What Is wp-config.php and When Should You Edit It? (2026 Guide)
The wp-config.php file is the brain of your WordPress site. It tells WordPress how to connect to your database, how to handle security, and how to behave in dozens of situations you probably never think about — until something breaks.
Most WordPress users never touch this file. But if you’ve ever needed to enable WordPress debug mode, increase your memory limit, fix a White Screen of Death, or lock down your site after a scare — wp-config.php is where you go. One wrong character can take your entire site offline. One right setting can prevent a hack.
This guide covers everything: what’s inside the file, how to safely edit it, the settings worth changing, and how to recover if something goes wrong.
⚡ Key Takeaways
- wp-config.php is the main configuration file that connects WordPress to your database and controls core behavior
- Always back up the file before editing — a single missing semicolon can crash your entire site
- Place all custom code above the line that says /* That's all, stop editing! */
- Set file permissions to 440 or 400 to prevent unauthorized access
- The most common edits: enabling debug mode, increasing memory, disabling the file editor, and changing database credentials
What Is wp-config.php?

wp-config.php is a PHP file that sits in the root directory of every self-hosted WordPress installation. It’s created during the WordPress installation process (the famous “5-minute install”) and contains the fundamental settings WordPress needs to function.
Think of it as the control room of a ship. Every critical system — database connection, security keys, debugging, memory allocation — runs through this single file. Without it, WordPress literally cannot start.
43% of WordPress vulnerabilities in 2025 required no authentication to exploit (Source: Patchstack State of WordPress Security 2026).
That stat matters here because wp-config.php is your first line of defense. Properly configured security keys, locked-down file permissions, and a disabled file editor all live in this file. Misconfigure it, and you’re leaving the vault door open.
What’s Inside wp-config.php — The Key Settings

Open your wp-config.php file and you’ll see a structured PHP file with clearly labeled sections. Here are the settings that matter most.
Database Connection (The Big Four)
define( 'DB_NAME', 'your_database_name' );
define( 'DB_USER', 'your_database_user' );
define( 'DB_PASSWORD', 'your_database_password' );
define( 'DB_HOST', 'localhost' );
These four lines are the only thing connecting WordPress to your data. Get any one of them wrong, and you’ll see the dreaded “Error Establishing a Database Connection” message. Your hosting provider gives you these values — don’t guess them.
Authentication Keys and Salts
Eight unique keys that encrypt the cookies storing your login information. WordPress generates them during installation, but you can regenerate them anytime using the official WordPress salt generator. Changing these keys instantly logs out every user on your site — useful if you suspect a breach.
Debug Mode
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );
define( 'WP_DEBUG_DISPLAY', false );
This trio is your troubleshooting toolkit. WP_DEBUG turns on error reporting. WP_DEBUG_LOG writes errors to /wp-content/debug.log instead of showing them to visitors. WP_DEBUG_DISPLAY should always be false on live sites — displaying PHP errors publicly is a security risk.
🏴☠️ PIRATE TIP: Never leave WP_DEBUG set to true on a production site. It exposes file paths, database queries, and PHP errors that hackers can use to map your server. Debug on staging, not on live. Check your staging site setup if you don’t have one yet.
Memory Limit
define( 'WP_MEMORY_LIMIT', '256M' );
WordPress defaults to 40MB for single sites and 64MB for WordPress Multisite. That’s often not enough for sites running WooCommerce, page builders, or image-heavy content. Bumping to 256MB is safe for most hosting environments. Your host may cap this — check with them if the setting doesn’t take effect.
Other Settings Worth Knowing
- DISALLOW_FILE_EDIT — set to true to remove the plugin/theme editor from the dashboard (security best practice)
- WP_POST_REVISIONS — limit stored revisions (e.g., 5) to keep your database lean
- EMPTY_TRASH_DAYS — set how many days before trashed posts are permanently deleted (default: 30)
- WP_HOME and WP_SITEURL — hard-code your site URL, useful after a domain change or migration
- FORCE_SSL_ADMIN — force HTTPS on the admin dashboard
How to Safely Edit wp-config.php

Editing wp-config.php is straightforward — the danger isn’t complexity, it’s carelessness. As Jetpack warns: “A minor syntax error, such as a missing semicolon or quote, can cause an immediate site-wide outage.”
Four ways to access the file:
| Method | Best For | Skill Level |
|---|---|---|
| FTP/SFTP (FileZilla) | Most users — download, edit locally, re-upload | Beginner |
| cPanel File Manager | Quick edits — edit directly in the browser | Beginner |
| SSH (nano/vim) | Developers — fastest method | Intermediate |
| WP-CLI | Automation — set constants via command line | Advanced |
Regardless of method, follow these rules:
- Back up the file first — download a copy of wp-config.php before making any changes
- Use a plain text editor — Notepad++, VS Code, or Sublime Text. Never Microsoft Word or Google Docs (they add invisible formatting characters that break PHP)
- Place your code above the stop line — every custom define() goes above /* That's all, stop editing! */
- Check your syntax — every line needs a semicolon at the end, every string needs matching quotes, every parenthesis needs a partner
wp-config.php Security Hardening

With 11,334 WordPress vulnerabilities discovered in 2025, hardening your wp-config.php isn’t optional. Here’s the checklist:
- Set file permissions to 440 or 400 — this prevents other users on the server from reading it. WordPress.org recommends these restrictive permissions explicitly.
- Disable the file editor — add define( 'DISALLOW_FILE_EDIT', true ); to remove the plugin/theme code editor from the dashboard. If a hacker gets admin access, they can’t inject code through the editor.
- Regenerate security keys after any breach — paste fresh keys from the salt generator to force-log out all sessions.
- Force SSL on admin — add define( 'FORCE_SSL_ADMIN', true );
- Change the default table prefix — if you used wp_ during installation, SQL injection attacks that target the default prefix work out of the box. A custom prefix adds friction.
- Never commit wp-config.php to Git — add it to your .gitignore immediately. Your database password has no business in a repository.
“Disabling the file editor also provides an additional layer of security if a hacker gains access to a well-privileged user account.”
— WordPress.org, Advanced Administration Handbook
What about moving wp-config.php above the root directory? WordPress supports it, but the official documentation now warns that “moving wp-config.php has minimal security benefits” and “if not done carefully, may actually introduce serious vulnerabilities.” For most sites, proper file permissions are sufficient.
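The checklist above can be turned into a repeatable audit. The following is an added example, not code from the original article or from WordPress: the function names, the sample config and the finding strings are hypothetical, and the line-based regex does not understand constants hidden inside `/* ... */` block comments.

```python
import os
import re
import stat
import tempfile

# define( 'NAME', value ); at the start of a line; '//' or '#' comment lines do not match.
DEFINE_RE = re.compile(r"""^\s*define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""", re.M)
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""", re.M)
# Constructed sample, not a real site's configuration.
SAMPLE = """<?php
define( 'WP_DEBUG', true );
// define( 'DISALLOW_FILE_EDIT', true );
define( 'FORCE_SSL_ADMIN', true );
$table_prefix = 'wp_';
/* That's all, stop editing! */
"""

def audit_wp_config(path):
    """Return hardening findings for the wp-config.php at `path` (empty list = clean)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode not in (0o440, 0o400):
        findings.append(f"permissions are {mode:03o}, expected 440 or 400")
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    consts = {n: v.strip("'\"").lower() for n, v in DEFINE_RE.findall(text)}
    for name in ("DISALLOW_FILE_EDIT", "FORCE_SSL_ADMIN"):
        if consts.get(name) != "true":
            findings.append(f"{name} is not set to true")
    if consts.get("WP_DEBUG") == "true":
        findings.append("WP_DEBUG is true")
    prefix = PREFIX_RE.search(text)
    if prefix and prefix.group(1) == "wp_":
        findings.append("table prefix is the default wp_")
    return findings

def audit_text(text, mode):
    """Write `text` to a temp file with permission bits `mode`, audit it, clean up."""
    fd, path = tempfile.mkstemp(suffix=".php")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)
        return audit_wp_config(path)
    finally:
        os.remove(path)

if __name__ == "__main__":
    print("\n".join(audit_text(SAMPLE, 0o644)))
```

Note that the commented-out DISALLOW_FILE_EDIT line in the sample is reported as missing, which is the case a quick visual scan of the file tends to overlook.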
What Happens When You Mess Up wp-config.php

Two scenarios you’ll see if something goes wrong:
White Screen of Death: A PHP syntax error in wp-config.php — missing semicolon, mismatched quote, unclosed parenthesis — causes WordPress to fail silently. You get a blank white page. The fix: access the file via FTP, find the typo, correct it, re-upload.
“Error Establishing a Database Connection”: Wrong database name, user, password, or host. Double-check all four values against what your hosting provider gives you. The most common cause after a migration is forgetting to update DB_HOST — different hosts use different values (some use localhost, others use an IP address or hostname).
🏴☠️ PIRATE TIP: If you backed up wp-config.php before editing (like we told you to), recovery is a 30-second FTP upload. If you didn’t back up… lesson learned. The backup is the single most important step. No exceptions.
Common Mistakes That Break Your Site (And How to Avoid Them)

Most WordPress site-breaking disasters come from three rookie errors in this file. First, adding extra spaces or line breaks before the opening <?php tag or after the closing ?> tag. These invisible characters trigger “headers already sent” errors that lock you out completely. Second, using the wrong quote marks—copying code from Microsoft Word or rich text editors imports curly quotes instead of straight quotes, causing immediate parse errors.
Third is database credential typos. One wrong character in your database name, username, or password means your entire site shows “Error establishing database connection.” Always copy-paste credentials directly from your hosting panel—never retype them manually.
- Never edit the file in Windows Notepad—it adds hidden BOM characters that break PHP
- Don’t leave the closing ?> tag at the end—WordPress core removed it years ago to prevent whitespace issues
- Always use UTF-8 encoding without BOM when saving the file
- Keep a backup before every edit, even for “small” changes
The best practice? Use a proper code editor like Sublime Text, VS Code, or the built-in editor in your hosting control panel. These tools show invisible characters and use correct encoding by default, preventing 90% of common configuration disasters.
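The mistakes listed in this section are all visible in the file's raw bytes, so they can be caught before upload. This is an added example, not part of the original article: the function name, messages and sample bytes are hypothetical, and the semicolon check is a single-line heuristic that does not replace a real syntax check such as `php -l`.

```python
import re

CURLY = "\u2018\u2019\u201c\u201d"  # typographic quotes pasted from word processors

# Constructed sample containing four of the mistakes described above.
BROKEN = (
    b"\xef\xbb\xbf<?php\n"
    + "define( \u2018WP_MEMORY_LIMIT\u2019, '256M' );\n".encode("utf-8")
    + b"define( 'DISALLOW_FILE_EDIT', true )\n"
    + b"?>\n"
)
CLEAN = b"<?php\ndefine( 'WP_MEMORY_LIMIT', '256M' );\n"

def preflight(raw: bytes):
    """Return a list of problems found in the raw bytes of a wp-config.php."""
    problems = []
    if raw.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 BOM before <?php")
        raw = raw[3:]
    if not raw.startswith(b"<?php"):
        problems.append("content before the opening <?php tag")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return problems + ["file is not valid UTF-8"]
    for lineno, line in enumerate(text.splitlines(), 1):
        if any(ch in line for ch in CURLY):
            problems.append(f"line {lineno}: curly quote")
        code = line.strip()
        # Heuristic: a single-line define() should contain its terminating semicolon.
        if code.startswith("define(") and ";" not in code:
            problems.append(f"line {lineno}: define() without a semicolon")
    if re.search(r"\?>\s*\Z", text):
        problems.append("closing ?> tag at end of file")
    return problems

if __name__ == "__main__":
    for problem in preflight(BROKEN):
        print("PROBLEM:", problem)
```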
FAQ — wp-config.php
What is wp-config.php used for?
wp-config.php is the main configuration file for WordPress. It contains your database connection credentials, authentication keys, debug settings, memory limits, and other constants that control how WordPress behaves. Without it, WordPress cannot connect to your database or start.
Where is wp-config.php located?
It’s in the root directory of your WordPress installation — the same folder that contains wp-admin, wp-content, and wp-includes. You can access it via FTP, your hosting file manager, or SSH. WordPress also supports placing it one directory above the root for additional security.
Can I edit wp-config.php from the WordPress dashboard?
No. WordPress does not provide a dashboard interface for editing wp-config.php. You must edit it directly through FTP/SFTP, your hosting file manager (like cPanel), SSH, or WP-CLI. This is by design — the file contains sensitive credentials that shouldn’t be exposed through the web interface.
What happens if I delete wp-config.php?
Your site will immediately go down. WordPress cannot function without wp-config.php because it contains the database connection details. If deleted, WordPress will show the installation setup screen as if it were a fresh install. Restoring the file from a backup will bring your site back immediately.
What file permissions should wp-config.php have?
WordPress.org recommends setting wp-config.php to 440 or 400. These permissions allow the web server to read the file but prevent other users on the server from accessing it. Never set it to 777, which grants universal access and creates a critical security vulnerability.
⚔️ Pirate Verdict
wp-config.php isn’t scary — it’s just a text file with some PHP constants. But it’s a text file that controls your entire site’s security, database connection, and behavior. Learn what the settings do, always back up before editing, and lock it down with proper permissions. The people who get burned by wp-config aren’t the ones who edit it — they’re the ones who edit it without understanding what they’re changing or without a backup to fall back on. Know the file. Respect the file. Keep your ship sailing.
Know the File, Respect the File
Every WordPress developer eventually needs to edit wp-config.php. Now you know what’s inside it, how to edit it safely, and how to harden it against attacks. The process is simple: back up, edit above the stop line, save, test.
Frequently Asked Questions
Can I edit wp-config.php from the WordPress admin dashboard?
No, wp-config.php is intentionally not editable from the WordPress dashboard for security reasons. You need to access it via SFTP, SSH, or your hosting control panel’s file manager. This is actually a good thing—if someone hacks your WordPress login, they can’t immediately modify your database credentials or security keys.
What happens if I delete wp-config.php by accident?
Your site will immediately go down and display an error asking you to create the configuration file. WordPress can’t connect to your database without it, so every page request fails. You’ll need to restore it from a backup or run through the WordPress installation process again (which will regenerate wp-config.php with your database details).
Do I need to restart anything after editing wp-config.php?
No, changes take effect immediately on the next page load. WordPress reads wp-config.php fresh on every single request, so there’s no caching or server restart required. Just save the file, upload it if you’re working locally, and refresh your browser.
Which file permissions should wp-config.php have?
Set it to 440 or 400 for maximum security—this makes the file read-only and inaccessible to the web server’s write processes. Most hosts default to 644, which is functional but less secure. You can change permissions via SFTP, SSH with chmod, or your hosting file manager.
Can I move wp-config.php to a different location?
Yes, WordPress allows you to move wp-config.php one directory level up from your WordPress root folder. This keeps it outside the publicly accessible web directory, adding a layer of security since it can’t be accessed via browser even if permissions are misconfigured. WordPress will automatically detect it in the parent directory.