpress-salts/

I would recommend that you generate a new set of randomly generated keys for each new WordPress website using the link provided in the configuration file:


Here’s an example random key block.

define('AUTH_KEY',         '=K*.8o;H6boq#7h7qECNQSu.]+J_xWZic.Jg{Y*e<+R#2)[g-$l; Pvg#_wOd/pl');
define('SECURE_AUTH_KEY',  'k1|22|hj?UT*x:fhr]M,nDK5e,[HL[x6MX^>I~]&+hW sj[6nv6+8=]SZ$Pn$D8O');
define('LOGGED_IN_KEY',    '4b(}$_oiDWRrU+N~;^y8Sc;9Fl^x6=Wf/p7Lqf?N<.mob-P4$UUDhZ+%v0i+Me?J');
define('NONCE_KEY',        'W_A vjhV!##u+,Xx&ZrGKu4suXR;p/m8+K1)sB39K;2qh|-:,+U{)zx$/p~rA}1$');
define('AUTH_SALT',        '.++e|Lq&Usmno?04z94!b~P^]idu,YXJ.7v>$a#|hdG#HG:][e+Q_c-+^^ 4=|y6');
define('SECURE_AUTH_SALT', '}{w<^b|*7&&,F9`J3k)@|6_=DHs6|B|2,R{fl(/y2%i9&$Lbsh>Hr8J:{{d E|b^');
define('LOGGED_IN_SALT',   'pX]xt|TwDb Z/P/dq{Rq->N;guZ&:hOXdW+fHZ7s^]g[gTlvk^oI$dN/.%Im^F)V');
define('NONCE_SALT',       '@tS<MXXhvkQRQ|[email protected]!vVm?Ly||iK|*>c+*b?{zq2ZxZ4%:a~5p3wk`OH)UucGtv');

Note: if you change these keys for an existing website, it will invalidate all logged in users – they will have to login again and may lose data that was not saved.

ABSPATH and Bootstrapping

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', __DIR__ . '/' );

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';

The last code block sets up the file path on the file system to the core WordPress files and the very last line calls the wp-settings.php file which starts the WordPress app booting up sequence called a bootstrap.

Sometimes WordPress developers test to see if ABSPATH is defined.  If it isn’t then somebody may be trying to run a PHP file outside of WordPress by calling it directly from a URL – nobody wants that!

Remaining Configuration Settings

$table_prefix = 'wp_';

define( 'WP_DEBUG', false );

There are a couple of other lines in the middle of the configuration file.

A PHP variable $table_prefix is set to the string vaule “wp_”. 

This is the database table prefix used to make tables unique in a multisite installation.
There’s no need to change this for a single installation and there’s no additional security benefit so just leave this alone.

The other line tells WordPress not to go into debug mode. 

Let’s look at some additional configuration settings you can add to the WordPRess config file, in particular debug options.

WordPress Debugging Options

define( 'WP_DEBUG', true );
define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', true );
define( 'WP_DEBUG_LOG', ABSPATH .  'wp-errors.log' );

/* That's all, stop editing! Happy blogging. */

There are times when you need to get information from WordPress/PHP to try and find an issue that is stopping something from working.  You’ll need to put WordPress into debug mode.

Set WP_DEBUG to true.  By default WordPress will display PHP errors on your website – you probably don’t want that so add


You can force WordPress to log all the errors to a log file which is probably the best idea

Setting WP_DEBUG_LOG to true will generate a debug logfile in your /wp-contents/ folder but you can set a particular file path for the define.Remember to add new lines above the comment “/* That’s all, stop editing! Happy blogging. */”.

WordPress Address and Site URL

define( ‘WP_SITEURL’, ‘https://wp.local/site1’ );
define( ‘WP_HOME’, ‘https://wp.local’ );

WP_SITEURL corresponds to the “WordPress Address (URL)’ in your dashboard Settings > General

WP_HOME corresponds to the “Site Address (URL)’ in your dashboard Settings > General

If you add these lines to the WordPress configuration file, they will override the dashboard (Database) settings

For more details between these URLs and how they are used refer to my article Difference between WordPress Address (URL)  and Site Address (URL).

Default Theme

define('WP_DEFAULT_THEME', 'twentytwenty');

You can specify a default theme which again overrides the setting in the database.

