The WordPress Configuration File

WordPress Workings

The WordPress configuration file is found in the root directory of your hosting account or the root directory of your WordPress installation if you have WordPress installed in a sub-folder. If you manually installed WordPress you are familiar with this file however, if you used your hosting provider’s “5-minute install” procedure the installation process generated the configuration file automatically.

The configuration file is called wp-config.php Manual installations of WordPress will have a file called wp-config-sample.php  which you are directed to rename to remove the -sample and to populate with the information specific to your website.

The first section of the wp-config file contains these lines.

/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://codex.wordpress.org/Editing_wp-config.php
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress-databse-name' );

/** MySQL database username */
define( 'DB_USER', 'database-user-name' );

/** MySQL database password */
define( 'DB_PASSWORD', 'database-password-for-user' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

As the section header says, this section contains the information that WordPress needs to connect to your website’s database – the location of all of the content that you write on your site. I have colored some information blue to indicate that they are lines where you will need to provide information. If you used an installation script in your hosting account to install WordPress these lines will be populated with the information specific to your installation. The script will have generated a MySQL database with name and password and the hostname will be filled in for your specific hosting company. The Charset is usually set at utf8. Consider it a type of alphabet for the database – the types of characters that can be used.  Finally, as it says, if you are not familiar with the Database Collate type, leave it as the default value. If you are accomplishing a manual installation of WordPress it will be necessary for you to create an empty MySQL database in your hosting account. That database will have an assigned name either selected by you or your hosting provider. You will also have to establish a database username and a password for that user to access the database you established. That will mean specifically assigning that user to the new database. Most installations use localhost as the hostname, however some hosting providers use hostnames specific to their server configurations. You will have to ask your hosting company tech support representative for the correct setting.

The next section of the configuration file looks like this :

/**
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         '$Z]z=faVB-qa@h<wB.<vTY%:G0[~hC:9b-.Me0E3IvxzT=mE_vi~Ms-v_eb$|1Y#');
define('SECURE_AUTH_KEY',  '55y/<,;M E%8X<IG$>0pAf<in3v6G?3&-E|=+C}n}Ii?(_*-Ajof;bjVpxzu<:c1');
define('LOGGED_IN_KEY',    ')G2PL~{2MDW0+&}WzVjT`eJ-0Sa0H1TS]O`|:R)xrAdH>0v>)N,^v|RrJ /LIxp&');
define('NONCE_KEY',        '}b-ge$5Y]&py)0V6QpI6jYoY+$zT-NU~UM0x-N+4|X^>I$N|{wk<K+pr4O#+egP?');
define('AUTH_SALT',        '-,^P!urHVA;@g3Hfn h}3p&^JXqUL7B6|ob>*DIM,^(5i^xf]o5Tvs?0}APq]X|q');
define('SECURE_AUTH_SALT', '=u:zkm*-JEk}3DQ+lx~9uDcX?[4NAF5Tie-403PU3#l-DSnG[2O!I-f)?Qqi%9*p');
define('LOGGED_IN_SALT',   'FelG88Ozch2;V`)4! Kvgb=sIEyS9Q}{`)*()IAB)p`G?R9:FO=[gq|nz{RWhE[]');
define('NONCE_SALT',       '_LI(I8-vJ; ^_[|y| 2_IEJ,$c||T_lNQaZ,MnL!;li~I4qCvE%l0hT>gmbF#5Uv');
define( 'WP_CACHE_KEY_SALT', '|)QuWSE_oM7qRgr]D_nay;n6g,0ODL=2,fKwdIUC:%cO_w#l0(Kny6f}X-(la*R;' );

These WordPress ‘salts’ are used by WordPress to help keep track of a particular website user session. The salt values help WordPress generate a unique session identification character set associated with a user session so that the session cannot be easily ‘stolen’ by someone while the session is in progress.

The installation process for WordPress will populate the salts automatically. If you find that this section is blank you should not leave it that way.  Navigate to the url given in the comment field at the top of the section (https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org). You will receive a section of text that looks like the 8 lines of code shown above. Copy the entire section and then paste it in the configuration file in place of what you see above. Use a text editor such as Notepad, WordPad, Notepad++, Coda, etc. Do Not Use Microsoft Word and try to save the file as a php file.

Adding the salts will make your site more secure  – and it will sign out anyone logged into your site once you save the updated configuration file. The logged out users will just have to log back in to start a new session.  You can change these values at any time or as many times as you desire, just navigate to that url again and get a new set of salts and insert them. Some individuals in the WordPress ecosystem recommend changing the salts at least once a year.

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'wp_';

The next section of the configuration file deals with the prefix of the tables in the MySQL database used by your WordPress installation. If you used an automated script to install WordPress in your hosting account you may or may not have had the option to set a custom database table prefix. For manual installations you can set it in your configuration file before the installation process is started.

The default prefix is as shown, wp_ . You can change the prefix to whatever you want. Some developers feel that changing the prefix adds a little bit more security to the installation. If a hacker managed to get access to the database server of your hosting account they would probably first run a script looking for all tables with the default table prefix, indicating that they have found a WordPress installation. Then they could start injecting information into the tables to either redirect your site, take it down completely or insert spam links into your content.

I normally change the database prefix to something simple and semi-related to the website, 3-4 characters followed by an underscore. Do Not Forget to include the Underscore.

Can you change the database prefix after the WordPress installation has been completed?  Yes, but… In order to do that you will have to manually change the database prefix for each table in the established WordPress Database and then check to make sure that there are no table references in the wp_options table that need to be changed. Then you can change your config file to match the new table prefix. WPBeginner has an article that walks you through this process.

The final section in the default configuration file looks like this:


define( 'WP_DEBUG', false );
define( 'SCRIPT_DEBUG', false );


/* That's all, stop editing! Happy publishing. */


/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';

If you are a developer you would probably want to set the DEBUG variables to true while working on your development or staging server so that you can see code errors displayed. Best not to do this to a live site – this is for development only as any errors in the plugin or theme code will be displayed on the site for all to see – and exploit.

If you wanted to do some custom configuring to your WordPress installation you could place your code just before the Happy publishing line. What sort of customization might you consider?

You can change the interval that WordPress waits to do an automatic save of a post/page you are editing. The default is an automatic save each 60 seconds. This example changes it to 160 seconds.

define('AUTOSAVE_INTERVAL', 160); // in seconds

You can change the number of post/page revisions that WordPress saves of your post/page – you do know that each revision is saved, right? And that you can always revert back to a previous version?  WordPress does not limit the number of revisions that it saves. This can increase the size of your database considerably if you save or update your work a lot. This line limits the number of revisions saved to five. (You can also use a plugin such as WP-Optimize to clear out your database periodically.

define('WP_POST_REVISIONS', 5);

These are just some of the things you can do to customize your installation using the configuration file. You can learn more about editing your wp-config file here in the Support section of WordPress.org.

Scroll to Top