Best Practices of WordPress wp-config.php file | Tutorial Freak – Online Tutorials

Do you know how many files there are in a standard WordPress installation? Well, it is not important to know. But since I already asked the question, let me tell you that there are 981 files in the current WordPress version (version 3.4.1) installation. Of these, wp-config.php is the most important. It is the heart of a WordPress installation. Let us look at some best practices for this file to ensure the security and speed of your site.


It is always better to have a backup of any file you are trying to modify. The old saying “Better safe than sorry” is always relevant.

Back up your complete WordPress installation by whichever method you prefer – FTP, web, direct, server to server etc.

Let's start!

Tweak for Faster WordPress: Disable auto-saving of post revisions

This feature is enabled by default and leads to unnecessary bloating of the database. Revisions are kept so that you can revert to a previous version of a post whenever required. Most users never use this feature, and if you do not plan to use it either, add the line of code below to your wp-config.php file. This will reduce unnecessary bloating of your database and give you a faster website.

define('WP_POST_REVISIONS', false );

If you plan to use revisions feature, try to limit the number of post revisions to be saved to a maximum of 2 or 3. You can use the below code for that.

define('WP_POST_REVISIONS', 3 );

3 being the maximum revisions you would like to allow.

Tweak for Faster WordPress: Set a Cookie Domain

If you serve static content (media uploads etc.) from a subdomain, it is a good idea to set the “cookie domain” to the host name that serves your WordPress pages. By doing that, cookies won’t be sent each time static content is requested, which reduces page load times. Do that by adding the line of code below to your wp-config.php file:

define('COOKIE_DOMAIN', 'www.example.com'); // placeholder: use the host name of your main (non-static) site

Tweak for Faster WordPress: Changing your Filesystem Method

If you install, update or delete your plugins and/or themes very frequently, chances are that you hate entering your FTP password every time you add/remove/change something on your site. The code below makes it easier for you by forcing the filesystem to use direct file I/O requests from within PHP – in other words, you won’t need to enter FTP credentials anymore.

define('FS_METHOD', 'direct');

Please note that this setting might not work with every hosting provider, and even where it works it can cause security issues on poorly configured hosts: with direct file access, the web server's PHP process itself must be able to write to the WordPress files. So make sure that you’re using it on a well-configured server. Also check with your hosting provider about securing your server.

Secure your WordPress Installation: Restrict Access to the wp-config.php File

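This tweak requires you to edit the .htaccess file in your root directory, not the wp-config.php file. It prevents people from loading wp-config.php directly with a browser. The directives below use the Apache 2.2 access-control syntax; Apache 2.4 accepts them only when mod_access_compat is loaded. Just add the code below and you will be fine:

# protect wp-config.php
<files wp-config.php>
    order allow,deny
    deny from all
</files>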

Secure your WordPress Installation: Force SSL on the Admin Panel

Is SSL enabled on your server? If yes, you can force WordPress to use a secure connection while you’re logging in with this line of code:

define('FORCE_SSL_LOGIN', true);

Are you extra cautious when it comes to security? You can make WordPress use SSL on every admin page so everything you do in there is done with an encrypted connection:

define('FORCE_SSL_ADMIN', true);

Further information can be found here.

Secure your WordPress Installation: Add Security Keys!

This is one of the most essential security precautions for WordPress. Just go to this page and copy and paste the code into your WordPress wp-config.php file. Easy enough? Just do it!!

General wp-config tweak: Change the Autosave Interval

If you work on your post for longer hours, you might find it annoying that WordPress automatically saves your current content every 60 seconds. If you do not like this and want to set the autosave interval to a higher value, you can do it by defining it in the wp-config.php file like this:

define('AUTOSAVE_INTERVAL', 120 ); // the value should be in seconds!

Secure your WordPress Installation: Change the Database Prefix

This piece of advice has been given out numerous times! Yet, people do not follow it (so bad!). If WordPress had a security flaw which allowed hackers to use the hacking method known as “SQL injection”, they could easily use the default prefix of your WordPress database tables to delete them. However, if you have a different table prefix than the default (wp_), they wouldn’t be able to guess that, would they?

So, while setting up a new WordPress website, either change the default value on the installation page or in the wp-config.php file, change the line below:

$table_prefix  = 'wtf_';

It is better to keep it very random instead of something related to your domain so that hackers cannot guess it easily.

Beware: If you want to change the database prefix on an existing WordPress site, you cannot just change the prefix in the wp-config.php file – you’ll get database connection errors. You should use a plugin for that since it involves changing the database tables and some specific values inside those tables. I recommend the DB Prefix Change plugin.

General WordPress Tweaks: Easily Move Your WordPress Website

WordPress is full of surprises, and this is one of them. If you ever need to move your website to a new domain (or a new subdomain, or a new folder), define this constant on your wp-config.php file before moving your files and database:

define('RELOCATE',true); // We're not done yet!

After setting this and moving your files and database, log in with your WP credentials and, after that, check if the home URL has changed on the General Options page. After confirming that it has changed, delete the constant in your wp-config.php file. This little trick of WordPress’ saves you the burden of editing the database manually.

Tip: While this literally “moves” your website, it doesn’t affect the hard-coded links in your content. To replace them, you should use a plugin like Search Regex and replace the old links with new ones.

General WordPress tweaks: Disable Editing of Plugin & Theme Files

If you’re a web designer and using WordPress with your clients’ websites, you might want to disable the editing of theme and plugin files by adding the constant below:


Even better, you can also disable installing new themes and plugins, and updating them:


Just remember that theme and plugin updates are sometimes very important when they fix security flaws. So if you’re going to disable updating and installing new plugins/themes, you will have to track the updates in some other way.

General WordPress tweaks: Enable WP_DEBUG While Developing

This is an easy one: If you’re developing a plugin or a theme, it’s good practice to enable the debug feature of WordPress to see what kinds of notices and warnings you’re getting:


Sometimes it’s amazing to see how easily you can make mistakes while developing! :)
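The security-related settings above can be checked mechanically on an existing site. The following Python script is an added example, not code from the original article or from WordPress: it flags missing or placeholder security keys, the default wp_ table prefix, a missing FORCE_SSL_ADMIN, an enabled file editor (neither DISALLOW_FILE_EDIT nor DISALLOW_FILE_MODS set, which are the WordPress constants for the two file-editing tweaks above), WP_DEBUG left on, and FS_METHOD set to direct. The function name, the finding codes and the sample configuration are constructed for illustration.

```python
import re

# define('NAME', 'string') or define('NAME', bare_token) at the start of a line,
# so defines commented out with // or # are ignored (/* */ blocks are not handled).
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"](\w+)['"]\s*,\s*(?:'([^']*)'|"([^"]*)"|([^)\s]+))\s*\)\s*;""",
    re.MULTILINE)
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]""", re.MULTILINE)
KEY_NAMES = [p + s for s in ("_KEY", "_SALT")
             for p in ("AUTH", "SECURE_AUTH", "LOGGED_IN", "NONCE")]
PLACEHOLDER = "put your unique phrase here"  # default text in wp-config-sample.php


def audit(text):
    """Return sorted finding codes (names are this example's own) for a wp-config.php text."""
    consts = {n: (sq or dq or bare) for n, sq, dq, bare in DEFINE_RE.findall(text)}

    def on(name):
        return consts.get(name, "").lower() in ("true", "1")

    findings = {"weak-key:" + k for k in KEY_NAMES
                if consts.get(k, PLACEHOLDER) in ("", PLACEHOLDER)}
    prefix = PREFIX_RE.search(text)
    if prefix and prefix.group(1) == "wp_":
        findings.add("default-table-prefix")
    if not on("FORCE_SSL_ADMIN"):
        findings.add("admin-without-ssl")
    if not (on("DISALLOW_FILE_EDIT") or on("DISALLOW_FILE_MODS")):
        findings.add("file-editor-enabled")
    if on("WP_DEBUG"):
        findings.add("debug-enabled")
    if consts.get("FS_METHOD") == "direct":
        findings.add("fs-method-direct")
    return sorted(findings)


# Constructed sample input for illustration; not taken from a real site.
SAMPLE = """<?php
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'k9#Lq/zT(constructed);value');
$table_prefix  = 'wp_';
// define('FORCE_SSL_ADMIN', true);
define('WP_DEBUG', true);
define('FS_METHOD', 'direct');
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To check a real file, pass its contents to audit(); a debug-enabled finding is expected on a development copy and only matters on a live site.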


These tips will help you out a great deal, since wp-config.php is the lifeline of any WordPress installation. Keeping it secure is very important. Also important is keeping your WordPress site very light so that visitors do not have to wait long for pages to load.

There are many other wp-config.php settings. Feel free to share them using the comments form below.

Author, Blogger, SEO Expert, Working Professional and a Student! I play so many roles in life and love what I do. I enjoy each moment of my life.

Sagar – who has written posts on Tutorial Freak – Online Tutorials.