Use define(‘WP_DEFAULT_THEME’, ‘twentytwenty’); to set the theme to the TwentyTwenty theme or whichever theme you have installed.

This is useful if your theme is broken and you can’t login to the site.

Revisions, Autosaves and Trash

// Disable post revisions
define( 'WP_POST_REVISIONS', false );
// Limit revisions to 2
define( 'WP_POST_REVISIONS', 2 );

define( 'AUTOSAVE_INTERVAL', 300 );

define( 'EMPTY_TRASH_DAYS', 3 );

By default, WordPress saves an unlimited number of post revisions in the database.  This is crazy and gobbles up valuable DB space.

Use WP_POST_REVISIONS to disable or set a limit to post revisions.  I usually set my sites to 2.

You can also change the auto-save interval (defaults to 60 seconds) using AUTOSAVE_INTERVAL. I usually set mine to 5 minutes (300 seconds)

SImilarly, change the number of days WordPress waits between emptying the trash.

Theme/Plugin File Editing & Installation

define( 'DISALLOW_FILE_EDIT', false );

define( 'DISALLOW_FILE_MODS', false );

These two settings are some of my favourite and I add them to all my managed client WordPress websites.

Setting DISALLOW_FILE_EDIT to false, diallows logged in users to edit theme and plugin files directly within the dashboard – maddness!

Setting the DISALLOW_FILE_MODS to false, stops users from installing plugins and themes from the WordPress dashboard.

PHP Memory Allocation

define( 'WP_MEMORY_LIMIT', '32M' );

define( 'WP_MAX_MEMORY_LIMIT', '128M' );

In some rare cases you may need to manually allot more memory to WordPress.  I rarely do these settings as it’s more likely that a badly coded theme or plugin are causing memory issues and not WordPress in general.

Force SSL (https)

define( 'FORCE_SSL_LOGIN', true );

define( 'FORCE_SSL_ADMIN', true );

These two configuration options are ones that I use on all my WordPress sites.

Setting FORCE_SSL_LOGIN to true forces the WordPress login URL (/wp-admin or /wp-login.php) to use https instead of the insecure http.  

Setting FORCE_SSL_ADMIN to true forces WordPress to use https throughout the admin dashboard pages.

WordPress Updates

// Disable all automatic updates:

// Disable all core updates:
define( 'WP_AUTO_UPDATE_CORE', false );
// Enable all core updates, including minor and major:
define( 'WP_AUTO_UPDATE_CORE', true );
// Enable core updates for minor releases (default):
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

You can disable all automatic updates (useful if you are managing a client site) by setting AUTOMATIC_UPDATER_DISABLED to true.

If you want WordPress core to automatically update, you can specify how it is updated by setting WP_AUTO_UPDATE_CORE to

false = disables all core updates

true = enable all core updated including major and minor 

minor = enable core updates for minor releases (default)

The new WordPress 5.5 auto-updates for themes and plugins can only be controlled using filters, not from the WordPress configuration file.

WP Cron

define( 'DISABLE_WP_CRON', true );
define( 'WP_CRON_LOCK_TIMEOUT', 120 );

define( 'DISABLE_WP_CRON', false );

You can make sure the built-in WP Cron scheduler is switched on by setting DSIABLE_WP_CRON to true )default setting) and change the interval, in seconds, between cron jobs.

Or you can disable WP Cron altogether by setting DISABLE_WP_CRON to false.

Why would you want to do that?  

Tune in next week to find out!!!


Join me every Thursday at 1 pm AEST for some more WPQuickies – WordPress tips and tricks in thirty minutes or less.

Broadcasting live on YouTube and Facebook.

Suggest a #WPQuickies Topic

If you have an WordPress topic you’d like to see explained in 30 mins or under, fill out the form below.


Was this article helpful?

Leave a Comment

Your email address will not be published. Required fields are marked *

Keep In Touch With My Weekly Blog Email

A once-per-week daily digest of my posts from the week. No sales, no spam and I will not share your details with anyone else.


Wil is a dad, WordPress consultant, WordPress developer, business coach and mentor. He co-organizes the WordPress Sydney meetup group and has been on the organising committee for WordCamp Sydney since 2014. He speaks at many special events and contributes to the WordPress open source project. His likes are chillies, craft beer and electrogravitics.

Leave a Comment

Your email address will not be published. Required fields are marked *