WordPress wp-config.php: Complete Guide 2026

Published April 21, 2026

WordPress wp-config.php Guide

wp-config.php is WordPress's main configuration file. It stores database credentials, security keys, debug settings, and constants that control WordPress behavior. Understanding it lets you solve many WordPress problems directly.

Database Configuration

define('DB_NAME', 'your_database_name');
define('DB_USER', 'your_database_user');
define('DB_PASSWORD', 'your_database_password');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8mb4');

Authentication Keys and Salts

These unique keys encrypt cookies. Generate fresh ones at WordPress.org. Changing them invalidates all active sessions — useful after a security breach.

Essential Performance Constants

define('WP_MEMORY_LIMIT', '256M');
define('WP_MAX_MEMORY_LIMIT', '512M');
define('WP_POST_REVISIONS', 5);  // Limit revision storage
define('AUTOSAVE_INTERVAL', 300); // Autosave every 5 minutes

Security Constants

define('DISALLOW_FILE_EDIT', true);   // Disable theme/plugin editor
define('DISALLOW_FILE_MODS', true);   // Block plugin/theme installs from admin
define('FORCE_SSL_ADMIN', true);      // Force HTTPS in admin
define('WP_DEBUG', false);            // Keep false in production

Debug Mode (Development Only)

define('WP_DEBUG', true);
define('WP_DEBUG_LOG', true);
define('WP_DEBUG_DISPLAY', false);
define('SCRIPT_DEBUG', true);

Table Prefix

Change $table_prefix from wp_ to a custom value for security. Do this during initial setup — changing it later requires updating all table names.

Protecting wp-config.php

Set file permissions to 600 (owner read/write only). Never commit it to version control. SiteICO stores database credentials securely and injects them at container runtime.