Configure wp-config.php

The WordPress architecture makes use of a file named wp-config.php which contains primary settings like the database connection settings, how error handling etc. The wp-config.php file does not come with the installation pack, instead, it is automatically created by WordPress during the installation. If your WordPress installation fails with an error, it may be because of incorrect file ownership/permissions which prevents the file from being created.

This article lists some good practices to ensure that your wp-config.php is configured correctly and safely.

Important security tip: when making changes to wp-config.php, you should make a backup, but if you rename it to something like wp-config.bck, the contents of the file (including your database connection) may be viewed by a hacker. It is better that you rename to something like wp-config01.php so that it remains an executable .php file.

I have also included links to the official WordPress documentation if you need further guidance.

Hard-coding WP_SITEURL and WP_HOME

You can reduce the number of database queries to the wp_options table and thus reduce load on your server by adding the following lines which hard-code your domain name in the wp-config.php file:

define( 'WP_SITEURL', '' );
define( 'WP_HOME', '' );

You will then notice that under WordPress Settings, the General tab, that your settings are greyed out:

Disable debugging with WP_DEBUG

You should only enable debugging when you are trying to debug an issue.

define( 'WP_DEBUG', true );

Disable WP_CRON

WordPress includes a built-in PHP function called wp-cron which is used to automatically run maintenance tasks like updating themes and plugins.

The wp-cron function is automatically executed whenever someone accesses the website. This is acceptable when only a small handful of people are accessing the website, but as user demand scales up to dozens of users, this create an exponential load on the server and eventually degrades performance.

It is therefore best-practice to disable wp-cron within WordPress, and enable it on the server as a scheduled task. I wrote a more detailed explanation on how-to disable and configure wp-cron.

define('DISABLE_WP_CRON', true);


FORCE_SSL_ADMIN is for when you want to secure logins and the admin area so that both passwords and cookies are never sent in the clear.

define('FORCE_SSL_ADMIN', true);

Force all traffic to HTTPS

This code snippet forces all traffic to upgrade from HTTP to HTTPS.


Disable WordPress core updates

WordPress includes functionality to automatically update your site. If you are confident that automatic updates won’t wreck your site with plugin and theme incompatibilities, then set this to minor.

  • true – Development, minor, and major updates are all enabled
  • false – Development, minor, and major updates are all disabled
  • minor – Minor updates are enabled, development, and major updates are disabled
define( 'WP_AUTO_UPDATE_CORE', minor );


Restrict memory available to each user

Use this setting carefully. The default memory limit is 32M, but you can increase this to 64M (if you use Woocommerce), or as high as 256M if you have a particularly heavy site (ie. Woocommerce + Learndash).

If your users keep reporting an error like “Fatal error: Allowed memory size of 33554432 bytes exhausted” then double the amount of memory allocated.

define( 'WP_MEMORY_LIMIT', '64M');

Warning: if you set this too high (ie. 256M or 512M) on a low-spec server (ie. with less than 2GB memory), you run the risk of running into other performance issues.

Note: If you are using shared hosting (which I do not recommend), your web host may have limited this in PHP.ini, which overrides your setting in WordPress. You would need to negotiate this with your hosting provider.

Restrict memory for administrative functionality

The WordPress admin interface may require may require more memory than the average use. Memory can be increased or decreased from the WP_MEMORY_LIMIT by defining WP_MAX_MEMORY_LIMIT. The default value for this is 256MB.

define( 'WP_MAX_MEMORY_LIMIT', '512M' );

Disable concatenation of scripts

Before HTTP/2 allowed for parallel downloading of resources (called HTTP multiplexing), concatenating scripts was a popular technique to minimise the number of resources downloaded and thus improve website performance.

Concatenating scripts often causes more inexplicable problems that it solves, so my recommended approach is to disable this.

define( 'CONCATENATE_SCRIPTS', false ); 

Enable file editing using FS_METHOD

If you’re getting an error that says “WordPress Asking for FTP Credentials”, then add the following line to your wp-config.php file:


Set the WordPress table prefix

Only modify this if you intend installing multiple WordPress instances on the same database (which in itself not recommended):

$table_prefix = 'wp_';

REDIS settings

If you have REDIS installed, you will need to add the following lines to enable REDIS.

define('WP_REDIS_HOST', '');
define('WP_REDIS_DATABASE', 1 );

Database Connection Settings

/** The name of the database for WordPress */
define( 'DB_NAME', 'DATABASENAME' );

/** MySQL database username */
define( 'DB_USER', 'USERNAME' );

/** MySQL database password */
define( 'DB_PASSWORD', 'PASSWORD' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

Enable advanced cache

This setting enables Advanced Cache, which is used by many file caching plugins.

define( 'WP_CACHE', true);

Disable the Query Monitor plugin without deactivating the plugin

define( 'QM_ENABLE_CAPS_PANEL', true );