Like Quertime on Facebook!

20 WP-Config Snippets to Configure WordPress Site

Posted on by in WordPress

WordPress is one of the simplest yet most efficient content management systems out there, allowing you to have a website up and running with just a few clicks, with little to no technical skills necessary in the process. However, while most of the basic settings can be configured through the use of the visual interface WordPress Admin, additional customization is possible though wp-config.php – a file that contains numerous parameters for your new site. It is important to note that wp-config.php contains a lot of settings that can make or break your website, so make sure you have a backup copy of it you can use in case things go south.


Now that you’re all set, here are 20 wp-config snippets to configure your WordPress site and make it more secure.

1. Enable Debugger

Enabling the debugger is a great idea during your setup, as it is an easy and convenient way to accurately track what works as intended, and what doesn’t. You can enable the debugger for WordPress, as well as the debugger for the front end, by using the following code:

* For developers: WordPress debugging mode.
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
define('WP_DEBUG', true);

2. Change Your Database Prefix

By default, WordPress uses the “wp_” prefix for your databases, and while that makes is easier to locate them when your browsing through your files, it also makes it easier for potential intruders to identity them and target them. Luckily, changing the prefix of a database is quite simple, as there already is an option in the wp-config file to do so. Simply look for “$table_prefix =“ and change it to something of your choice. It’s important to do this right after install, on a new deployment, and not to an active installation, otherwise it may get corrupted.

# Creates secure table prefix for database tables
# Only numbers, letters, underscores
$table_prefix = 'a81kJt_';

3. Add Your Database Credentials

Now that you changed your database name, you need to let WordPress know what you changed it to, and how to access it. This is done by adding your database credentials to wp-config. You can do so using the following code:

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'database_name_here');
/** MySQL database username */
define('DB_USER', 'username_here');
/** MySQL database password */
define('DB_PASSWORD', 'password_here');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

4. Set up Authentication Keys

Another important step towards increased security is setting up custom authentication keys. These keys are usually stored in the cookies that are downloaded to a user’s browser, so setting up strong authentication keys can make it impossible for a hacker to decode the cookies to obtain useful data. WordPress even has a special generator in place to help you generate complex keys.

Use this code to add your keys to wp-config:

* Authentication Unique Keys and Salts.
* Change these to different unique phrases!
* You can generate these using the {@link secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
* @since 2.6.0
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

5. Set WordPress URLs

Setting up your WordPress URLs directly from wp-config can save you a lot of headaches in case your WordPress Admin area becomes inaccessible for various reasons. To set the URLs, just add this code:

# Specifies site URL
define('WP_SITEURL', '');
# Specifies home URL (the root of the WP install)
define('WP_HOME', '');

6. Enable WordPress Cache

While there are numerous caching plugins out there that automatically do this for you, you can also enable and use WordPress’ own cache feature, if you don’t need any advanced settings offered by third party options. To enable the WordPress cache from wp-config, just use this code:

# Enables WP cache
define( 'WP_CACHE', true);

7. Enable WordPress Multisite

Using WordPress Multisite is a great option if you need to manage multiple WordPress-based websites from a single WordPress Admin interface. To enable this feature, simply add the following code to wp-config:

# Turns on WordPress Multisite
define( 'WP_ALLOW_MULTISITE', true );

8. Redirect Inexistent Subdomains

It’s not uncommon for a visitor to type in an incorrect subdomain name, so you will need to make sure that doesn’t affect his usage experience. With the redirect feature, you can redirect the visitor from an inexistent or incorrectly types address to a page of your choice. Just add the following code:

# Redirects non-existing subdomains and subfolders to homepage
define( 'NOBLOGREDIRECT', '');

9. Set up Language

By default, WordPress is set to use English. However, you can change the language to any language you want by adding the corresponding language files to wp-content/languages, and then instructing WordPress to use it, using the following code:

* WordPress Localized Language, defaults to English.
* Change this to localize WordPress.  A corresponding MO file for the chosen
* language must be installed to wp-content/languages. For example, install
* to wp-content/languages and set WPLANG to 'de' to enable German
* language support.
define ('WPLANG', '');

10. Configure Auto-Save

WordPress comes with an auto-save feature that saves your posts as you write them, at a pre-defined interval. The default interval is 60 seconds, but it can be changed using the following code:

/** Specify the Autosave Interval */
define('AUTOSAVE_INTERVAL', 120); // I have changed to 120 seconds.

