What Is wp-config.php and When Should You Edit It? (2026 Guide)
The wp-config.php file is the brain of your WordPress site. It tells WordPress how to connect to your database, how to handle security, and how to behave in dozens of situations you probably never think about — until something breaks.
Most WordPress users never touch this file. But if you’ve ever needed to enable debug WordPress mode, increase your memory limit, fix a White Screen of Death, or lock down your site after a scare — wp-config.php is where you go. One wrong character can take your entire site offline. One right setting can prevent a hack.
This guide covers everything: what’s inside the file, how to safely edit it, the settings worth changing, and how to recover if something goes wrong.
⚡ Key Takeaways
- wp-config.php is the main configuration file that connects WordPress to your database and controls core behavior
- Always back up the file before editing — a single missing semicolon can crash your entire site
- Place all custom code above the line that says /* That's all, stop editing! */
- Set file permissions to 440 or 400 to prevent unauthorized access
- The most common edits: enabling debug mode, increasing memory, disabling the file editor, and changing database credentials
What Is wp-config.php?

wp-config.php is a PHP file that sits in the root directory of every self-hosted WordPress installation. It’s created during the WordPress installation process (the famous “5-minute install”) and contains the fundamental settings WordPress needs to function.
Think of it as the control room of a ship. Every critical system — database connection, security keys, debugging, memory allocation — runs through this single file. Without it, WordPress literally cannot start.
43% of WordPress vulnerabilities in 2025 required no authentication to exploit (Source: Patchstack State of WordPress Security 2026)
That stat matters here because wp-config.php is your first line of defense. Properly configured security keys, locked-down file permissions, and a disabled file editor all live in this file. Misconfigure it, and you’re leaving the vault door open.
What’s Inside wp-config.php — The Key Settings

Open your wp-config.php file and you’ll see a structured PHP file with clearly labeled sections. Here are the settings that matter most.
Database Connection (The Big Four)
define( 'DB_NAME', 'your_database_name' );
define( 'DB_USER', 'your_database_user' );
define( 'DB_PASSWORD', 'your_database_password' );
define( 'DB_HOST', 'localhost' );
These four lines are the only thing connecting WordPress to your data. Get any one of them wrong, and you’ll see the dreaded “Error Establishing a Database Connection” message. Your hosting provider gives you these values — don’t guess them.
Authentication Keys and Salts
Eight unique keys that encrypt the cookies storing your login information. WordPress generates them during installation, but you can regenerate them anytime using the official WordPress salt generator. Changing these keys instantly logs out every user on your site — useful if you suspect a breach.
Debug Mode
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );
define( 'WP_DEBUG_DISPLAY', false );
This trio is your troubleshooting toolkit. WP_DEBUG turns on error reporting. WP_DEBUG_LOG writes errors to /wp-content/debug.log instead of showing them to visitors. WP_DEBUG_DISPLAY should always be false on live sites — displaying PHP errors publicly is a security risk.
🏴‍☠️ PIRATE TIP: Never leave WP_DEBUG set to true on a production site. It exposes file paths, database queries, and PHP errors that hackers can use to map your server. Debug on staging, not on live. Check your staging site setup if you don’t have one yet.
Memory Limit
define( 'WP_MEMORY_LIMIT', '256M' );
WordPress defaults to 40MB for single sites and 64MB for WordPress Multisite. That’s often not enough for sites running WooCommerce, page builders, or image-heavy content. Bumping to 256MB is safe for most hosting environments. Your host may cap this — check with them if the setting doesn’t take effect.
Other Settings Worth Knowing
- DISALLOW_FILE_EDIT — set to true to remove the plugin/theme editor from the dashboard (security best practice)
- WP_POST_REVISIONS — limit stored revisions (e.g., 5) to keep your database lean
- EMPTY_TRASH_DAYS — set how many days before trashed posts are permanently deleted (default: 30)
- WP_HOME and WP_SITEURL — hard-code your site URL, useful after a domain change or migration
- FORCE_SSL_ADMIN — force HTTPS on the admin dashboard
How to Safely Edit wp-config.php

Editing wp-config.php is straightforward — the danger isn’t complexity, it’s carelessness. As Jetpack warns: “A minor syntax error, such as a missing semicolon or quote, can cause an immediate site-wide outage.”
Four ways to access the file:
| Method | Best For | Skill Level |
|---|---|---|
| FTP/SFTP (FileZilla) | Most users — download, edit locally, re-upload | Beginner |
| cPanel File Manager | Quick edits — edit directly in the browser | Beginner |
| SSH (nano/vim) | Developers — fastest method | Intermediate |
| WP-CLI | Automation — set constants via command line | Advanced |
Regardless of method, follow these rules:
- Back up the file first — download a copy of wp-config.php before making any changes
- Use a plain text editor — Notepad++, VS Code, or Sublime Text. Never Microsoft Word or Google Docs (they add invisible formatting characters that break PHP)
- Place your code above the stop line — every custom define() goes above /* That's all, stop editing! */
- Check your syntax — every line needs a semicolon at the end, every string needs matching quotes, every parenthesis needs a partner
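The four rules above, applied as one scripted edit (an added example, not code from the original article or from WordPress): it backs up the file, sets the constant above the stop line, lints the result with php -l when PHP is installed, and swaps the new file in atomically. The function name set_constant and its backup_dir parameter are hypothetical; the backup is written to a directory you choose, which should sit outside the web root.

```python
import os, re, shutil, subprocess, tempfile

STOP_MARKER = "/* That's all, stop editing!"  # prefix of the stop line

def set_constant(path, name, php_value, backup_dir):
    """Back up wp-config.php, then set define( name, php_value ) above the
    stop line. php_value is a PHP literal such as "true" or "'256M'".
    backup_dir should sit outside the web root so the copy is never served.
    Returns the backup path; the live file is untouched if a check fails."""
    if not re.fullmatch(r"[A-Z_][A-Z0-9_]*", name):
        raise ValueError("unexpected constant name")
    with open(path, encoding="utf-8") as fh:
        head, marker, tail = fh.read().partition(STOP_MARKER)
    if not marker:
        raise ValueError("stop-editing line not found; refusing to edit")

    fd, backup = tempfile.mkstemp(prefix="wp-config.", suffix=".bak", dir=backup_dir)
    os.close(fd)
    shutil.copy2(path, backup)  # copy2 keeps the restrictive file mode

    new_line = f"define( '{name}', {php_value} );"
    existing = re.compile(r"^[ \t]*define\(\s*['\"]" + name + r"['\"]\s*,.*?\)\s*;", re.M)
    if existing.search(head):   # constant already present: update it in place
        head = existing.sub(lambda m: new_line, head, count=1)
    else:                       # otherwise append just above the stop line
        head = head.rstrip() + "\n" + new_line + "\n\n"

    # Build the new file beside the old one so the final swap is atomic.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(head + marker + tail)
        if shutil.which("php"):  # lint with "php -l" when PHP is installed
            subprocess.run(["php", "-l", tmp], check=True, capture_output=True)
        os.chmod(tmp, os.stat(path).st_mode & 0o777)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return backup
```

If the edit misbehaves, copying the returned backup path over wp-config.php restores the previous state.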
wp-config.php Security Hardening

With 11,334 WordPress vulnerabilities discovered in 2025, hardening your wp-config.php isn’t optional. Here’s the checklist:
- Set file permissions to 440 or 400 — this prevents other users on the server from reading it. WordPress.org recommends these restrictive permissions explicitly.
- Disable the file editor — add define( 'DISALLOW_FILE_EDIT', true ); to remove the plugin/theme code editor from the dashboard. If a hacker gets admin access, they can’t inject code through the editor.
- Regenerate security keys after any breach — paste fresh keys from the salt generator to force-log out all sessions.
- Force SSL on admin — add define( 'FORCE_SSL_ADMIN', true );
- Change the default table prefix — if you used wp_ during installation, SQL injection attacks that target the default prefix work out of the box. A custom prefix adds friction.
- Never commit wp-config.php to Git — add it to your .gitignore immediately. Your database password has no business in a repository.
“Disabling the file editor also provides an additional layer of security if a hacker gains access to a well-privileged user account.”
— WordPress.org, Advanced Administration Handbook
What about moving wp-config.php above the root directory? WordPress supports it, but the official documentation now warns that “moving wp-config.php has minimal security benefits” and “if not done carefully, may actually introduce serious vulnerabilities.” For most sites, proper file permissions are sufficient.
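A small audit of a live site's wp-config.php against the checklist above, plus the stop-line rule from the editing section (an added example, not code from the original article or from WordPress). The function name audit_wp_config is hypothetical, and the line-based parsing assumes one define() per line, as in the stock file.

```python
import os, re

STOP_MARKER = "/* That's all, stop editing!"  # prefix of the stop line
# Only defines that start a line, so "// define(...)" is ignored.
DEFINE_RE = re.compile(r"^[ \t]*define\(\s*['\"](\w+)['\"]\s*,\s*(.*?)\s*\)\s*;", re.M)
PREFIX_RE = re.compile(r"^[ \t]*\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", re.M)

def audit_wp_config(path):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    mode = os.stat(path).st_mode & 0o777
    if mode not in (0o440, 0o400):
        findings.append(f"mode is {mode:o}; expected 440 or 400")

    with open(path, encoding="utf-8") as fh:
        head, marker, tail = fh.read().partition(STOP_MARKER)
    consts = {name: value.lower() for name, value in DEFINE_RE.findall(head)}

    for name in ("DISALLOW_FILE_EDIT", "FORCE_SSL_ADMIN"):
        if consts.get(name) != "true":
            findings.append(f"{name} is not set to true")
    if consts.get("WP_DEBUG") == "true":
        findings.append("WP_DEBUG is true")
        if consts.get("WP_DEBUG_DISPLAY") != "false":
            findings.append("WP_DEBUG_DISPLAY is not false while WP_DEBUG is on")
    prefix = PREFIX_RE.search(head)
    if prefix and prefix.group(1) == "wp_":
        findings.append("table prefix is the default wp_")

    # ABSPATH is legitimately defined below the stop line by the stock file.
    late = [n for n, _ in DEFINE_RE.findall(tail) if n != "ABSPATH"]
    if not marker:
        findings.append("stop-editing line not found")
    for name in late:
        findings.append(f"{name} is defined below the stop line")
    return findings
```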
What Happens When You Mess Up wp-config.php

Two scenarios you’ll see if something goes wrong:
White Screen of Death: A PHP syntax error in wp-config.php — missing semicolon, mismatched quote, unclosed parenthesis — causes WordPress to fail silently. You get a blank white page. The fix: access the file via FTP, find the typo, correct it, re-upload.
“Error Establishing a Database Connection”: Wrong database name, user, password, or host. Double-check all four values against what your hosting provider gives you. The most common cause after a migration is forgetting to update DB_HOST — different hosts use different values (some use localhost, others use an IP address or hostname).
🏴‍☠️ PIRATE TIP: If you backed up wp-config.php before editing (like we told you to), recovery is a 30-second FTP upload. If you didn’t back up… lesson learned. The backup is the single most important step. No exceptions.
FAQ — wp-config.php
What is wp-config.php used for?
wp-config.php is the main configuration file for WordPress. It contains your database connection credentials, authentication keys, debug settings, memory limits, and other constants that control how WordPress behaves. Without it, WordPress cannot connect to your database or start.
Where is wp-config.php located?
It’s in the root directory of your WordPress installation — the same folder that contains wp-admin, wp-content, and wp-includes. You can access it via FTP, your hosting file manager, or SSH. WordPress also supports placing it one directory above the root for additional security.
Can I edit wp-config.php from the WordPress dashboard?
No. WordPress does not provide a dashboard interface for editing wp-config.php. You must edit it directly through FTP/SFTP, your hosting file manager (like cPanel), SSH, or WP-CLI. This is by design — the file contains sensitive credentials that shouldn’t be exposed through the web interface.
What happens if I delete wp-config.php?
Your site will immediately go down. WordPress cannot function without wp-config.php because it contains the database connection details. If deleted, WordPress will show the installation setup screen as if it were a fresh install. Restoring the file from a backup will bring your site back immediately.
What file permissions should wp-config.php have?
WordPress.org recommends setting wp-config.php to 440 or 400. These permissions allow the web server to read the file but prevent other users on the server from accessing it. Never set it to 777, which grants universal access and creates a critical security vulnerability.
⚔️ Pirate Verdict
wp-config.php isn’t scary — it’s just a text file with some PHP constants. But it’s a text file that controls your entire site’s security, database connection, and behavior. Learn what the settings do, always back up before editing, and lock it down with proper permissions. The people who get burned by wp-config aren’t the ones who edit it — they’re the ones who edit it without understanding what they’re changing or without a backup to fall back on. Know the file. Respect the file. Keep your ship sailing.
Know the File, Respect the File
Every WordPress developer eventually needs to edit wp-config.php. Now you know what’s inside it, how to edit it safely, and how to harden it against attacks. The process is simple: back up, edit above the stop line, save, test.