Sufyan bin Uzayr February 5th, 2013

Mastering WordPress Configuration – wp-config.php

One of the best aspects of WordPress is the fact that it does not require much code-level tweaking to work. All you need to do is install the CMS, and off you go! All in all, for a general-purpose website, there is not much tweaking or customization that needs to be done. In fact, in most cases, you should steer away from messing with the code and WP files. However, there is one particular file which you actually can tweak and its name is wp-config.php. In this article, we shall be discussing the wp-config.php file as well as taking a look at certain tweaks that we can apply to it in order to get the most out of its possibilities.

Mastering wp-config.php -- An Introduction

As the name suggests, wp-config.php is the file that contains the configuration-related settings of WordPress. Database name, username, password, and so on -- if the data is related to the smooth functioning of your WP site, chances are that it gets a mention in wp-config.php. Beyond that, many themes and plugins also tend to add their own constants and configuration settings to this file. Oh, and the file has its share of trivia as well: it is not there in the downloadable versions of WordPress, and as mentioned above, it contains a good deal of your database settings. We will bypass all of that information -- if you still need it, you can find it in the Codex. With that said, let us now dive straight into tweaking wp-config.php.

Tweaking wp-config.php

Tweaks Related to Security

1. Restrict Access to wp-config.php

Naturally, if a file is so important, should it not have limited access? After all, the internet is not the safest place on earth. The following code will ensure that your wp-config.php is not publicly accessible (for instance, at

# Refuse every web request for wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

Just a note, though: you will need to add the above code to your .htaccess file, not the wp-config.php file.

2. Force SSL on Admin Pages

If you have SSL access on your server, you can force WordPress to employ it for the admin pages:

define('FORCE_SSL_ADMIN', true);

More info about this tweak here.

3. Change Database Prefix

Generally, the common trend is to employ ‘wp_’ as the database prefix for WordPress databases. It is quite easy for a malicious hacker to guess that prefix, and many people prefer using a different database prefix:

$table_prefix = 'yo';

For newer WP installations, though, you can also specify this value directly at the time of installation. Also, for an existing installation, simply heading to the wp-config.php file and changing the prefix value will break your installation: instead, you should consider employing a plugin such as this.

4. Disable Editing Plugins and Themes

If you are worried about your theme or plugin files being compromised (or, for example, accidentally edited by a non-geek client), use the following constant:

define('DISALLOW_FILE_EDIT', true);

Similarly, to disable newer theme or plugin installations, use the following:

define('DISALLOW_FILE_MODS', true);

Tweaks Related to Speed and Productivity

1. Move Your WP Blog

Yes, if you have tried to move your WP installation across servers (especially across domains) without the comfort of XML exports/imports, you must have found the process annoying. To save yourself from the annoyance, you can use this constant prior to moving the website:

define('RELOCATE', true);

Now, move your WP site to the new domain. Once you log in there, you will find your home URL changed. However, this method will not alter any hard-coded links of yours. For that purpose, you can make use of any proper plugin.

2. Use a Cookie Domain

This tweak is useful if you serve your media uploads and other similar content from a different location (for example, a sub-domain of your site). The following constant will ensure that WP cookies are not sent each time your media content is requested from the concerned location:

define('COOKIE_DOMAIN', '');

3. Disable Post Revisions

By default, the Post Revisions feature is enabled in WordPress. Not many people use it to go back to earlier versions of their posts, and if you are one of them, you can happily turn it off to save yourself from unnecessary database transactions which only end up bloating your database.

define('WP_POST_REVISIONS', false);

Alternatively, you can also limit the number of such revisions (because, after all, who uses infinite post revisions?):

define('WP_POST_REVISIONS', 3);

4. Turn On Caching

To turn on the native caching mechanism, use this constant:

define('WP_CACHE', true);

5. Modify Autosave Interval

You can configure the frequency of autosaves as follows (in seconds):

define('AUTOSAVE_INTERVAL', 180);
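
A quick way to check that the security tweaks above actually took effect after editing wp-config.php. This is an added example, not code from the original article or from WordPress: the finding codes, the function names and both sample files are constructed for illustration, and it assumes RELOCATE is meant to be set only while the site is being moved. It also catches a common failure when constants are copied from a web page: typographic quotes around the name, which PHP does not treat as string delimiters.

```python
import re

# Constants from the security section above and the value each should have.
REQUIRED = {"FORCE_SSL_ADMIN": "true", "DISALLOW_FILE_EDIT": "true"}
SMART_QUOTES = "\u2018\u2019\u201c\u201d"
DEFINE_RE = re.compile(
    r"define\s*\(\s*(['\"])(\w+)\1\s*,\s*([^)]*?)\s*\)\s*;", re.I)
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*(['\"])(.*?)\1\s*;")

# Constructed sample: pasted from a web page, one define has typographic quotes.
PASTED = ("<?php\n$table_prefix = 'wp_';\n"
          "define (\u2018FORCE_SSL_ADMIN\u2019, true);\n"
          "define('RELOCATE', true);\n")
# Constructed sample: the same settings typed with plain ASCII quotes.
HARDENED = ("<?php\n$table_prefix = 'yo_';\n"
            "define('FORCE_SSL_ADMIN', true);\n"
            "define('DISALLOW_FILE_EDIT', true);\n")

def strip_comments(src):
    """Drop /* */ blocks and whole-line // or # comments."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)^[ \t]*(//|#).*$", "", src)

def audit(src):
    """Return sorted finding codes for the text of a wp-config.php file."""
    code = strip_comments(src)
    findings = set()
    for line in code.splitlines():
        # Curly quotes are not PHP string delimiters, so the setting is lost.
        if ("define" in line or "$table" in line) and any(
                q in line for q in SMART_QUOTES):
            findings.add("SMART_QUOTES")
    consts = {m.group(2): m.group(3).lower() for m in DEFINE_RE.finditer(code)}
    for name, want in REQUIRED.items():
        if consts.get(name) != want:
            findings.add("MISSING_" + name)
    # Assumption: RELOCATE is only meant to be set while the site is moved.
    if consts.get("RELOCATE") == "true":
        findings.add("RELOCATE_LEFT_ON")
    prefix = PREFIX_RE.search(code)
    if prefix is None:
        findings.add("NO_TABLE_PREFIX")
    elif prefix.group(2) == "wp_":
        findings.add("DEFAULT_TABLE_PREFIX")
    return sorted(findings)

if __name__ == "__main__":
    print(audit(PASTED))
    print(audit(HARDENED))
```

Run it against a copy of the file on a demo site; an empty list means every check passed.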


Now that you have gone through the wp-config.php tips and tweaks, I strongly suggest that you make a backup before playing around with your wp-config.php file. In fact, it is best to test any changes on a demo site before implementing them on your main website. What are your thoughts regarding the wp-config.php tweaks? Got any recipes of your own? Feel free to share them in the comments! (dpe)



  1. Sufyan! A very informative post, as most of the people using WordPress for their sites. Thanks for sharing info about making the site more secure and avoiding malicious hackers. Thumbs up.
