wp-config.php Explained: What It Is and How to Edit It Safely
If you run a WordPress site long enough, you will eventually be told to “edit wp-config.php.” Maybe a plugin’s documentation asks you to add a line. Maybe you are chasing down an “error establishing a database connection.” Maybe you simply want to raise your memory limit. Whatever the reason, wp-config.php is the file that controls how WordPress talks to its database and how dozens of core behaviors are configured — and it deserves to be understood rather than copied from blindly.
This guide walks through exactly what the WordPress config file is, what each setting does, how to edit it without taking your site down, and how to lock it down so it does not become an attacker’s easiest target.
Key Takeaways
• wp-config.php is WordPress’s core configuration file. It holds your database credentials and controls security keys, memory, debugging, and site behavior.
• It lives in the WordPress root directory (the same folder as `wp-load.php` and the `wp-admin` and `wp-includes` folders).
• Always back it up before editing. A single misplaced character can produce a blank white screen across the whole site.
• It contains your database username and password in plain text, so protecting it with strict file permissions and web-access rules is non-negotiable.
• Many problems people fix with plugins can be solved with one line here — memory limits, debug logging, forced SSL, and more.
This file is part of running WordPress well, which is why it belongs inside the broader picture of the complete guide to WordPress hosting, speed, security, and care.
What is wp-config.php and where does it live?
wp-config.php is the PHP file WordPress reads first to learn how to connect to its database and how to configure itself. Without it, WordPress cannot start — which is why a fresh download ships with `wp-config-sample.php` and the famous five-minute install simply renames and fills in that sample.
You will find it in the WordPress root directory: the top-level folder of your installation. On most hosts that is something like `public_html/` or `www/`, and it sits alongside these familiar items:
```text
public_html/
├── wp-admin/
├── wp-includes/
├── wp-content/
├── index.php
├── wp-load.php
├── .htaccess
└── wp-config.php   ← here
```
Because it is plain PHP, you can open it in any text editor. But because it controls everything from your database connection to your security salts, you should treat every edit with care.
What does wp-config.php actually contain?
The file is a sequence of PHP `define()` statements and a couple of variables. Here are the parts you will run into most often.
Database settings. These four lines are the heart of the file. They tell WordPress which database to use and how to authenticate against it:
```php
define( 'DB_NAME', 'my_wordpress_db' );
define( 'DB_USER', 'wp_dbuser' );
define( 'DB_PASSWORD', 'a-long-strong-password' );
define( 'DB_HOST', 'localhost' );
```
`DB_NAME` is the database name, `DB_USER` and `DB_PASSWORD` are the credentials, and `DB_HOST` is where the database server lives — usually `localhost`, though some hosts use a specific hostname or `127.0.0.1:3306`.
Authentication unique keys and salts. These long random strings strengthen the cookies WordPress uses to keep you logged in. They make stored session tokens far harder to forge:
```php
define( 'AUTH_KEY',         'put-a-long-random-string-here' );
define( 'SECURE_AUTH_KEY',  'another-long-random-string' );
define( 'LOGGED_IN_KEY',    'and-another-one' );
define( 'NONCE_KEY',        'yet-another' );
define( 'AUTH_SALT',        'more-randomness' );
define( 'SECURE_AUTH_SALT', 'still-more' );
define( 'LOGGED_IN_SALT',   'keep-going' );
define( 'NONCE_SALT',       'last-one' );
```
WordPress provides an official generator that produces fresh values for these. Regenerating them invalidates every existing login session, which is exactly what you want after a security scare.
Table prefix. This variable prefixes every database table name. The default is `wp_`:
```php
$table_prefix = 'wp_';
```
Debug settings. `WP_DEBUG` controls whether WordPress shows PHP notices and errors. Paired with `WP_DEBUG_LOG` and `WP_DEBUG_DISPLAY`, you can log problems quietly instead of printing them to visitors:
```php
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );      // writes to wp-content/debug.log
define( 'WP_DEBUG_DISPLAY', false ); // hide errors from visitors
```
Memory limit. When a site throws “allowed memory size exhausted,” this is often the fix:
```php
define( 'WP_MEMORY_LIMIT', '256M' );
```
Site URLs. These override the URLs stored in the database, which is useful during migrations or when an address change has locked you out:
```php
define( 'WP_HOME', 'https://example.com' );
define( 'WP_SITEURL', 'https://example.com' );
```
One detail to remember: anything you add must go above the line that reads `/* That's all, stop editing! Happy publishing. */`. Definitions placed after it are ignored.
A quick reference table of common settings
Here is a compact map of the settings you are most likely to touch, and what each one is for.
| Setting | Purpose |
|---|---|
| `DB_NAME` | Name of the MySQL/MariaDB database WordPress uses |
| `DB_USER` | Database username WordPress logs in with |
| `DB_PASSWORD` | Password for that database user (plain text) |
| `DB_HOST` | Database server address, usually `localhost` |
| `$table_prefix` | Prefix added to every database table name |
| `AUTH_KEY` / salts | Random strings that secure login cookies and sessions |
| `WP_DEBUG` | Turns error reporting and logging on or off |
| `WP_MEMORY_LIMIT` | Maximum memory PHP may use for WordPress |
| `WP_HOME` / `WP_SITEURL` | Override the site’s stored front-end and admin URLs |
| `DISALLOW_FILE_EDIT` | Disables the built-in theme/plugin code editor |
| `FORCE_SSL_ADMIN` | Forces the admin area to load over HTTPS |
How do you edit wp-config.php safely?
There is no WordPress dashboard screen for this file — and that is by design. You edit it through file access, not the admin area.
Reach the file with one of two methods:
- SFTP/FTP. Connect with a client, navigate to the root directory, and download a copy.
- cPanel File Manager (or your host’s equivalent). Open the file manager, find the root folder, and use the built-in editor.
Then follow three rules every single time:
- Back it up first. Before changing anything, download or copy the original to a safe name like `wp-config-backup.php`. This is the most important habit in this entire article. If an edit breaks the site, you restore the backup and you are back online in seconds.
- Mind the syntax. This is PHP. Every statement ends in a semicolon, strings need matching quotes, and a stray character can crash the whole site. Copy lines carefully and change only what you intend to.
- Save and test immediately. Reload the front end and the admin after every change so you know precisely which edit caused a problem if one appears.
What are the most common wp-config.php tasks?
Most people open this file for one of a handful of reasons. Here are the practical ones.
Fix “error establishing a database connection.” This message almost always means WordPress cannot authenticate against the database. Check that `DB_NAME`, `DB_USER`, `DB_PASSWORD`, and `DB_HOST` exactly match what your host shows in its control panel. A single wrong character in the password is enough to trigger it.
Increase the memory limit. Add or raise this line when you hit memory exhaustion errors:
```php
define( 'WP_MEMORY_LIMIT', '256M' );
```
Enable debug logging. When something misbehaves, turn on logging without exposing errors to visitors:
```php
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );
define( 'WP_DEBUG_DISPLAY', false );
```
Then read `wp-content/debug.log` to see what is failing. Turn `WP_DEBUG` back to `false` when you are done.
Change the table prefix. A non-default prefix is a minor hardening step. Changing it on an existing site also requires renaming the tables and updating a couple of stored values, so it is not a one-line change once content exists — plan for it.
Disable the file editor. WordPress lets administrators edit theme and plugin code from the dashboard. If an account is compromised, that editor becomes a code-injection tool. Disable it:
```php
define( 'DISALLOW_FILE_EDIT', true );
```
Force SSL on the admin area. Ensure the dashboard always loads over HTTPS:
```php
define( 'FORCE_SSL_ADMIN', true );
```
Move the file for security. WordPress will look one directory above the root for wp-config.php if it is not in the root. Moving it up a level on a single-site install can place it outside the web-accessible folder entirely — a small but meaningful win.
The single most important thing to internalize about wp-config.php is its duality: it is simultaneously the most powerful and the most sensitive file in a WordPress install, and treating it as only one of those is where people get hurt. On the power side, a few lines here govern the database connection, the security salts, memory, debugging, URLs, and dozens of behaviors — which means a surprising number of problems people install plugins to solve can be fixed with a single line in this file. On the sensitive side, it stores your database username and password in plain text; anyone who can read this file can read or destroy your entire database. That duality dictates two non-negotiable habits. First, back it up before every edit, because one syntax error takes the whole site down with a white screen. Second, lock it down with strict permissions and denied web access, because it is the master key to your site. Guard it like a master key, and edit it like you are defusing something — calmly, deliberately, and with a way to undo.
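The settings covered in this section can be checked mechanically before an edited file goes live. The following is an added example, not code from this article or from WordPress: `audit_settings`, its finding messages, and the sample input are hypothetical and constructed for illustration.

```python
import re

# Matches define( 'NAME', value ); capturing NAME and the raw value text.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")
KEYS = [f"{p}_{s}" for s in ("KEY", "SALT")
        for p in ("AUTH", "SECURE_AUTH", "LOGGED_IN", "NONCE")]
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php

def audit_settings(php_source):
    """Return findings for the text of one wp-config.php (hypothetical helper)."""
    findings, active, past_marker = [], {}, False
    for line in php_source.splitlines():
        past_marker = past_marker or "stop editing" in line
        m = DEFINE_RE.search(line)
        if not m or line.lstrip().startswith(("//", "#", "/*", "*")):
            continue  # not a define(), or a commented-out one
        if past_marker:
            findings.append(f"{m.group(1)} is defined below the stop-editing line")
        else:
            active[m.group(1)] = m.group(2).strip("'\"").lower()
    # WP_DEBUG_DISPLAY defaults to on, so it must be set to false explicitly.
    if active.get("WP_DEBUG") == "true" and active.get("WP_DEBUG_DISPLAY") != "false":
        findings.append("WP_DEBUG is on and errors are shown to visitors")
    for name in ("DISALLOW_FILE_EDIT", "FORCE_SSL_ADMIN"):
        if active.get(name) != "true":
            findings.append(f"{name} is not enabled")
    weak = [k for k in KEYS if active.get(k, PLACEHOLDER) == PLACEHOLDER]
    if weak:
        findings.append(f"{len(weak)} of 8 keys/salts missing or still the sample value")
    return findings

# Constructed sample input, not taken from any real site.
SAMPLE = """<?php
define( 'DB_NAME', 'my_wordpress_db' );
define( 'AUTH_KEY', 'put your unique phrase here' );
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );
define( 'DISALLOW_FILE_EDIT', true );
/* That's all, stop editing! Happy publishing. */
define( 'FORCE_SSL_ADMIN', true );
"""

if __name__ == "__main__":
    for finding in audit_settings(SAMPLE):
        print("-", finding)
```

In the sample, `FORCE_SSL_ADMIN` is reported twice: once because it sits below the marker line, and once because that placement means it is not in effect.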
How do you secure wp-config.php?
Because this file holds your database password, protecting it is part of basic site hygiene. Three measures cover most of the risk.
Set correct file permissions. The file should be readable by the web server but locked down otherwise. A permission of `600` (owner read/write only) or `640` is appropriate on most setups:
```bash
chmod 640 wp-config.php
```
Avoid `777` or world-readable permissions — they let other accounts on a shared server read your credentials.
Deny web access via .htaccess. On Apache, add a block to your root `.htaccess` so the file can never be served over HTTP, even if PHP processing fails:
Move it one level up. As noted earlier, relocating wp-config.php to the directory above the WordPress root (on single-site installs) keeps it out of the publicly served folder. WordPress finds it automatically.
Together these steps mean that even if some other layer fails, your database credentials are not casually exposed. Security at this level pairs well with broader and a habit of regular backups.
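The three measures above can be verified together. This is an added example, not code from this article: `exposure_findings` and `demo` are hypothetical helpers, the install they run against is constructed in a temporary directory, and the rule text in `DENY_RULE` is the usual Apache 2.4 form, which is an assumption since no rule is shown above.

```python
import os, re, stat, tempfile

# Apache 2.4 form of the deny block (assumed here; Apache 2.2 used "Deny from all").
DENY_RULE = '<Files "wp-config.php">\n    Require all denied\n</Files>\n'
FILES_BLOCK = re.compile(r'<Files\s+"?wp-config\.php"?\s*>(.*?)</Files>', re.S | re.I)
DENY = re.compile(r"Require\s+all\s+denied|Deny\s+from\s+all", re.I)

def exposure_findings(docroot):
    """Check permissions and web exposure for one install (hypothetical helper)."""
    findings = []
    cfg = os.path.join(docroot, "wp-config.php")
    served = os.path.exists(cfg)
    if not served:  # relocated copy: one directory above the WordPress root
        cfg = os.path.join(os.path.dirname(os.path.abspath(docroot)), "wp-config.php")
    mode = stat.S_IMODE(os.stat(cfg).st_mode)
    if mode & 0o137:  # any permission bit beyond rw-r----- (640)
        findings.append(f"mode {mode:03o} is looser than 640")
    if served:  # only a file inside the served folder needs the .htaccess rule
        try:
            with open(os.path.join(docroot, ".htaccess"), encoding="utf-8") as fh:
                rules = fh.read()
        except FileNotFoundError:
            rules = ""
        if not any(DENY.search(body) for body in FILES_BLOCK.findall(rules)):
            findings.append("no .htaccess deny rule covers wp-config.php")
    return findings

def demo():
    """Audit a constructed install, apply the fixes from the text, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "public_html")
        os.mkdir(root)
        cfg = os.path.join(root, "wp-config.php")
        with open(cfg, "w", encoding="utf-8") as fh:
            fh.write("<?php // constructed placeholder, no real credentials\n")
        os.chmod(cfg, 0o644)  # world-readable on purpose
        before = exposure_findings(root)
        os.chmod(cfg, 0o640)
        with open(os.path.join(root, ".htaccess"), "w", encoding="utf-8") as fh:
            fh.write(DENY_RULE)
        return before, exposure_findings(root)

if __name__ == "__main__":
    print(demo())
```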
Configure WordPress with confidence on DarazHost
DarazHost makes working with wp-config.php safe and easy. You get secure file access through SFTP or the cPanel File Manager, automatic backups so a single edit can never permanently break your site, correct default file permissions out of the box, and one-click WordPress that sets the configuration up properly from the start. Whether you are fixing a database connection, raising a memory limit, or hardening your install, you can manage your WordPress configuration with confidence — backed by 24/7 support whenever you need a second set of eyes.
How does wp-config.php fit into the bigger WordPress picture?
Think of wp-config.php as the bridge between WordPress’s code and its data. The PHP files in `wp-admin` and `wp-includes` are the engine; the database holds your posts, settings, and users; and this one file is where the two are introduced to each other and tuned. That is why it appears in so many troubleshooting guides — when the connection breaks or behavior needs adjusting, this is the lever you reach for.
It also explains why hosting quality matters here. Good hosting gives you a modern PHP version, sensible default limits, and easy file access, so the edits described above are quick and low-risk rather than fragile. And when a database connection genuinely fails despite correct credentials, the cause is often server-side — which is where your host’s support comes in.
Frequently asked questions
Where exactly is wp-config.php located? In the WordPress root directory — the top-level folder of your install, usually `public_html/` or `www/`. It sits next to `wp-load.php` and the `wp-admin`, `wp-includes`, and `wp-content` folders. On a brand-new download it does not exist yet; WordPress creates it from `wp-config-sample.php` during installation.
Can I edit wp-config.php from the WordPress dashboard? No. There is no admin screen for it, deliberately. You edit it through SFTP/FTP or your host’s File Manager. Always download a backup copy before making changes so you can restore it instantly if something breaks.
I added a line and now my site shows a blank white screen — what happened? You almost certainly introduced a PHP syntax error: a missing semicolon, an unmatched quote, or a line placed after “stop editing.” Restore your backup, or carefully re-check the line you added. This is exactly why backing up first is the rule, not the suggestion.
Is it safe that my database password sits in wp-config.php as plain text? It is normal — WordPress needs the password readable to connect. Safety comes from protecting the file: set permissions to `640` or `600`, deny web access with an `.htaccess` rule, and optionally move the file one level above the web root. Done together, these keep the plain-text credentials out of reach.
What is the difference between wp-config.php and wp-config-sample.php? `wp-config-sample.php` is the template that ships with WordPress, full of placeholder values. During installation it is copied to `wp-config.php` and filled in with your real database details. The sample file is harmless to leave in place, but only `wp-config.php` is actually loaded.