Hopefully everyone knows by now that they shouldn’t hack the WordPress core files to bend WordPress into submission. Doing so can affect its ability to successfully upgrade to newer versions, which is important for security, and can make your WordPress installation incompatible with properly-coded plugins and themes. Right?…

Wrong.

There is one (and only one) WordPress core file that you should edit. It’s called wp-config.php.

In this post, I’ll point out some wp-config.php tips and tricks that everyone should know about and also some of my personal favorites and some lesser-known configurations.

The Basics of wp-config.php

The wp-config.php file is the “WordPress Configuration” or control file. If you could only pick one file for hackers not to get a hold of, this would be it. It runs the WordPress show.

wp-config.php is loaded for every page view not loaded from a cache file
– WordPress Codex

The wp-config.php file is located at the root of your WordPress installation, typically at the root of your domain, visible when browsing your site via FTP.

There are built-in constants — like the database name, username, password, and host — and certain plugins and themes can also extend wp-config.php to include their own constants.

It’s actually created during the installation step and is created based on the included wp-config-sample.php file, which has no use after the wp-config.php file is created. You can use this to your advantage if you create a lot of sites, whether for testing or production, by including things in wp-config-sample.php that you know you often want in wp-config.php.

Once the wp-config.php file is created from the installation step, you can delete the wp-config-sample.php file and dig into the wp-config.php file to make your desired site-specific changes.

A Bunch of Options

Since wp-config.php is the WordPress configuration / control / management / “boss” file, it’s important to get it just right. It can be used to achieve many things, like increasing site-wide security or providing extra convenience.

Following is my list of hand-picked wp-config.php settings. It’s not all-inclusive or comprehensive, but I am fond of the ones I’ve included or felt they were necessities.

Quick Tip: Don’t forget about PHP’s “slash-slash” (//) commenting. Instead of deleting a line when you no longer need it, why not just comment it out? Plus, if you want to make descriptive comments at the end of one or more lines, feel free.

Security

I’m a big believer in getting an SSL certificate for each of your used/important websites. For approximately the price of your annual domain name renewal, you can get an SSL certificate. Once your server admin gets it installed on your server, you can add one of the following wp-config.php constants (not both, although it wouldn’t hurt anything) to force SSL logins (but not SSL admin) or force both SSL login and SSL admin, respectively:

define('FORCE_SSL_LOGIN',false); // only activates https wp-login.php form
define('FORCE_SSL_ADMIN',true); // activates https on both wp-login.php form and all of wp-admin

With or without an SSL certificate, generating random security keys is essential. All you have to do is visit https://api.wordpress.org/secret-key/1.1/salt/ and copy and paste.

Your database should have a table prefix so that your WordPress installation doesn’t have the generic wp_ prefix that hackers can look for. There are some plugins (like Better WP Security) that can convert an existing database’s prefix.

Development

These wp-config.php constants provide convenience by helping with development tasks (e.g. finding errors).

Perhaps the most famous of them all… WP_DEBUG

define('WP_DEBUG', true);

And the related Logging Debug Messages (below is a great way to have WP_DEBUG on but without showing nasty-looking errors on the front-end).

/**
 *
 * This will log all error notices and warnings to a file called debug.log in
 * wp-content only when WP_DEBUG is true. if Apache does not have write permission,
 * you may need to create the file first and set the appropriate permissions (i.e. use 666).
 */
define( 'WP_DEBUG', true ); // or false

define( 'WP_DEBUG_LOG', false );
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', false );

if ( WP_DEBUG ) {
  define( 'WP_DEBUG_LOG', true );
  define( 'WP_DEBUG_DISPLAY', true );
  @ini_set( 'display_errors', true );
}

You can also save queries to the database for development and analysis purposes.

Convenience / License Keys

Here are a few popular WordPress extensions that make it easy to insert your valid license key into your site (especially useful for MultiSite setups and for not putting your license key into a client’s database).

Gravity Forms License Key

define('GF_LICENSE_KEY','a421...21b');

SlideDeck 2 License Key

define('SLIDEDECK_LICENSE_KEY', 'XXXXXX');

WPMU DEV Dashboard License Key, Limiting Access to Specific Users, or Hiding Branding

define('WPMUDEV_APIKEY', '16dc223...3ee');
define('WPMUDEV_LIMIT_TO_USER', '1,8'); // only user IDs 1 and 8 can perform actions like updates and installations
define('WPMUDEV_HIDE_BRANDING', true); // used to entirely hide from wp-admin display

Yoast’s Bit.ly Pro Shortlinks Plugin

define('BITLY_USERNAME', 'a...z');
define('BITLY_APIKEY', 'R_67a...918');

Your Preferences (“Dealer’s Choice”)

This section includes tweaks subject to user preferences. I don’t recommend one way over the other, as long as you make an informed decision.

Turn on WordPress’ native caching

define('WP_CACHE', true); // everyone loves cache

Frequency of AutoSaves

define('AUTOSAVE_INTERVAL', 160 );  // in seconds

Post Revisions On/Off. If On, the amount to keep per post

define('WP_POST_REVISIONS', true );
define('WP_POST_REVISIONS', 3);

How Often to Empty the Trash

define('EMPTY_TRASH_DAYS', 30 );  // once every 30 days

MultiSite / Network

define('WP_ALLOW_MULTISITE', true);

Additional wp-config.php References

There are many more things that can be added to wp-config.php. Following are some links to additional resources. Take a look and you might just find your own favorite, obscure WordPress configuration setting:

• WordPress Codex’s “Editing wp-config.php”
• WPEngineer.com’s “WordPress Constants Overview”
• BetterWP.net’s “Ten Useful WordPress Constants You Might Love”
• WP Tuts+’ “Conquering the wp-config.php File — 11 Good Practices”

Did you learn of any new ones that you can’t wait to try out? Or was this whole thing old news? Let me know. I’m looking forward to your comments!

  Creative Commons image(s) courtesy of Cat, Neal Fowler, Mark Watson, Bailey Weaver