
Conquering the wp-config.php File - 11 Good Practices


There are 981 files and 95 folders in the WordPress (v3.4.1) package. None of them needs manual modification except one: wp-config.php. Of course, you don't have to edit the file at all if the default configuration suits you, but it's worth learning how to conquer it in order to apply the security precautions, speed tricks and other tweaks covered in this article.

First Things First: Back Up!

Better safe than sorry: Back your content up, right now! Either use the built-in export page or use a plugin or back up from phpMyAdmin, but always have the power of undoing what you did while tweaking your website.

Some of these tweaks touch the database, but on disk they only change wp-config.php (and, in one case, .htaccess), so a copy of those two files is the minimum. If you haven't backed up all of your files for more than a month, do that too. Frequent backups are always good, and a wp-config.php backup that contains your database password and secret keys should be stored as carefully as the live file.

Ready? OK, here we go!

Speed: Disable the Revisions... Now!

Post revisions are enabled by default, and every edit adds a row to the posts table, so on a busy site they can bloat the database noticeably. Revisions exist so you can revert to an earlier version of a post. If you don't plan on using them, you can disable the feature by setting the WP_POST_REVISIONS constant to false in wp-config.php. Note that this only stops new revisions from being written; revisions already stored stay in the database until you delete them, and the single autosave WordPress keeps per post is not affected.

However, if you like revisions but don't need an unlimited history of every edited post, you can limit the number of revisions kept per post by setting WP_POST_REVISIONS to a number (for example 3) instead of false.

Speed: Set a Cookie Domain

If you serve static content (i.e. your media uploads) from a subdomain, it's a good idea to set a "cookie domain" with the COOKIE_DOMAIN constant. Browsers attach cookies to every request whose host matches the cookie's domain, so with COOKIE_DOMAIN set to the exact hostname WordPress is served from (for example www.myblog.com) the WordPress login and session cookies are no longer sent along with every request for an image on mysubdomain.myblog.com. Two caveats: set it to the bare domain (myblog.com) and the cookies go to every subdomain, which is the opposite of what you want; set it to a host that doesn't match the admin URL and you won't be able to log in until you remove the constant.

Quick Tip: To serve your media uploads from a subdomain, point the last two text fields on the Media Settings page to the path (for example /home/myblog/public_html/mysubdomain) and URL (for example https://mysubdomain.myblog.com/) of your subdomain. In newer WordPress versions these two fields are hidden unless the options are already set to a non-default value.

Speed: Change the Filesystem Method

If you install, update or delete plugins and themes frequently, chances are you hate entering your FTP password every time. Setting the FS_METHOD constant to 'direct' makes WordPress write to the filesystem with plain PHP file I/O instead of FTP or SSH, so you won't be asked for FTP credentials anymore.

Please note that WordPress already uses the direct method on its own whenever the PHP process is the owner of the files it would write (it creates a temporary file and compares its owner with the PHP process's user ID). If that check fails, WordPress falls back to asking for FTP credentials, and forcing 'direct' only "works" once the files are writable by the web server user, typically by making wp-content world-writable. On a shared or poorly configured host that means any other site or any PHP running under the same web server user can modify your themes, plugins and core files. So use this only on a server where PHP runs as the file owner (for example a dedicated PHP-FPM pool per site), and fix ownership rather than loosening permissions.
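As an added example (not code from the original article or from WordPress), here is a small script that performs the same ownership probe WordPress does in get_filesystem_method() before it decides on 'direct'. Run it against your wp-content directory before you force FS_METHOD; the directory path on the command line is an assumption, and the probe filename prefix mirrors the one WordPress uses.

```php
<?php
// Added example: check whether forcing FS_METHOD 'direct' is safe.
// WordPress picks 'direct' by itself when a temp file it writes into the
// target directory is owned by the user PHP runs as. If that is not the
// case, forcing 'direct' only works after the files are made writable by
// the web server user, which is the security problem the article warns about.

/**
 * True when PHP can create a file in $dir AND that file is owned by the
 * PHP process itself (getmyuid()). Under exactly this condition WordPress
 * would choose 'direct' without being forced, so the define() is harmless.
 */
function direct_fs_is_safe(string $dir): bool
{
    $dir = rtrim($dir, '/') . '/';
    // Same probe WordPress performs, with a random suffix to avoid clashes.
    $probe = $dir . 'temp-write-test-' . bin2hex(random_bytes(4));
    $fh = @fopen($probe, 'w');
    if ($fh === false) {
        return false; // not writable at all: WordPress would need FTP/SSH credentials
    }
    fclose($fh);
    $owner = @fileowner($probe);
    @unlink($probe);
    // Owned by the PHP process => WordPress uses 'direct' on its own.
    return $owner !== false && $owner === getmyuid();
}

if (PHP_SAPI === 'cli') {
    // Assumed usage: php fs_check.php /var/www/html/wp-content
    $dir = $argv[1] ?? getcwd() . '/wp-content';
    echo direct_fs_is_safe($dir)
        ? "OK: PHP owns what it writes in $dir; WordPress already picks 'direct' here.\n"
        : "NOT safe to force FS_METHOD 'direct' for $dir; fix file ownership (run PHP as the file owner) instead.\n";
}
```

If the check passes, define('FS_METHOD', 'direct') in wp-config.php changes nothing except skipping the probe; if it fails, the constant is exactly the case where it would require world-writable files, so the right fix is the ownership, not the constant.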

Security: Restrict Access to the wp-config.php File

This tip requires you to edit the .htaccess file in your root directory, not wp-config.php. Normally a request for yourblog.com/wp-config.php is executed by PHP and returns an empty page, because the file only defines constants. But if the PHP handler is ever disabled or misconfigured (during a server migration, a failed PHP upgrade, a stray directive), Apache would hand out the file as plain text, complete with your database credentials and secret keys. A <Files wp-config.php> block in .htaccess that denies all access (Require all denied on Apache 2.4, Order allow,deny / Deny from all on 2.2) closes that hole regardless of how PHP is configured.

Just add that block to your .htaccess file and you're good to go. One caveat: a <Files> directive matches the exact filename only, so editor backups such as wp-config.php~ or wp-config.php.bak, which the server will happily serve as text, are not covered; either never leave such copies in the web root or extend the rule with a <FilesMatch> pattern that covers them.

Security: Force SSL on the Admin Panel

Is SSL (more precisely TLS) enabled on your server? Great! You can force WordPress to use an encrypted connection while you're logging in by setting the FORCE_SSL_LOGIN constant to true. Without it, your username and password travel to wp-login.php in clear text.

And if you're extra paranoid about security (which is a good thing, really), set FORCE_SSL_ADMIN to true instead, so that everything you do in the admin area, including the session cookie that authenticates you on every request, travels over an encrypted connection. Since WordPress 4.0 FORCE_SSL_LOGIN is deprecated and simply enables FORCE_SSL_ADMIN, so the latter is the one to use.

You can find additional information about setting up SSL in the WordPress Codex on the Administration Over SSL page.
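The following is an added example for wp-config.php (not code from the article or from WordPress). Besides the constant itself, it handles the case the Codex page warns about: when TLS is terminated by a load balancer or CDN in front of PHP, WordPress's is_ssl() sees a plain HTTP connection, and FORCE_SSL_ADMIN keeps redirecting to https:// in a loop. The proxy announces the original scheme in X-Forwarded-Proto, which must only be trusted when the request actually came from the proxy, because any client can send that header itself. The 10.0.0.0/8 range, the 64-bit PHP build and IPv4-only proxies are assumptions.

```php
<?php
// Added example: FORCE_SSL_ADMIN behind a TLS-terminating reverse proxy.
// Place this above the "That's all, stop editing!" line in wp-config.php.

// Redirect wp-login.php and every /wp-admin/ request to HTTPS.
// Since WordPress 4.0 this one constant also covers what FORCE_SSL_LOGIN did.
define('FORCE_SSL_ADMIN', true);

// Assumption: the internal address range your load balancer/CDN connects from.
$trusted_proxies = ['10.0.0.0/8'];

/** IPv4 CIDR membership test (assumes 64-bit PHP, where ip2long() is non-negative). */
function ip_in_cidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        $cidr .= '/32';
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ip_l = ip2long($ip);
    $subnet_l = ip2long($subnet);
    $bits = (int) $bits;
    if ($ip_l === false || $subnet_l === false || $bits < 0 || $bits > 32) {
        return false;
    }
    $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ip_l & $mask) === ($subnet_l & $mask);
}

/**
 * True if the client really used TLS: either PHP terminated it itself
 * ($_SERVER['HTTPS']) or a TRUSTED proxy says so via X-Forwarded-Proto.
 * The header from an untrusted source is ignored, otherwise a client could
 * claim "https" and skip the redirect that FORCE_SSL_ADMIN is meant to enforce.
 */
function request_came_via_tls(array $server, array $trusted_proxies): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    $remote = $server['REMOTE_ADDR'] ?? '';
    foreach ($trusted_proxies as $cidr) {
        if (ip_in_cidr($remote, $cidr)) {
            // Several proxies may append values; the first is the client-facing one.
            $proto = trim(explode(',', $server['HTTP_X_FORWARDED_PROTO'] ?? '')[0]);
            return strtolower($proto) === 'https';
        }
    }
    return false;
}

if (request_came_via_tls($_SERVER, $trusted_proxies)) {
    // is_ssl() reads $_SERVER['HTTPS'], so this makes WordPress treat the
    // request as encrypted and stops the redirect loop.
    $_SERVER['HTTPS'] = 'on';
}
```

If PHP terminates TLS itself (no proxy), the constant alone is enough and the header logic never triggers, since $_SERVER['HTTPS'] is already set by the web server.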

Security: Change the Database Prefix

If WordPress, a plugin or a theme had a flaw that allowed an attacker to perform SQL injection, the attacker would know the default table names (wp_users, wp_options and so on) and could go straight for them. Using a prefix other than the default wp_ means those guesses miss. Be clear about what this buys you, though: once an attacker can inject SQL, they can usually enumerate your real table names through error messages or information_schema, so a custom prefix only defeats lazy automated payloads. It is cheap defense in depth, not a substitute for code that uses $wpdb->prepare() and proper escaping.

So, while setting up a new WordPress website, either change the default value on the installation page or in the wp-config.php file, change the line below:

Beware: If you want to do this on an existing WordPress site, you can't just change $table_prefix in wp-config.php. WordPress will no longer find its tables and will behave as if it were a fresh install (or complain that you don't have sufficient permissions). You need to change the value in wp-config.php AND rename every table AND update the values inside them that carry the prefix, namely the user_roles option in the options table (wp_user_roles) and the capabilities and user_level keys in usermeta (wp_capabilities, wp_user_level). I recommend the DB Prefix Change plugin for doing all three at once.

Security: Add Security Keys... Now!

Let's just read from the WordPress Codex:

In simple terms, a secret key is a password with elements that make it harder to generate enough options to break through your security barriers. A password like "password" or "test" is simple and easily broken. A random, unpredictable password such as "88a7da62429ba6ad3cb3c76a09641fc" takes years to come up with the right combination. A salt is used to further enhance the security of the generated result.

This is one of the most essential security precautions for WordPress, and it's as easy as copying the randomly generated output of the WordPress.org secret-key service (linked from the comment block in wp-config-sample.php) into your wp-config.php file. There are eight constants: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, plus a matching _SALT for each. The hardest part is finding the default "put your unique phrase here" values and replacing them! :) Two things worth knowing: these values sign your login cookies and nonces, so changing them logs every user out, which is also why rotating them is a standard step after a suspected compromise; and if you leave the defaults in place, WordPress generates its own salts and stores them in the options table, where an SQL injection could read them.
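As an added example (not code from the article, the Codex or WordPress), the script below does two things for this tip: it generates the eight define() lines locally from a cryptographically secure source, for when you would rather not fetch secrets over the network from https://api.wordpress.org/secret-key/1.1/salt/, and it audits an existing wp-config.php for keys that are still at the sample default, missing, too short or reused. The character alphabet is the one wp_generate_password() uses with both special-character sets enabled; the sample config text is constructed here for the demonstration.

```php
<?php
// Added example: generate and audit WordPress secret keys and salts.

const WP_SECRET_CONSTANTS = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

/**
 * One 64-character value drawn with random_int() (CSPRNG, unbiased).
 * The alphabet matches wp_generate_password($len, true, true); it contains
 * neither ' nor \, so the value drops into a single-quoted PHP literal as is.
 */
function wp_secret_value(int $length = 64): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
              . '!@#$%^&*()' . '-_ []{}<>~`+=,.;:/?|';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

/** The eight define() lines, aligned like wp-config-sample.php, ready to paste. */
function wp_secret_defines(): string
{
    $lines = '';
    foreach (WP_SECRET_CONSTANTS as $name) {
        $lines .= sprintf("define(%-19s '%s');\n", "'$name',", wp_secret_value());
    }
    return $lines;
}

/**
 * Audit the source of a wp-config.php. Returns constant => problem for every
 * key that is missing, still the sample default, shorter than 32 characters
 * or identical to another key. An empty array means all eight look sane.
 */
function wp_secret_weaknesses(string $config_source): array
{
    $problems = [];
    $seen = [];   // value => first constant using it
    foreach (WP_SECRET_CONSTANTS as $name) {
        $pattern = "/define\(\s*'" . $name . "'\s*,\s*'((?:[^'\\\\]|\\\\.)*)'\s*\)/";
        if (!preg_match($pattern, $config_source, $m)) {
            $problems[$name] = 'missing';
            continue;
        }
        $value = $m[1];
        if ($value === 'put your unique phrase here' || $value === '') {
            $problems[$name] = 'sample default';
        } elseif (strlen($value) < 32) {
            $problems[$name] = 'too short';
        } elseif (isset($seen[$value])) {
            $problems[$name] = 'same value as ' . $seen[$value];
        }
        $seen[$value] = $seen[$value] ?? $name;
    }
    return $problems;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample: two defaults, one weak key, five constants missing.
    $sample_config = <<<'CFG'
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'short');
define('LOGGED_IN_KEY',    'put your unique phrase here');
CFG;
    foreach (wp_secret_weaknesses($sample_config) as $name => $problem) {
        echo "$name: $problem\n";
    }
    echo "\nFresh values to paste into wp-config.php:\n", wp_secret_defines();
}
```

To audit a real file, pass file_get_contents('/path/to/wp-config.php') to wp_secret_weaknesses(); remember that the generated output is as sensitive as your database password, so don't leave it in shell history or a paste site.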

Other: Change the Autosave Interval

If you sometimes work on a post for four hours, you might find it annoying that WordPress saves the state of your post every 60 seconds. Admittedly it's not a bad thing, but sometimes it's really, really annoying. If you want a longer interval, set the AUTOSAVE_INTERVAL constant in wp-config.php to the number of seconds you prefer (for example 300).

Other: Easily Move Your WordPress Website

WordPress is full of surprises, and this is one of them. If you ever need to move your website to a new domain (or a new subdomain, or a new folder), define the RELOCATE constant as true in wp-config.php before moving your files and database.

After setting it and moving your files and database, log in with your WordPress credentials at yournewwebsite.com/wp-login.php. With RELOCATE enabled, the login page updates the site URL (siteurl) to the address it was actually reached at. Then open the General Settings page and check that both the WordPress Address and the Site Address (home) point to the new location, correcting the latter by hand if needed. Once both are right, remove the constant from wp-config.php again; leaving it in means anyone who can reach wp-login.php under another hostname could change your site URL. This little trick saves you the burden of editing the database manually.

Tip: While this literally "moves" your website, it doesn't affect the hard-coded links in your content. To replace them, you should use a plugin like Search Regex and change the old links with new ones.
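A plain SQL REPLACE() over the database is the obvious way to rewrite those hard-coded links, but it silently corrupts any option stored as a PHP-serialized string (widgets, theme mods, many plugin settings), because the s:NN:"..." length prefixes stop matching once the old and new URL differ in length. The added example below (my code, not the article's and not the Search Regex plugin's) shows a serialization-aware replacement; the old and new URLs and the sample widget option are constructed for the demonstration.

```php
<?php
// Added example: replace a URL inside WordPress option values without
// breaking PHP-serialized data.

/** Cheap pre-check so we only unserialize() strings that look serialized. */
function looks_serialized(string $s): bool
{
    return $s === 'N;' || (bool) preg_match('/^[abdisO]:/', $s);
}

/**
 * Replace $old with $new in $value, descending into nested arrays. A string
 * that is itself serialized data is unserialized, rewritten and serialized
 * again, so every embedded length prefix is recomputed. Objects are left
 * untouched on purpose: with allowed_classes => false they come back as
 * __PHP_Incomplete_Class, whose properties PHP refuses to modify.
 */
function replace_url($value, string $old, string $new)
{
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $value[$k] = replace_url($v, $old, $new);
        }
        return $value;
    }
    if (!is_string($value)) {
        return $value;
    }
    if (looks_serialized($value)) {
        // allowed_classes => false: data from the database is untrusted, and
        // unserializing real objects would run their __wakeup()/__destruct()
        // (PHP object injection). Incomplete-class placeholders are inert.
        $data = @unserialize($value, ['allowed_classes' => false]);
        if ($data !== false || $value === 'b:0;') {
            return serialize(replace_url($data, $old, $new));
        }
    }
    return str_replace($old, $new, $value);
}

/** Constructed demo: a widget option with a URL whose length changes. */
function demo(): array
{
    $old = 'http://old.example.com';
    $new = 'https://www.example.org/blog';
    $stored = serialize([
        'title' => 'Links',
        'url'   => $old . '/about',          // becomes longer after the move
        'items' => [$old, 'unrelated text'],
        'count' => 3,
    ]);
    $rewritten = replace_url($stored, $old, $new);
    // Round-trips cleanly; a naive str_replace() on $stored would not.
    return unserialize($rewritten, ['allowed_classes' => false]);
}

if (PHP_SAPI === 'cli') {
    print_r(demo());
}
```

In practice you would run replace_url() over option_value in wp_options and post_content in wp_posts (the latter is plain HTML, so it simply falls through to str_replace()), writing each changed row back with $wpdb->update() or prepared statements.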

Other: Disable Editing of Plugin & Theme Files

If you're a web designer using WordPress for your clients' websites, you might want to remove the built-in theme and plugin file editor from the dashboard by defining the DISALLOW_FILE_EDIT constant as true. Keep in mind what it does and doesn't do: it hides the editor, which stops a client (or an attacker who has obtained an administrator account) from pasting PHP into a theme file from the browser, but an administrator can still upload a plugin or theme containing arbitrary PHP.

Better yet, you can also disable installing and updating themes and plugins altogether with DISALLOW_FILE_MODS set to true, which closes the upload path as well. Note that it also implies DISALLOW_FILE_EDIT and switches off WordPress's automatic background updates, core included.

Just remember that theme and plugin updates are often important precisely because they fix security flaws. So if you disable installing and updating plugins and themes from the dashboard, you have to track updates another way, for example with a deployment process that updates the files on the server and redeploys them.

Other: Enable WP_DEBUG While Developing

This is an easy one: If you're developing a plugin or a theme, it's good practice to enable WordPress's debug mode by defining WP_DEBUG as true, so you see the notices and warnings your code triggers. Do this on a development copy, not on the live site: with debugging on, WordPress prints every PHP notice into the page, including absolute server paths and sometimes query fragments, for every visitor to read.
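As an added example for wp-config.php (not the article's code), here is the risky form next to a safer one that keeps the diagnostics but writes them to a log file instead of rendering them into pages. The log path is an assumption; the point is that it sits outside the web root, because the default wp-content/debug.log is itself reachable over HTTP.

```php
<?php
// Added example: WP_DEBUG without leaking notices to visitors.

// Risky on a live site: notices, warnings and their file paths are printed
// into the HTML of every page.
// define('WP_DEBUG', true);

// Safer: enable debugging, but log instead of display.
define('WP_DEBUG', true);
define('WP_DEBUG_DISPLAY', false);                // nothing rendered into pages
define('WP_DEBUG_LOG', '/var/log/wp/debug.log');  // assumed path outside the web root;
                                                  // WordPress 5.1+ accepts a path, true means wp-content/debug.log
@ini_set('display_errors', '0');                  // covers errors raised before WordPress applies WP_DEBUG_DISPLAY

// Before the site goes live:
// define('WP_DEBUG', false);
```

The log file needs to be writable by the PHP process and readable by no one else; tail it while you click through the site and you'll see exactly what the browser would otherwise have shown.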

Sometimes it's amazing to see how easily mistakes creep in while developing! :)


We chose 11 great tips and tricks for your WordPress websites but the tricks for the wp-config.php file are, of course, not limited to these ones. Do you have any good tricks to share? Your comments are always welcome!
