Phase 1 — Module 1.5: wp-config.php Deep Dive

What is wp-config.php?

wp-config.php is the master configuration file of your WordPress installation. It is the first meaningful file WordPress loads on every request. It tells WordPress:

  • How to connect to the database
  • How to behave in the current environment
  • What security keys to use
  • Where files are located
  • Whether to show errors or not

It lives in the WordPress root directory — same level as index.php.


Complete wp-config.php — Section by Section

Let us go through every section of this file in detail.


Section 1 — Database Settings

This is the most critical section. Without correct database credentials, WordPress cannot run at all.

define('DB_NAME',     'streamvault');
define('DB_USER',     'root');
define('DB_PASSWORD', '');
define('DB_HOST',     'localhost');
define('DB_CHARSET',  'utf8mb4');
define('DB_COLLATE',  '');

| Constant | What it means |
|---|---|
| DB_NAME | The name of your MySQL database |
| DB_USER | MySQL username |
| DB_PASSWORD | MySQL password |
| DB_HOST | Database server address (almost always localhost) |
| DB_CHARSET | Character set — always use utf8mb4 (supports emojis & all languages) |
| DB_COLLATE | Collation — leave empty, WordPress sets it automatically |

In LocalWP, these are automatically configured. You will see real credentials already filled in.


Section 2 — Security Keys & Salts

define('AUTH_KEY',         'x#K2m@...long random string...');
define('SECURE_AUTH_KEY',  'x#K2m@...long random string...');
define('LOGGED_IN_KEY',    'x#K2m@...long random string...');
define('NONCE_KEY',        'x#K2m@...long random string...');
define('AUTH_SALT',        'x#K2m@...long random string...');
define('SECURE_AUTH_SALT', 'x#K2m@...long random string...');
define('LOGGED_IN_SALT',   'x#K2m@...long random string...');
define('NONCE_SALT',       'x#K2m@...long random string...');

These are random strings used to encrypt cookies and security tokens. WordPress uses them to:

  • Encrypt login cookies so they cannot be forged
  • Generate nonces (security tokens for forms and AJAX)
  • Secure password reset links

Important rules:

  • Each key must be unique and completely random
  • They should be at least 60 characters long
  • Never share these publicly (do not commit wp-config.php to GitHub)
  • You can regenerate them anytime — all logged-in users will be logged out

Generate fresh keys here: https://api.wordpress.org/secret-key/1.1/salt/
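
The rules above can be checked mechanically, and the keys can also be generated offline. The following is an added example, not part of the original tutorial or of WordPress: a Python script that builds the eight define() lines from the operating system's CSPRNG and checks an existing key section for missing, short or duplicated values. The function names and the 64-character default are assumptions made for illustration.

```python
import re
import secrets
import string

KEY_NAMES = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]
# Printable characters minus the two that would break a PHP single-quoted string.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\\")
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)\s*;")


def generate_key_block(length=64):
    """Return eight define() lines, each with an independent CSPRNG value."""
    lines = []
    for name in KEY_NAMES:
        value = "".join(secrets.choice(ALPHABET) for _ in range(length))
        lines.append(f"define('{name}', '{value}');")
    return "\n".join(lines)


def check_keys(config_text, min_length=60):
    """Check the key section against the rules above; return a list of problems."""
    found = {n: v for n, v in DEFINE_RE.findall(config_text) if n in KEY_NAMES}
    problems = []
    for name in KEY_NAMES:
        value = found.get(name)
        if value is None:
            problems.append(f"{name}: missing")
        elif len(value) < min_length:
            problems.append(f"{name}: shorter than {min_length} characters")
    values = list(found.values())
    if len(set(values)) != len(values):
        problems.append("two or more keys share the same value")
    return problems


# Constructed sample: a template config whose placeholders were never replaced.
PLACEHOLDER_CONFIG = "\n".join(
    f"define('{name}', 'generate-from-wordpress-api');" for name in KEY_NAMES
)

if __name__ == "__main__":
    print(check_keys(PLACEHOLDER_CONFIG))    # placeholders fail every rule
    print(check_keys(generate_key_block()))  # freshly generated keys pass
```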


Section 3 — Database Table Prefix

$table_prefix = 'wp_';

This prefix is added to the beginning of every WordPress database table name.

With wp_ prefix, your tables look like:

wp_posts
wp_users
wp_options
wp_postmeta

Why change it?

The default wp_ prefix is a security risk. Automated SQL injection attacks often target wp_users and wp_options by name. Changing the prefix makes these attacks harder.

$table_prefix = 'sv_';

Now your tables become:

sv_posts
sv_users
sv_options
sv_postmeta

Important: Only change this before installation. Changing it after installation breaks everything unless you also rename all tables in the database.


Section 4 — Debug Settings

This is the section you will use most during development.

define('WP_DEBUG', true);
define('WP_DEBUG_LOG', true);
define('WP_DEBUG_DISPLAY', false);
define('SCRIPT_DEBUG', true);

| Constant | Purpose |
|---|---|
| WP_DEBUG | Master switch — enables error reporting |
| WP_DEBUG_LOG | Saves all errors to wp-content/debug.log file |
| WP_DEBUG_DISPLAY | Shows errors on screen (set false in production) |
| SCRIPT_DEBUG | Loads unminified JS and CSS (easier to debug) |

Development config — use this locally:

define('WP_DEBUG', true);
define('WP_DEBUG_LOG', true);
define('WP_DEBUG_DISPLAY', true);
define('SCRIPT_DEBUG', true);

Production config — use this on live server:

define('WP_DEBUG', false);
define('WP_DEBUG_LOG', false);
define('WP_DEBUG_DISPLAY', false);
define('SCRIPT_DEBUG', false);

Never leave WP_DEBUG_DISPLAY as true on a live site — it exposes your file paths, database details, and code structure to the public.


Section 5 — URLs and Paths

You can hardcode your WordPress URLs to prevent issues with redirects and migrations:

define('WP_HOME',    'https://streamvault.local');
define('WP_SITEURL', 'https://streamvault.local');

| Constant | What it controls |
|---|---|
| WP_HOME | The URL visitors use to access your site |
| WP_SITEURL | The URL where WordPress core files are located |

In most setups these are the same. They are also stored in the database (wp_options table) but defining them in wp-config.php overrides the database values — useful when migrating between environments.


Section 6 — WordPress Content Directory

By default WordPress looks for wp-content/ inside the root. You can move it:

define('WP_CONTENT_DIR', dirname(__FILE__) . '/app');
define('WP_CONTENT_URL', 'https://streamvault.local/app');

This is an advanced technique for custom server setups. For now leave this at default.


Section 7 — Memory Limit

WordPress has a default PHP memory limit. You can increase it:

define('WP_MEMORY_LIMIT', '256M');
define('WP_MAX_MEMORY_LIMIT', '512M');

| Constant | Purpose |
|---|---|
| WP_MEMORY_LIMIT | Memory available to WordPress frontend |
| WP_MAX_MEMORY_LIMIT | Memory available to WordPress admin panel |

If you ever see an "Allowed memory size exhausted" error, increase this value.


Section 8 — Auto Updates

define('WP_AUTO_UPDATE_CORE', false);
define('AUTOMATIC_UPDATER_DISABLED', true);

| Constant | Purpose |
|---|---|
| WP_AUTO_UPDATE_CORE | Controls automatic WordPress core updates |
| AUTOMATIC_UPDATER_DISABLED | Disables all automatic updates completely |

Options for WP_AUTO_UPDATE_CORE:

// Choose one of these lines; a constant can only be defined once.
define('WP_AUTO_UPDATE_CORE', true);    // Update to all releases
define('WP_AUTO_UPDATE_CORE', false);   // Never auto update
define('WP_AUTO_UPDATE_CORE', 'minor'); // Only minor security updates

Section 9 — File Editing

By default, WordPress has a built-in code editor in the admin panel (Appearance → Theme Editor). This is a security risk — if someone gains admin access, they can inject malicious code directly.

define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true);

| Constant | Purpose |
|---|---|
| DISALLOW_FILE_EDIT | Disables the theme & plugin editor in admin |
| DISALLOW_FILE_MODS | Disables ALL file modifications including plugin/theme installs |

Use DISALLOW_FILE_EDIT on production always. Use DISALLOW_FILE_MODS only on very locked-down production servers.


Section 10 — Post Revisions & Trash

define('WP_POST_REVISIONS', 5);
define('EMPTY_TRASH_DAYS', 7);
define('AUTOSAVE_INTERVAL', 120);

| Constant | Purpose |
|---|---|
| WP_POST_REVISIONS | How many revisions to keep per post (false = disable) |
| EMPTY_TRASH_DAYS | Days before trash is auto-emptied |
| AUTOSAVE_INTERVAL | Seconds between auto-saves in editor |

On large sites with lots of content, unlimited revisions bloat the wp_posts table significantly. Setting a limit keeps the database clean.


Section 11 — Cron

define('DISABLE_WP_CRON', true);

When set to true, WordPress will not auto-trigger cron on page load. You would then set up a real server cron job:

*/5 * * * * curl -s "https://yoursite.com/wp-cron.php?doing_wp_cron" > /dev/null 2>&1

This is the recommended approach for high-traffic production sites. On local development, leave DISABLE_WP_CRON as false (default).


Section 12 — SSL

define('FORCE_SSL_ADMIN', true);

Forces the admin panel to always use HTTPS. Always set this to true on production.


Complete wp-config.php for Development

Here is a clean, well-organized wp-config.php for local development:

<?php

define('DB_NAME',     'streamvault');
define('DB_USER',     'root');
define('DB_PASSWORD', '');
define('DB_HOST',     'localhost');
define('DB_CHARSET',  'utf8mb4');
define('DB_COLLATE',  '');

define('AUTH_KEY',         'generate-from-wordpress-api');
define('SECURE_AUTH_KEY',  'generate-from-wordpress-api');
define('LOGGED_IN_KEY',    'generate-from-wordpress-api');
define('NONCE_KEY',        'generate-from-wordpress-api');
define('AUTH_SALT',        'generate-from-wordpress-api');
define('SECURE_AUTH_SALT', 'generate-from-wordpress-api');
define('LOGGED_IN_SALT',   'generate-from-wordpress-api');
define('NONCE_SALT',       'generate-from-wordpress-api');

$table_prefix = 'sv_';

define('WP_DEBUG',         true);
define('WP_DEBUG_LOG',     true);
define('WP_DEBUG_DISPLAY', true);
define('SCRIPT_DEBUG',     true);

define('WP_MEMORY_LIMIT',     '256M');
define('WP_MAX_MEMORY_LIMIT', '512M');

define('WP_POST_REVISIONS',  5);
define('EMPTY_TRASH_DAYS',   7);
define('AUTOSAVE_INTERVAL',  120);

define('WP_AUTO_UPDATE_CORE', false);

if (!defined('ABSPATH')) {
    define('ABSPATH', __DIR__ . '/');
}

require_once ABSPATH . 'wp-settings.php';

Complete wp-config.php for Production

<?php

define('DB_NAME',     'your_production_db');
define('DB_USER',     'your_db_user');
define('DB_PASSWORD', 'your_strong_password');
define('DB_HOST',     'localhost');
define('DB_CHARSET',  'utf8mb4');
define('DB_COLLATE',  '');

define('AUTH_KEY',         'generate-from-wordpress-api');
define('SECURE_AUTH_KEY',  'generate-from-wordpress-api');
define('LOGGED_IN_KEY',    'generate-from-wordpress-api');
define('NONCE_KEY',        'generate-from-wordpress-api');
define('AUTH_SALT',        'generate-from-wordpress-api');
define('SECURE_AUTH_SALT', 'generate-from-wordpress-api');
define('LOGGED_IN_SALT',   'generate-from-wordpress-api');
define('NONCE_SALT',       'generate-from-wordpress-api');

$table_prefix = 'sv_';

define('WP_DEBUG',         false);
define('WP_DEBUG_LOG',     false);
define('WP_DEBUG_DISPLAY', false);
define('SCRIPT_DEBUG',     false);

define('WP_HOME',    'https://yourdomain.com');
define('WP_SITEURL', 'https://yourdomain.com');

define('WP_MEMORY_LIMIT',     '256M');
define('WP_MAX_MEMORY_LIMIT', '512M');

define('WP_POST_REVISIONS',  5);
define('EMPTY_TRASH_DAYS',   7);
define('AUTOSAVE_INTERVAL',  120);

define('WP_AUTO_UPDATE_CORE',      'minor');
define('DISALLOW_FILE_EDIT',       true);
define('FORCE_SSL_ADMIN',          true);
define('DISABLE_WP_CRON',          true);

if (!defined('ABSPATH')) {
    define('ABSPATH', __DIR__ . '/');
}

require_once ABSPATH . 'wp-settings.php';
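
A development config that reaches a live server by mistake is the failure this split between the two files is meant to prevent. The following is an added example, not part of the original tutorial or of WordPress: a Python check that reads a wp-config.php and reports every setting that contradicts the production guidance given on this page. The function names and the sample config are constructed for illustration.

```python
import re

DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(true|false|\d+|'[^']*'|"[^"]*")\s*\)""", re.I)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")
# Constant -> value the page requires on a live server.
REQUIRED = {"WP_DEBUG": False, "WP_DEBUG_DISPLAY": False,
            "DISALLOW_FILE_EDIT": True, "FORCE_SSL_ADMIN": True}


def parse_config(text):
    """Return ({constant: value}, table_prefix), ignoring commented-out lines."""
    constants, prefix = {}, None
    for line in text.splitlines():
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue
        for name, raw in DEFINE_RE.findall(line):
            value = raw.lower() == "true" if raw.lower() in ("true", "false") else raw.strip("'\"")
            constants.setdefault(name, value)  # PHP keeps the first define()
        match = PREFIX_RE.search(line)
        if match:
            prefix = match.group(1)
    return constants, prefix


def audit_production(text):
    """List settings that contradict the production guidance on this page."""
    constants, prefix = parse_config(text)
    findings = []
    for name, wanted in REQUIRED.items():
        actual = constants.get(name)
        if actual is None and wanted:
            findings.append(f"{name} is not defined (should be true)")
        elif actual is not None and actual is not wanted:
            findings.append(f"{name} is {actual!r}, should be {wanted!r}")
    if prefix == "wp_":
        findings.append("$table_prefix is still the default 'wp_'")
    return findings


# Constructed sample: a development config that was deployed to a live server.
SAMPLE = """<?php
define('WP_DEBUG',         true);
define('WP_DEBUG_DISPLAY', true);
// define('DISALLOW_FILE_EDIT', true);
define('FORCE_SSL_ADMIN',  true);
$table_prefix = 'wp_';
"""
```

Calling audit_production(SAMPLE) returns four findings; run against the production file above, it returns an empty list.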

One Critical Rule — Never Commit wp-config.php to Git

wp-config.php contains your database credentials and secret keys. It must always be in your .gitignore:

# .gitignore
wp-config.php
wp-content/debug.log
wp-content/uploads/

In a team or production environment, you maintain a wp-config-sample.php with empty values and each developer fills in their own credentials locally.


Summary

  • wp-config.php is the master configuration file — database, security, debug, URLs.
  • Always use utf8mb4 for DB_CHARSET — it supports all languages and emojis.
  • Change $table_prefix from wp_ to something custom before installation for security.
  • Use WP_DEBUG true locally, always false on production.
  • WP_DEBUG_LOG saves errors to wp-content/debug.log — very useful during development.
  • Never commit wp-config.php to Git — it contains sensitive credentials.
  • DISALLOW_FILE_EDIT true should always be set on production servers.

