The WordPress architecture makes use of a file named wp-config.php, which contains primary settings such as the database connection settings and error handling. The wp-config.php file does not come with the installation pack; instead, it is automatically created by WordPress during the installation. If your WordPress installation fails with an error, it may be because of incorrect file ownership/permissions which prevent the file from being created.
This article lists some good practices to ensure that your wp-config.php is configured correctly and safely.
Important security tip: when making changes to wp-config.php, you should make a backup, but if you rename it to something like wp-config.bck, the contents of the file (including your database connection) may be viewed by a hacker, because a web server can return a file that does not end in .php as plain text instead of executing it. It is better to rename it to something like wp-config01.php so that it remains an executable .php file.
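One way to check a site for this problem, as an added example that is not code from the original article: the script walks a web root and lists wp-config copies whose names do not end in .php, noting whether each still contains a DB_PASSWORD line. The function name and the assumption that the server hands only .php files to PHP are assumptions of this example.

```python
import os
import sys

def exposed_config_copies(webroot):
    """Return sorted (relative path, has_credentials) tuples for files that
    look like wp-config copies but do not end in .php.

    Assumption: the web server executes only *.php and serves every other
    file as static text, so such a copy can be downloaded as-is.
    has_credentials is None when the file cannot be read by this user.
    """
    results = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            lower = name.lower()
            # wp-config.php and wp-config01.php are fine; wp-config.bck,
            # wp-config.php.bak, wp-config.php~ and editor swap files are not.
            if "wp-config" not in lower or lower.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    has_creds = "DB_PASSWORD" in fh.read()
            except OSError:
                has_creds = None  # unreadable here; check it manually
            results.append((os.path.relpath(path, webroot), has_creds))
    return sorted(results)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, creds in exposed_config_copies(root):
        note = {True: "contains DB_PASSWORD", False: "no DB_PASSWORD found",
                None: "could not be read"}[creds]
        print(f"{rel}: {note}")
```

Run it against the document root of your own site; anything it lists should be renamed to end in .php or moved outside the web root.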
I have also included links to the official WordPress documentation if you need further guidance.
Hard-coding WP_SITEURL and WP_HOME
You can reduce the number of database queries to the wp_options table, and thus reduce load on your server, by adding the following lines which hard-code your domain name in the wp-config.php file:
define( 'WP_SITEURL', 'http://www.fastfwd.co.za' );
define( 'WP_HOME', 'http://www.fastfwd.co.za' );
You will then notice that these settings are greyed out under WordPress Settings, on the General tab.
Disable debugging with WP_DEBUG
You should only enable debugging when you are trying to debug an issue. The following lines turn debugging on; set WP_DEBUG to false once you have finished.
define( 'WP_DISABLE_FATAL_ERROR_HANDLER', true );
define( 'WP_DEBUG', true );
Disable WP_CRON
WordPress includes a built-in PHP function called wp-cron which is used to automatically run maintenance tasks like updating themes and plugins.
The wp-cron function is automatically executed whenever someone accesses the website. This is acceptable when only a small handful of people are accessing the website, but as user demand scales up to dozens of users, this creates an exponential load on the server and eventually degrades performance.
It is therefore best practice to disable wp-cron within WordPress, and enable it on the server as a scheduled task. I wrote a more detailed explanation on how to disable and configure wp-cron.
define('DISABLE_WP_CRON', true);
FORCE_SSL_ADMIN
FORCE_SSL_ADMIN is for when you want to secure logins and the admin area so that both passwords and cookies are never sent in the clear.
define('FORCE_SSL_ADMIN', true);
Force all traffic to HTTPS
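This code snippet is used when forcing all traffic to HTTPS on a site that sits behind a reverse proxy or load balancer: it tells WordPress to treat a request as HTTPS when the proxy sets the X-Forwarded-Proto header to https. Only use it if that header is set by a proxy you control, because clients can send the header themselves.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https'){ $_SERVER['HTTPS'] = 'on'; }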
Disable WordPress core updates
WordPress includes functionality to automatically update your site. If you are confident that automatic updates won’t wreck your site with plugin and theme incompatibilities, then set this to minor.
true – Development, minor, and major updates are all enabled
false – Development, minor, and major updates are all disabled
minor – Minor updates are enabled; development and major updates are disabled
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
Source: https://wordpress.org/documentation/article/configuring-automatic-background-updates/
Restrict memory available to each user
Use this setting carefully. The default memory limit is 32M, but you can increase this to 64M (if you use WooCommerce), or as high as 256M if you have a particularly heavy site (i.e. WooCommerce + LearnDash).
If your users keep reporting an error like “Fatal error: Allowed memory size of 33554432 bytes exhausted” then double the amount of memory allocated.
define( 'WP_MEMORY_LIMIT', '64M');
Warning: if you set this too high (i.e. 256M or 512M) on a low-spec server (i.e. with less than 2GB memory), you run the risk of running into other performance issues.
Note: If you are using shared hosting (which I do not recommend), your web host may have limited this in php.ini, which overrides your setting in WordPress. You would need to negotiate this with your hosting provider.
Restrict memory for administrative functionality
The WordPress admin interface may require more memory than average use. Memory can be increased or decreased from the WP_MEMORY_LIMIT by defining WP_MAX_MEMORY_LIMIT. The default value for this is 256MB.
define( 'WP_MAX_MEMORY_LIMIT', '512M' );
Disable concatenation of scripts
Before HTTP/2 allowed for parallel downloading of resources (called HTTP multiplexing), concatenating scripts was a popular technique to minimise the number of resources downloaded and thus improve website performance.
Concatenating scripts often causes more inexplicable problems than it solves, so my recommended approach is to disable this.
define( 'CONCATENATE_SCRIPTS', false );
Enable file editing using FS_METHOD
If you’re getting an error that says “WordPress Asking for FTP Credentials”, then add the following line to your wp-config.php file:
define('FS_METHOD','direct');
Set the WordPress table prefix
Only modify this if you intend installing multiple WordPress instances on the same database (which in itself is not recommended):
$table_prefix = 'wp_';
REDIS settings
If you have REDIS installed, you will need to add the following lines to enable REDIS.
define('WP_REDIS_PREFIX','YOURDOMAIN');
define('WP_REDIS_HOST', '127.0.0.1');
define('WP_REDIS_SELECTIVE_FLUSH', true);
define('WP_REDIS_DATABASE', 1 );
define( 'WP_CACHE_KEY_SALT', 'YOURDOMAIN');
Database Connection Settings
/** The name of the database for WordPress */
define( 'DB_NAME', 'DATABASENAME' );
/** MySQL database username */
define( 'DB_USER', 'USERNAME' );
/** MySQL database password */
define( 'DB_PASSWORD', 'PASSWORD' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );
/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
Enable advanced cache
This setting enables Advanced Cache, which is used by many file caching plugins.
define( 'WP_CACHE', true);
Disable the Query Monitor plugin without deactivating the plugin
define( 'QM_DISABLED', true );
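A small checker for the security-relevant settings covered in this article (WP_DEBUG, FORCE_SSL_ADMIN, WP_SITEURL/WP_HOME and WP_AUTO_UPDATE_CORE), added here as an example; it is not code from the original article or from WordPress. The function names and the sample configuration are constructed for illustration.

```python
import re

# define( 'NAME', value );  -> captures the constant name and the raw value text
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")

def parse_defines(text):
    """Map each constant to its raw value, skipping commented-out lines."""
    defines = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("//", "#", "/*", "*")):
            continue
        for name, raw in DEFINE_RE.findall(line):
            defines[name] = raw
    return defines

def is_true(raw):
    return raw is not None and raw.lower() == "true"

def audit(text):
    """Return a list of findings for the settings this article covers."""
    d = parse_defines(text)
    findings = []
    if is_true(d.get("WP_DEBUG")):
        findings.append("WP_DEBUG is enabled")
    if not is_true(d.get("FORCE_SSL_ADMIN")):
        findings.append("FORCE_SSL_ADMIN is not true")
    for name in ("WP_SITEURL", "WP_HOME"):
        if d.get(name, "").strip("'\"").lower().startswith("http://"):
            findings.append(f"{name} uses plain http://")
    raw = d.get("WP_AUTO_UPDATE_CORE", "true")
    # A bare word such as minor is an undefined PHP constant, not a string.
    if re.fullmatch(r"[A-Za-z_]\w*", raw) and raw.lower() not in ("true", "false"):
        findings.append(f"WP_AUTO_UPDATE_CORE value {raw} is an unquoted string")
    return findings

# Constructed sample input, not a real site's configuration.
SAMPLE = """\
define( 'WP_SITEURL', 'http://www.example.com' );
define( 'WP_HOME', 'https://www.example.com' );
// define( 'FORCE_SSL_ADMIN', true );
define( 'WP_DEBUG', true );
define( 'WP_AUTO_UPDATE_CORE', minor );
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("[!]", finding)
```

To check a real file, pass its contents to audit(); the parser reads one define() per line and does not evaluate PHP, so conditional or multi-line definitions need a manual look.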