The single most important file in your entire WordPress Installation is wp-config.php.
Your WordPress website is made up of two elements: a WordPress database, and your WordPress files.
wp-config.php is the one element that links the database and files together.
In this tutorial, we're going to cover:
This is not a comprehensive coding guide, but a general reference to help you understand this file.
At the time of writing this lesson, the current WordPress version is 3.5.1, but most of the below can be used for WordPress versions 2.2 and above. For security reasons, you should always upgrade your WordPress install to the latest version.
It doesn't matter whether you've been using WordPress for 5 minutes or 5 years, always take a backup before you start altering files.
As with all major changes to a website, it is best to implement your changes on a test website first before applying them to a live website.Caution: as mentioned in the WordPress Codex, the lines of code in your wp-config-sample.php (and therefore your wp-config.php) file are in a specific order. The order is important.
Please note that rearranging the lines of code within this file may create errors.
Right, with all the housekeeping bits done, let's take a look at what this marvelous file can do.
wp-config-sample.php - The File That You'll Use to Create Your wp-config.php
Funnily enough, this incredibly important file doesn't actually exist in the downloaded copy of WordPress. Instead you are given a wp-config-sample.php as part of the download package, and WordPress kindly gives you the opportunity to "Create a Configuration File" (i.e. your wp-config.php file) as part of the install.
As most normal users choose to click the nice and easy "Create a Configuration File" button to create their wp-config.php file, the majority won't have seen what the inside of this file looks like.
To do this, you'll need an FTP login (you can get this from your website creator or your hosting company) and an FTP client, such as FileZilla.
Default Location of the wp-config.php File
By default, this file lives in your /public_html folder, along with all your other WordPress files and folders (as shown in the above FileZilla screenshot).
Secure Location of the wp-config.php file
If you've done your security homework, then you'll probably have already moved your wp-config.php file up one level and out of the /public_html folder. This puts your important wp-config.php file out of harms reach, and (more importantly) out of the reach of potential hackers.Important note for subdomains: If you have a subdomain, moving the wp-config.php file up one level will not take it out of the /public_html folder. You may wish to investigate a more bespoke solution such as moving the majority of your wp-config file settings into a different file altogether, which is then called by an "include" statement in the wp-config.php file.
If you haven't done so already, it's time to move this important file out of the public_html folder, and in to a more secure resting place.
To do this is easy. Just open FileZilla (or your FTP program of choice), find your wp-config.php file, click on it and drag it all the way up to the top of your FTP window pane. When you're hovering over the folder labelled ".." (as shown above), you can let go of your file, and "drop" it into the ".." folder.
You should now see your wp-config.php file disappear from the public_html folder, and appear in the folder one level above (to see this folder, click on the ".." folder).
Note: You might not have the permissions to do this yourself. If your FTP login takes you straight to the public_html folder, then you will have to ask your hosting company to do this for you.
What's in the wp-config.php File?
Now that the security bit is done, let's have a look at what's actually in the wp-config.php file.
The items that come with the default wp-config-sample.php file are in blue.
If your hosting provider installed WordPress for you, they will be able to provide this information. If you manage your own hosting, you should already have this information as a result of creating the database and user.
From a security perspective, one of the absolute basics is to replace the put your unique phrase here items with some unique phrases, and pronto.
The easy way to do this, is go to https://api.wordpress.org/secret-key/1.1/salt/ and copy the randomly generated lines into your wp-config.php file.
You don't need to remember these, just set them up once, and then you can forget about them.
You can change them at any point (especially if you get hacked), and if you do it will invalidate all existing user cookies, which will just mean that all users have to log in again.
Some of you may remember that WordPress used to have an area where you could define where your media uploads went to. It may have disappeared from the WordPress administrator, but you can still make the change using the wp-config.php file.
If you don’t want to use the ‘wp-content’ directory then you can use this code instead:
If you have SSL enabled on your website, then it's an awful shame to waste it. Enable SSL on your Administrator area with these two settings
File Permissions of wp-config.php
Really, this is part of the security of your website, however this is such an important aspect, that it earned its own little section.
Nobody (apart from you) would ever need to access this file, so it's best to lock it away as much as you can. The final padlock on the security of your wp-config.php file is to change the access permissions. You can do this through FTP by right-clicking on the file, selecting File Permissions and then changing the permissions by unchecking the relevant boxes (ideally the Numeric value at the bottom should be 400, but this may need to be 440 depending on your hosting provider).
(Side note - don't forget to protect your wp-config.php file using your .htaccess file.)
These two items were added in WordPress v2.2.WARNING: If you have just upgraded from a version earlier than 2.2, please refer to the upgrades section below, as these two items should not be added to your wp-config.php without some additional work first.
English is the default language of WordPress, but it can easily be changed using these two settings:
It's important to note that some hosting companies have an overriding limit on the PHP memory available to you. If this addition doesn't fix the problem, you may have to ask your hosting company very nicely to see if they'll increase the limit in their php.ini file for you.
Once you add this definition you will see a new “Network” page pop up in your wp-admin, which you can find in Tools -> Network.
This is basically detailing the absolute path to the WordPress directory, and then setting up the WordPress variables and files that need to be included.
There should be no need to change this code, but it comes as part of the standard wp-config-sample.php file, so I'm just popping it in in case someone says "Hey, where's that bit of code at the end?"
wp-config.php is one of the few files that is left untouched during normal WordPress upgrades (if you use Fantastico, see note below), so you don't need to worry about it being overwritten.
Why No Closing PHP Tag?
The observant amongst you will have noticed that whilst there's an opening php tag, there's no closing php tag.
This is not a mistake, and your wp-config.php file can be happily left without a closing tag.
Well, believe it or not a very simple issue of "spaces after closing PHP tags" are known to cause a range of various issues including "headers already sent" errors, and breaking other bits and bobs within perfectly well behaved websites.
Several years ago, WordPress decided to make life a little bit easier for everyone by removing the ending PHP tag from the wp-config.php file.
Hopefully this has provided an insight on the numerous things you can do with the wp-config.php file.
The most commonly used definitions are here, however if you're looking for something very bespoke, you can find a full list of definitions in the WordPress Codex here: https://codex.wordpress.org/Editing_wp-config.php.