Optimize wp-config.php: complete guide

The wp-config.php file is the most important configuration file of your WordPress site. This file contains crucial settings for database, security and performance. By optimizing this file smartly, you make your site faster and more secure.

In this guide you'll learn everything about wp-config.php optimization. From basic security to advanced performance tweaks.

What is wp-config.php?

The wp-config.php file contains the most important WordPress configuration. You'll find it in the root directory of your WordPress installation. This file is loaded on every page load.

The file contains among other things:

  • Database access credentials
  • Security keys and salts
  • Table prefix
  • Debug settings
  • Memory limits

By configuring this file properly you get more control over your site. You can improve performance and secure your site better.

Note: always make a backup before modifying wp-config.php. One mistake can make your entire site inaccessible.

Optimize database settings

The database configuration is at the top of your wp-config.php. These settings are essential for the connection to your database.

Default settings:

define('DB_NAME', 'database_name');
define('DB_USER', 'database_user');
define('DB_PASSWORD', 'password');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8mb4');
define('DB_COLLATE', '');

Optimize DB_HOST: with many hosting providers you can use a direct socket instead of 'localhost'. This saves DNS lookups and is faster.

Example for TransIP:

define('DB_HOST', 'localhost:/var/run/mysqld/mysqld.sock');

DB_CHARSET: always use 'utf8mb4' for full emoji support. Older installations sometimes have 'utf8' which supports fewer characters.

Debug mode: when on and off

WordPress has built-in debug functionality. This is useful during development but must always be off on production.

Default debug setting:

define('WP_DEBUG', false);

For development: turn on debug to see errors:

define('WP_DEBUG', true);
define('WP_DEBUG_LOG', true);
define('WP_DEBUG_DISPLAY', false);
define('SCRIPT_DEBUG', true);

This combination logs errors to wp-content/debug.log without displaying them. SCRIPT_DEBUG loads unminified JavaScript and CSS for easier debugging.

For production: always turn off debug:

define('WP_DEBUG', false);
define('WP_DEBUG_LOG', false);
define('WP_DEBUG_DISPLAY', false);

Debug mode on production makes your site slower. Visitors can also see sensitive information in error messages.

Increase memory limit

WordPress has a limited PHP memory limit by default. For large sites or heavy plugins this is often too little.

Increase default memory limit:

define('WP_MEMORY_LIMIT', '256M');

For the admin dashboard you can set a higher limit:

define('WP_MAX_MEMORY_LIMIT', '512M');

Note: this limit cannot be higher than your server's PHP memory_limit. Check this in your hosting control panel or ask your provider.

For small sites 128M is often enough. Webshops and sites with page builders often need 256M or more.

Replace security keys and salts

Security keys and salts encrypt cookies and sessions. WordPress generates these automatically during installation.

Example:

define('AUTH_KEY', 'unique random string');
define('SECURE_AUTH_KEY', 'unique random string');
define('LOGGED_IN_KEY', 'unique random string');
define('NONCE_KEY', 'unique random string');

Why replace? If these keys are leaked, hackers can hijack sessions. Replace them regularly for better security.

Generate new keys at: https://api.wordpress.org/secret-key/1.1/salt/

Copy the output and paste it in your wp-config.php. Note: all users will be logged out after replacement.

For extra WordPress security you can refresh these keys every 3-6 months.
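
Added example, not from the original article: rotating the keys with a script instead of copy and paste, generating the values locally with Python's secrets module rather than fetching them from the URL above. It covers all eight key and salt constants WordPress reads (the article's example lists four); the names rotate_keys, new_secret and SAMPLE are made up here, and SAMPLE is constructed.

```python
import re
import secrets

# All eight constants WordPress reads; the article's example lists the first four.
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Printable ASCII minus quotes and backslash, so values need no PHP escaping.
ALPHABET = "".join(c for c in map(chr, range(33, 127)) if c not in "'\"\\")
KEY_RE = re.compile(
    r"""^[ \t]*define\(\s*['"](%s)['"]\s*,.*\)\s*;""" % "|".join(KEY_NAMES), re.M)

# Constructed sample, reusing the placeholder lines from the article.
SAMPLE = """<?php
define('DB_NAME', 'database_name');
define('AUTH_KEY', 'unique random string');
define('SECURE_AUTH_KEY', 'unique random string');
define('LOGGED_IN_KEY', 'unique random string');
define('NONCE_KEY', 'unique random string');
$table_prefix = 'wp_';
"""


def new_secret(length=64):
    """Return a random string drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_keys(config_text):
    """Replace every key/salt define with a fresh value.

    Returns (new_text, missing): missing lists constants that had no
    define() line and therefore still need to be added by hand.
    """
    seen = set()

    def swap(match):
        seen.add(match.group(1))
        return f"define('{match.group(1)}', '{new_secret()}');"

    new_text = KEY_RE.sub(swap, config_text)
    return new_text, [name for name in KEY_NAMES if name not in seen]


if __name__ == "__main__":
    text, missing = rotate_keys(SAMPLE)
    print(text)
    print("still to add:", ", ".join(missing))
```

Writing the result back logs out every user, as noted above. Keep the file's 600 or 640 mode when you replace it.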

Force SSL for admin and login

If you have an SSL certificate you can force HTTPS for admin and login pages. This prevents passwords from being sent unencrypted.

Force SSL for admin:

define('FORCE_SSL_ADMIN', true);

For entire site HTTPS: use an .htaccess redirect instead of wp-config. That's more efficient for frontend pages.

Combine this setting with an SSL redirect in your webserver configuration. Also check if your hosting offers automatic SSL.

Configure auto-updates

WordPress can automatically update itself, plugins and themes. You can configure this precisely in wp-config.php.

Core updates: by default WordPress installs minor updates automatically. For major updates:

define('WP_AUTO_UPDATE_CORE', true);

Or disable completely:

define('WP_AUTO_UPDATE_CORE', false);

Plugin and theme updates: from WordPress 5.5 you can configure this per item in admin. For all plugins/themes auto-update:

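// add_filter() is undefined until wp-settings.php has loaded: put these lines
// in a must-use plugin (wp-content/mu-plugins/), not above that require in wp-config.php.
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme', '__return_true');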

Note: always test updates on staging first. Auto-updates can break your site if plugins are incompatible.

With managed WordPress hosting, providers often handle updates for you.

Performance tweaks and optimizations

With a few lines of code in wp-config.php you make your site faster and more efficient.

Limit post revisions: WordPress saves every change as a revision. This fills your database quickly:

define('WP_POST_REVISIONS', 5);

Or disable completely:

define('WP_POST_REVISIONS', false);

Increase autosave interval: By default WordPress auto-saves every 60 seconds. Raise this for fewer database queries:

define('AUTOSAVE_INTERVAL', 300);

Trash auto-delete: By default deleted content stays in trash for 30 days. Lower this:

define('EMPTY_TRASH_DAYS', 7);

Optimize cron: WordPress uses wp-cron for scheduled tasks. This runs on every page load. For busy sites a real cronjob is better:

define('DISABLE_WP_CRON', true);

Then set up a server cronjob that calls wp-cron.php every 15 minutes.

Database repair: For database maintenance you can activate repair mode:

define('WP_ALLOW_REPAIR', true);

Then visit /wp-admin/maint/repair.php. Turn this off after use because it's publicly accessible.

Disable file editor

WordPress has a built-in file editor for themes and plugins. This is a security risk because hackers can inject code here.

Disable the editor:

define('DISALLOW_FILE_EDIT', true);

Now admins can no longer modify theme/plugin files via dashboard. Use FTP or SSH for code changes.

For even better security you can also block file uploads:

define('DISALLOW_FILE_MODS', true);

This also blocks plugin/theme installations. Useful for production sites that don't change anymore.

Custom content directory

By default content is in wp-content. You can move this for better organization or security.

Custom content directory:

define('WP_CONTENT_DIR', '/path/to/custom-content');
define('WP_CONTENT_URL', 'https://example.com/custom-content');

Note: physically move the content folder and update these paths. Plugins can break if paths don't match.

This is especially useful for multisite installations or if you run WordPress in a subdirectory.

Change database table prefix

WordPress uses 'wp_' as table prefix by default. Many hackers target this. A custom prefix makes SQL injection harder.

Note: only change this for new installations. For existing sites this is complex and risky.

During installation:

$table_prefix = 'xyz_';

Use a random prefix with letters and underscore. No numbers at the beginning.

For existing sites you can use plugins but make a full backup first. Database problems can break your entire site.

Multisite configuration

For WordPress Multisite you need extra configuration in wp-config.php.

Activate multisite:

define('WP_ALLOW_MULTISITE', true);

After network setup via admin you add this:

define('MULTISITE', true);
define('SUBDOMAIN_INSTALL', false);
define('DOMAIN_CURRENT_SITE', 'example.com');
define('PATH_CURRENT_SITE', '/');
define('SITE_ID_CURRENT_SITE', 1);
define('BLOG_ID_CURRENT_SITE', 1);

SUBDOMAIN_INSTALL is true for subdomain network, false for subdirectory.

More about multisite in our multisite installation guide.

Prevent common mistakes

Syntax errors: one wrong character breaks your entire site. Always check syntax with a validator before upload.

Memory limit too high: if you set more than the server allows, you get a white screen. Know your server limits.

Debug on production: this shows sensitive data to visitors. Always turn off debug on live sites.

Wrong file permissions: wp-config.php should never be 777. Use 600 or 640 for better security.

No backup: always make a backup before modifying wp-config.php. One mistake can make your site inaccessible.
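
Added example, not part of the original article: a Python check for the production mistakes listed above (loose file permissions, debug constants left on) together with settings from earlier sections (WP_ALLOW_REPAIR, DISALLOW_FILE_EDIT, FORCE_SSL_ADMIN, placeholder keys). The function names and SAMPLE are constructed for illustration. PHP syntax errors are out of scope here; php -l covers those.

```python
import os
import re
import stat

# define('NAME', value); the value match is greedy so a ")" inside a key survives.
DEFINE_RE = re.compile(r"""^\s*define\(\s*['"](\w+)['"]\s*,(.+)\)\s*;""", re.M)
MUST_BE_OFF = ("WP_DEBUG", "WP_DEBUG_LOG", "WP_DEBUG_DISPLAY", "WP_ALLOW_REPAIR")
SHOULD_BE_ON = ("DISALLOW_FILE_EDIT", "FORCE_SSL_ADMIN")

# Constructed sample, not a real site's configuration.
SAMPLE = """<?php
define('WP_DEBUG', true);
// define('WP_DEBUG_DISPLAY', true);
define( 'WP_ALLOW_REPAIR', true );
define('DISALLOW_FILE_EDIT', true);
define('AUTH_KEY', 'unique random string');
"""


def parse_defines(text):
    """Map constant -> raw value; as in PHP, the first define() of a name wins."""
    pairs = reversed(DEFINE_RE.findall(text))
    return {name: value.strip().strip("'\"") for name, value in pairs}


def audit(text, mode):
    """Return sorted findings for a production wp-config.php and its file mode."""
    defines = parse_defines(text)
    findings = []
    if mode & 0o137:  # any permission bit outside rw-r----- (640)
        findings.append(f"permissions {mode:03o}: use 600 or 640")
    findings += [f"{n} is enabled" for n in MUST_BE_OFF
                 if defines.get(n, "false").lower() not in ("false", "0")]
    findings += [f"{n} is not enabled" for n in SHOULD_BE_ON
                 if defines.get(n, "false").lower() != "true"]
    findings += [f"{n} still holds a placeholder" for n, v in defines.items()
                 if n.endswith(("_KEY", "_SALT")) and "unique" in v.lower()]
    return sorted(findings)


def audit_file(path):
    """Audit a wp-config.php on disk, including its permission bits."""
    with open(path, encoding="utf-8") as fh:
        return audit(fh.read(), stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, 0o644)))  # sample text as if stored with mode 644
```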

Extra tips for advanced users

WordPress address vs site address:

define('WP_HOME', 'https://example.com');
define('WP_SITEURL', 'https://example.com');

Useful if you have WordPress in a subdirectory but want to display on root.

Cookie domain for multisite:

define('COOKIE_DOMAIN', '.example.com');

This makes cookies work on all subdomains.

FTP credentials: With some hosts WordPress asks for FTP credentials for updates. Set the filesystem method to direct to skip the prompt:

define('FS_METHOD', 'direct');

Or use real FTP credentials if your host requires this.

Concatenate scripts:

define('CONCATENATE_SCRIPTS', false);

Turn this off if you have problems with JavaScript in admin.

Practical configuration examples

For small blog:

define('WP_MEMORY_LIMIT', '128M');
define('WP_POST_REVISIONS', 3);
define('AUTOSAVE_INTERVAL', 300);
define('EMPTY_TRASH_DAYS', 7);
define('DISALLOW_FILE_EDIT', true);

For large webshop:

define('WP_MEMORY_LIMIT', '512M');
define('WP_MAX_MEMORY_LIMIT', '768M');
define('WP_POST_REVISIONS', 5);
define('DISABLE_WP_CRON', true);
define('DISALLOW_FILE_EDIT', true);
define('FORCE_SSL_ADMIN', true);

For development:

define('WP_DEBUG', true);
define('WP_DEBUG_LOG', true);
define('WP_DEBUG_DISPLAY', false);
define('SCRIPT_DEBUG', true);
define('SAVEQUERIES', true);

By configuring wp-config.php properly you get more out of your WordPress site. You make it faster, more secure and more stable. Choose the settings that fit your situation and always test on a staging environment first.

Frequently Asked Questions

Is WordPress free?

WordPress itself is free open-source software. You only pay for hosting, a domain name, and any premium themes or plugins you want to use.

How difficult is WordPress to learn?

WordPress is relatively easy to learn. You can master the basic functions within a few hours. Advanced customizations require more time.

Can I move WordPress to a different host later?

Yes, WordPress websites can be moved to a different hosting provider. Most providers offer free assistance for this.
