If you’ve ever looked under the hood of your WordPress installation, you’ll have seen a ton of files (almost 4,000 in a basic installation).

The most important file is wp-config.php.

WordPress loads this file on every request, because it holds the settings WordPress needs to connect to your database and run.

In this article, we are going to look at how we can Power Up that file (the wp-config.php) to enhance our website software.

Let’s start by looking at the wp-config.php (named wp-config-sample.php) that comes with every brand new WordPress installation and exploring what each setting does.

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'database_name_here' );

/** MySQL database username */
define( 'DB_USER', 'username_here' );

/** MySQL database password */
define( 'DB_PASSWORD', 'password_here' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define( 'AUTH_KEY', 'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'put your unique phrase here' );
define( 'LOGGED_IN_KEY', 'put your unique phrase here' );
define( 'NONCE_KEY', 'put your unique phrase here' );
define( 'AUTH_SALT', 'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT', 'put your unique phrase here' );
define( 'NONCE_SALT', 'put your unique phrase here' );
/**#@-*/


/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the Codex.
 *
 * @link https://codex.wordpress.org/Debugging_in_WordPress
 */
define( 'WP_DEBUG', false );

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}

/** Sets up WordPress vars and included files. */
require_once( ABSPATH . 'wp-settings.php' );

Whenever I move a WordPress website from a local installation to a live server, I use the wp-config to give my website the new URL.

WordPress SALTS

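WordPress uses pass phrases (the eight keys and salts in the sample above) to help protect your website. They secure the login cookies, so changing them forces every user to log in again. You can get these randomly generated SALTS at the WordPress Salt Key Generator (https://api.wordpress.org/secret-key/1.1/salt/).

Paste the newly generated SALTS over the existing sample ones.

If you don’t have access to your WP-Config, the iThemes Security plugin can generate SALTS and add them for you.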
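
The SALTS step above can also be checked and done locally. The following is an added example, not code from the original article or from WordPress: it finds salts that are missing, still set to the shipped placeholder, or reused, and replaces them with values from Python's secrets module instead of the online generator. The function names and the SAMPLE config are constructed for illustration.

```python
import re
import secrets

# The eight constants listed in wp-config-sample.php.
SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"
# Printable ASCII without ' and \, so values need no escaping in a
# single-quoted PHP string.
ALPHABET = [chr(c) for c in range(33, 127) if chr(c) not in "'\\"]
DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\);")

def new_secret(length=64):
    """Random value drawn from the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def weak_salts(config_text):
    """Names of salts that are missing, still the placeholder, or reused."""
    found = {n: v for n, v in DEFINE_RE.findall(config_text) if n in SALT_NAMES}
    values = list(found.values())
    return [n for n in SALT_NAMES
            if n not in found or found[n] == PLACEHOLDER
            or values.count(found[n]) > 1]

def rotate_salts(config_text):
    """Replace every salt define() with a fresh value; leave the rest alone."""
    def fresh(match):
        name = match.group(1)
        if name not in SALT_NAMES:
            return match.group(0)
        return "define( '%s', '%s' );" % (name, new_secret())
    return DEFINE_RE.sub(fresh, config_text)

# Constructed sample: a config still carrying the shipped placeholders.
SAMPLE = "define( 'DB_NAME', 'database_name_here' );\n" + "".join(
    "define( '%s', '%s' );\n" % (n, PLACEHOLDER) for n in SALT_NAMES)

if __name__ == "__main__":
    print(weak_salts(SAMPLE))                # all eight names
    print(weak_salts(rotate_salts(SAMPLE)))  # []
```

Rotating the values on a live site logs every user out, as the comment in the sample file says.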

Table Prefix

WordPress allows you to set the table prefix so that the database can be organized in a sensible way. By default, the table prefix is wp_.

If you can, always change that to something more random. Hackers know that default and can use it in their attempts to gain access to your database. Choose the prefix when you install WordPress: on an existing site the tables already carry the old prefix, so changing this line alone will break the site.

I will use: 83y0rawdz_wp_ and yes, I did mash my keyboard to get a random table prefix. I like to leave the _wp_ in case I have multiple WordPress installs using the one database (which I never do, but might).

Whatever you use for the prefix, always end it with an underscore. As plugins create tables, the underscore keeps the prefix clearly separated from the table names.

Additions to WP-CONFIG

Auto Save
You can choose how often WordPress auto saves your work by setting the interval, in seconds, with this code:

define( 'AUTOSAVE_INTERVAL', 160 );

You can disable post revisions by adding this code:

define( 'WP_POST_REVISIONS', false );

If you would rather keep revisions but make sure your database doesn’t store an unlimited number of them, use this instead (define WP_POST_REVISIONS only once):

define( 'WP_POST_REVISIONS', 10 );

WordPress automatically deletes your trashed posts, pages, attachments and comments after 30 days. You can decrease that by adding this code and changing the number of days:

define( 'EMPTY_TRASH_DAYS', 10 );

If you want to disable trash, change the value to 0. Everything will be deleted when you trash an item and you will not be able to restore if you’ve made a mistake.

Another critical item you can adjust in your WP-Config is your memory limit.

By default, your hosting service will set limits on the amount of resources you can use. One important limit is how much memory a WordPress script or process can use.

You will more than likely want to increase this limit if your theme has a demo installer or plugins don’t complete the installation or activation.

define( 'WP_MEMORY_LIMIT', '128M' );

I suggest, and many themes also suggest, that you use 256M.

WordPress can update your website automatically. By default, minor releases are installed automatically, but you may not want this to happen.

You can disable all the auto updates by adding this code:


If you only want to disable the Core update and leave the security updates, add:

# Disables all core updates:
define( 'WP_AUTO_UPDATE_CORE', false );

Or this, to enable Core updates:

# Enables all core updates, including minor and major:
define( 'WP_AUTO_UPDATE_CORE', true );

You can disable the file editor in the Appearance menu, so that no one, not even a user with Administrator privileges, can edit the files from the dashboard.

define( 'DISALLOW_FILE_EDIT', true );

Keep in mind that some plugins may need the file editor to be enabled, so if you notice some plugins are not working right, change the true to false and see if that solves the problem.

There are some other things you can do in your WP-Config but keep in mind that some servers have tighter security and may not allow you to make changes, so keep trying until you can’t.

Also, if you notice that your WP-Config has some items that you didn’t put there, check whether a plugin has modified it. Wordfence sometimes adds items here, as do some caching plugins.
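
One way to spot items you didn’t put there is to compare the constants in the file against a list you keep yourself. The following is an added example, not code from the original article or from any plugin: it lists constants outside that list, constants defined twice (PHP keeps the first value and warns on the second), and the settings discussed above (WP_DEBUG, DISALLOW_FILE_EDIT, EMPTY_TRASH_DAYS, the table prefix). The EXPECTED list, the finding codes and the SAMPLE config are constructed for illustration.

```python
import re

DEFINE_RE = re.compile(r"^\s*define\(\s*'(\w+)'\s*,\s*(.+?)\s*\);", re.M)
PREFIX_RE = re.compile(r"^\s*\$table_prefix\s*=\s*'([^']*)'\s*;", re.M)

def audit(config_text, expected):
    """Return sorted (code, name) findings for a wp-config.php body."""
    findings, seen = set(), {}
    for name, value in DEFINE_RE.findall(config_text):
        if name in seen:
            # PHP keeps the first define() and warns on the second.
            findings.add(("duplicate", name))
        else:
            seen[name] = value.lower()
        if name not in expected:
            findings.add(("unexpected", name))
    if seen.get("WP_DEBUG") == "true":
        findings.add(("debug-on", "WP_DEBUG"))
    if seen.get("DISALLOW_FILE_EDIT") != "true":
        findings.add(("file-editor-enabled", "DISALLOW_FILE_EDIT"))
    if seen.get("EMPTY_TRASH_DAYS") == "0":
        findings.add(("trash-disabled", "EMPTY_TRASH_DAYS"))
    match = PREFIX_RE.search(config_text)
    prefix = match.group(1) if match else ""
    if prefix == "wp_":
        findings.add(("default-prefix", prefix))
    elif not re.fullmatch(r"[A-Za-z0-9_]*_", prefix):
        # Letters, numbers and underscores only, ending in an underscore.
        findings.add(("bad-prefix", prefix))
    return sorted(findings)

# Constructed inputs: the constants the site owner added, and a config
# that a caching plugin has also written to.
EXPECTED = {"DB_NAME", "WP_POST_REVISIONS", "WP_DEBUG", "DISALLOW_FILE_EDIT"}
SAMPLE = """\
define( 'DB_NAME', 'database_name_here' );
define( 'WP_POST_REVISIONS', false );
define( 'WP_POST_REVISIONS', 10 );
define( 'WP_DEBUG', true );
define( 'WP_CACHE', true );
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    for code, name in audit(SAMPLE, EXPECTED):
        print(code, name)
```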