Everything You Need to Know About wp-config.php

The wp-config.php file is a significant part of your WordPress site and its security. However, managing the file requires a little bit of expertise. After reading this article, you can wrap your head around WordPress configuration and what crucial benefits you can get from it.

What is wp-config.php File?

First, it is important to know what wp-config.php is. This file stores your database configuration on your website. Information stored within the file is your database names, username, password, and database host.

Actually, wp-config.php doesn’t come prebuilt in WordPress but is created during the installation process. It is made specifically for you. The location of the file is in the root directory of your website. In this example, the location is in /public_html.

To change the wp-config.php, you will need an FTP (i.e. FileZilla), or if you use Hostinger, you can use the Hostinger File Manager, as we do. The next step is downloading the file to your hard drive.

For example purposes, we’ll use wp-config-sample.php as our source. It is the base version of wp-config.php that is located in your WordPress directory, so both files are not entirely different. The code is described in PHP constant and should look like this:

<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/

// ** MySQL settings - You can get this info from your web host ** //

/** The name of the database for WordPress */
define('DB_NAME', 'database_name_here');

/** MySQL database username */
define('DB_USER', 'username_here');

/** MySQL database password */
define('DB_PASSWORD', 'password_here');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

/**#@-*/

/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix  = 'wp_';

/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the Codex.
*
* @link https://codex.wordpress.org/Debugging_in_WordPress
*/
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
   define('ABSPATH', dirname(__FILE__) . '/');

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

MySQL Settings for wp-config.php

Your database configuration is written under MySQL settings in wp-config.php, containing your MySQL hostname, database name, username, and password. You might want to change one of these when you move your site to another web hosting provider and decide to update MySQL details. Here’s a snippet:

// ** MySQL settings - You can get this info from your web host ** //

/** The name of the database for WordPress */
define( 'DB_NAME', 'database_name_here' );

/** MySQL database username */
define( 'DB_USER', 'username_here' );

/** MySQL database password */
define( 'DB_PASSWORD', 'password_here' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

Another method to see this information is to search the web hosting control panel. Just log in to your web hosting account, click the Database section, and choose MySQL Databases. In Hostinger’s control panel, it is displayed this way:

Besides that, there are several things you can change inside wp-config.php to enhance your website. You can generate Authentication Key and Salts, change your table prefix, enable debugging mode, and move the file for security reasons. We’ll explain them one by one.

Security Keys

wp-config.php is important because you can create Authentication Keys and Salts inside the file. These will protect your website with more advanced methods by encrypting the user’s information.

By doing this, you will require a series of strong passwords. You can generate them with the WordPress password generator. Once you have your passwords, paste them one by one inside the apostrophe to replace ‘put your unique phrase here’.

/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

/**#@-*/

The effect after implementation is quite strong as it will log out all users and make current cookies invalid. This way, hackers trying to pick your credentials are forced to get out.

Database Table Prefix

Actually, WordPress sets a predefined table prefix in wp-config.php and you can add more layer of protection by modifying it. It reads like this:

$table_prefix  = 'wp_';

Therefore, we encourage you to change this prefix during the installation process for better security. Replacing existing prefix will make it harder for SQL injections to happen.

Change wp prefix with something random but remember that you can only use underscores, letters, and numbers to do so. For example:

$table_prefix  = 'wp_custom751Admin_';

The best choice is to opt for something complex. Otherwise, it will defeat the purpose of changing database table prefix in the first place.

Debugging Mode

By default, debugging mode is turned off. Turn it on if you are committed to learning about WordPress development.

Debugging mode is to notify developers after codes are being executed. This will help them look out for bugs on their website. However, considering the function, the debugging mode can still be useful for more general users.

The steps to turn on debugging mode are quite simple. You only need to find the line attached below, change debug mode to true where it is originally set to false.

define('WP_DEBUG', false);

Finding and Editing The wp-config.php File Location

Changing the wp-config.php location can be dangerous so performing a backup is a must. But as risky as it is, you might want to move your wp-config.php file to a new location so hackers won’t find it easily. One more safety measure is always welcome, after all.

To change wp-config.php location, grab your FTP application of choice (We use the Hostinger File Manager) and follow these instructions:

1. Locate your wp-config.php in the root directory of your website (as shown earlier).
2. Move wp-config.php to another place by drag-and-dropping it to your intended directory. The more random the final destination the better. In this case, we will put it inside /public_html/wp-admin/user
3. After this process, your website is not accessible because it does not recognize the location of the wp-config file that you just moved. You will have to create another wp-config.php in a text editor in your PC to let your website know where the real file is now located. From our example, the new (or shortcut) wp-config.php file should only contain:

   <?php
   include(‘/domains/hostinger-dev-9.xyz/public_html/wp-admin/user’);
   ?>
   

   Remember to replace the directory above with the new location of your wp-config.php.

4. Upload the new file to your root directory–the place where the original wp-config.php was located. If your backup file is still there, overwrite it.
5. You are done. Your WordPress configuration file is now in a safer place.

Conclusion

You have learned that wp-config.php is crucial for WordPress. It contains sensitive information that you should keep away from people with bad intentions. Fortunately, there are several things you can do to make your website more secure, and get more control. Just remember, you have to be careful when editing it because you might end up with an inaccessible WordPress website.