11. Configure Post Revisions

Another fail-safe feature of WordPress is post revisions. This feature saves a copy of your post every time you make a change and save it, so you can revert back to it in case you mistakenly saved something. You can set up how many revisions are saved, or disable the feature altogether using the following code snippets:

/** Disable the post-revision feature */
define('WP_POST_REVISIONS', false);
/** Limit the number of saved revisions */
define('WP_POST_REVISIONS', 2); // insert number of revisions to be saved here

12. Configure Trash

The Trash feature is yet another fail-safe feature offered by WordPress: when you hit Delete on a post, comment, attachment, or other elements, instead of getting permanently deleted, they get sent to Trash. However, you will need to make sure that Trash folder does not get overcrowded, so use the following code to automate trash handling:

/** Empty trash in 7 days */
define('EMPTY_TRASH_DAYS', 7);
/** Disable Trash */
define('EMPTY_TRASH_DAYS', 0);

13. Configure Repair

With so many reads and writes, it’s not uncommon for a WordPress database to get corrupted. Luckily, these small issues can be easily repaired using an auto-repair feature. Enable it with the following code:

/** Set Automatic Database Repair */
define('WP_ALLOW_REPAIR', true);

14. Configure Memory

Depending on your project size, the memory consumption by PHP can vary, sometimes exceeding the allocated space. If you run into the error “Allowed memory size of xx bytes exhausted”, you will need to increase the memory allocation. You can do so with the following code:

/** Setting PHP Memory Limit to 128MB */
define('WP_MEMORY_LIMIT', '128M');

15. Configure Updates

WordPress gets constant updates, which are installed automatically in the background. However, you can toggle automatic updates off, so you can manually install only the updates you deem necessary. To do so, use the following code:

# Disables all automatic updates

# Disables all core updates
define( 'WP_AUTO_UPDATE_CORE', false);

# Enables all core updates, including minor and major releases
define( 'WP_AUTO_UPDATE_CORE', true);

# Enables core updates only for minor releases (default)
define( 'WP_AUTO_UPDATE_CORE', 'minor');

16. Disable Plugins / Theme Editing

Disabling plugins and theme editing is a good security measure you should consider if you are not the sole administrator of the site. By disabling plugins and theme editing, should an administrator account be breached, the intruder will not be able to do damage to your theme and plugins. Use this code to do so:

/** Disabling the Plugin and Theme Editor */

17. Disable Image Edit Copies

When an image is edited, WordPress automatically saves a copy of it in a different resolution, for backup purposes. However, if this is not a feature you need or use, you can disable it with the following code:

# Cleans up image edits
define( 'IMAGE_EDIT_OVERWRITE', true);

18. Disable Unfiltered HTML

By default, unfiltered HTML usage is disabled for lower classes of users (visitors, subscribers, contributors, etc.). However, people with higher access can still use unfiltered HTML, which can be a security loophole should one such account gets compromised. To disabled the use of unfiltered HTML, simply use this code:

# Disables unfiltered HTML for admins and editors

19. Enable SSL Logins

Another way to increase the security of your website is to enforce SSL login for your users and admins. This greatly reduces the chances of pishing and impersonation. Use the following code to enforce SSL logins:

# Forces SSL login
define( 'FORCE_SSL_ADMIN', true);

20. Protect wp-config

So you’ve made all the right settings to your wp-config file, but how do you make sure nobody alters them? The answer is simple: you secure the wp-config.php file. To do so, you will need to enter the following code directly to your root .htaccess file:

# BEGIN Protect wp-config.php
Order Allow,Deny
Deny from all
# ENDProtect wp-config.php
Author: Charles Goodwin

Charles Goodwin is the writer to this article. He is a regular contributor at many sites and mainly focuses on business and technology related topics. He recommends to get web design services in London.

Tags: , , ,

Comments are closed.