The wp-config.php file plays a key role in your WordPress site as well as its security. But to manage the file you need to have some knowledge. This article provides the complete idea about WordPress configuration and the crucial benefits offered by it.
An Introduction to wp-config.php File
So, let’s first understand what wp-config.php is. Your database configuration is stored on your website by this file.
The information that is stored within the file includes your username, password, database names and database host.
The wp-config.php isn’t pre-built in WordPress but is created while the installation of WordPress is done. It is specifically developed for the user. You will find this file in the root directory of your website. Here, the location is displayed in /public_html.
For changing the wp-config.php, you will need an FTP (i.e. FileZilla) or MilesWeb File Manager. Then download the file to your hard drive.
For example, here we’ll use wp-config-sample.php as our source. This is the base version of wp-config.php located in your WordPress directory, so both files are not completely different. The code is mentioned in PHP constant and appears as below:
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'database_name_here');
/** MySQL database username */
define('DB_USER', 'username_here');
/** MySQL database password */
define('DB_PASSWORD', 'password_here');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
/**#@-*/
/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';
/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the Codex.
*
* @link https://codex.wordpress.org/Debugging_in_WordPress
*/
define('WP_DEBUG', false);
/* That's all, stop editing! Happy blogging. */
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/');
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
MySQL Settings for wp-config.php
You will find your database configuration written under MySQL settings in wp-config.php. It contains your database name, MySQL hostname, username, and password. You can change one of these when you migrate your website to another web host and decide to update MySQL details. Below is a snippet:
// ** MySQL settings - You can get this info from your web host ** // /** The name of the database for WordPress */ define( 'DB_NAME', 'database_name_here' ); /** MySQL database username */ define( 'DB_USER', 'username_here' ); /** MySQL database password */ define( 'DB_PASSWORD', 'password_here' ); /** MySQL hostname */ define( 'DB_HOST', 'localhost' );
You can see this information with another method and that is by searching the web hosting control panel. Log in to your web hosting account, click the Database section, and select MySQL Databases.
Apart from this, you can change several things inside wp-config.php to enhance your website. It allows you to generate Authentication Key and Salts, change your table prefix, enable debugging mode, and move the file for security reasons. Let’s check them one by one.
Security Keys
You can create Authentication Keys and Salts inside the wp-config.php file. With this your website will remain secured with more advanced methods by encrypting the user’s information.
When you opt for this, you will need a series of strong passwords. These can be generated with the WordPress password generator. After you have your passwords, paste them one by one inside the apostrophe to replace ‘put your unique phrase here’.
/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
/**#@-*/
You will find a strong effect after its implementation as all users will get logged out and current cookies will become invalid. In this way, hackers that are trying to hack your credentials will be forced to get out.
Database Table Prefix
Generally, WordPress sets a predefined table prefix in wp-config.php and allows you to add more layer of protection by modifying it. It reads as below:
$table_prefix = 'wp_';
So, we recommend you to change this prefix while the installation process for high security. When you replace the existing prefix, it will make harder for SQL injections to happen.
The wp prefix can be changed with something randomly but don’t forget that you can only use letters, numbers and underscores for this. Check it below:
$table_prefix = 'wp_custom751Admin_';
It is best to opt for something complex. Or else, it will beat the intention of changing database table prefix in the first place.
Debugging Mode
By default, you will find the debugging mode turned off. You can turn it on if you want to learn about WordPress development.
The use of debugging mode is for notifying the developers after codes are being executed. This helps them to check for bugs on their website. However, if this function is considered, the debugging mode can still be useful for more general users.
You can turn on debugging mode in a simple way. You just need to find the line attached below, change debug mode to true as it is originally set to false.
define('WP_DEBUG', false);
Finding and Editing The wp-config.php File Location
It can be dangerous to change the wp-config.php location so it is important to perform a backup. But since it is risky, you can move your wp-config.php file to a new location so hackers won’t find it easily. It is always better to have one more safety measure.
For changing the wp-config.php location, select FTP application of your choice and follow the below instructions:
Find your wp-config.php in the root directory of your website (as shown earlier).
Place your wp-config.php to another location by drag-and-dropping it to your preferred directory. In this case, we will place it inside /public_html/wp-admin/user
When you are done with this process, your website won’t be accessible because it does not identify the location of the wp-config file that you just moved. So, you will have to create another wp-config.php in a text editor in your PC for your website to know where the actual file is now located. From our example, the new wp-config.php file should only contain:
<?php include(‘/domains/hostinger-dev-9.xyz/public_html/wp-admin/user’); ?>
Make sure you replace the directory above with the new location of your wp-config.php.
Then upload the new file to your root directory–the location where the original wp-config.php was located. If find your backup file still there, overwrite it.
That’s it! Your WordPress configuration file is now located in a safer place.
Conclusion
In this article, you have learned the importance of wp-config.php for WordPress. It comprises of sensitive information that should be kept away from the people having bad intentions. It’s fortunate that you can do several things to increase your website’s security and control. Don’t forget to be careful while editing it as you won’t be able to access the WordPress website if anything goes wrong.
