WordPress: Super useful WP-config tips

The wp-config.php file is the heart of your WordPress website, where you can define a wide variety of options to control how your WordPress install works. Today, I'm sharing with you a list of super easy tips to take more control of your site using wp-config.php.


Keeping your database and site size small

On large websites, keeping your database small in size can be a challenge. WordPress tends to store a lot of data in your db, like transients or post revisions.

You can easily limit post revisions to a number of your choice (3 in this example) by adding the following in your wp-config.php file:

define('WP_POST_REVISIONS', 3);

If you don’t feel like using the post revision feature at all, you can simply disable it:

define( 'WP_POST_REVISIONS', false );

Also, WordPress stores in the database posts, pages, attachments and comments which have been moved to trash. You can control the number of days it will stay in the trash before being completely deleted. The default is set to 30, but I’ve set it to 1 in this example.

define( 'EMPTY_TRASH_DAYS', 1 );

By default, WordPress creates a new set of images every time you edit an image and when you restore the original, it leaves all the edits on the server. Defining IMAGE_EDIT_OVERWRITE as true changes this behavior.

define( 'IMAGE_EDIT_OVERWRITE', true );


If your web hosting plan supports SSL, you should definitely use that feature to add an extra layer of security to your site. Via wp-config.php, WordPress makes it easy to force SSL logins:

define('FORCE_SSL_LOGIN', true);

And same goes with the admin area of your site:

define('FORCE_SSL_ADMIN', true);

Secret keys are making your site harder to hack by adding random elements to the password. There are currently 4 secret keys and 4 salts that can be defined. To generate unique and secure secret keys, just use this handy generator. Don’t use those below!

define( 'AUTH_KEY',         't`DK%X:oxy|e-Z(BXb/f(Ur`8#~UzUQG-^_Cs_GHs5U-&Wb?pgn^p8(2@}IcnCa|' );
define( 'SECURE_AUTH_KEY',  'D&ovlU#|CvJ##uNq}bel+^MFtT&.b9{UvR]g%ixsXhGlRJ7q!h}XWdEC[BOKXssj' );
define( 'LOGGED_IN_KEY',    'MGKi8Br(&{H*~&0s;{k0tS(O:+f#WM+q|npJ-+P;RDKT:~jrmgj#/-,[hOBk!ry^' );
define( 'NONCE_KEY',        'FIsAsXJKL5ZlQo)iD-pt??eUbdc{_Cn)4!d~yqz))&B D?AwK%)+)F2aNwI|siOe' );
define( 'AUTH_SALT',        '7T-!^i!0,w)L#JK@pc2{8XE[DenYI^BVf{L:jvF,hf}zBf883td6D;Vcy8,S)-&G' );
define( 'SECURE_AUTH_SALT', 'I6`V|mDZq21-J|ihb u^q0F }F_NUcy`l,=obGtq*p#Ybe4a31R,r=|n#=]@]c #' );
define( 'LOGGED_IN_SALT',   'wu$4c$Hmd%/*]`Oom_(hdXW|0M=X={we6;Mpvtg+V.ol$|#_}qG(GaVDEsn,~*4i' );
define( 'NONCE_SALT',       'a|#h{c5|P &xWs4IZ20c2&%4!c(/uG}W:mAvyjI44`jAbup]t=]V7`}.py(wTP%%' );

For client sites

When using WordPress to build a site for a client, a developer is almost all the time concerned that the client won’t do something stupid to the site, requiring a lot of maintenance.

One common thing is a client trying to edit one of the site php files and ending up deleting something important, causing the website to be unavailable. You can actually prevent this to happen by disabling the built-in files editor in wp-config.php:

define('DISALLOW_FILE_EDIT', true);

Another “classic” client mistake is to never update the WordPress core, which leads to potential security breaches. You can force WordPress to update itself automatically by using the WP_AUTO_UPDATE_CORE constant in your wp-config.php file.

define('WP_AUTO_UPDATE_CORE', true);


If your WordPress install prompts you to fill in your FTP credentials each time you need to update a plugin, you can actually save a lot of time by using wp-config.php to memorize it. The three constants below will tell WordPress what are your FTP host, username and password. That way, you won’t have to submit the info each time.

define('FTP_HOST', 'ftp.yoursite.com');
define('FTP_USER', 'Your_FTP_Username');
define('FTP_PASS', 'Your_FTP_password');

Most quality hosting companies provide SSL to their clients. If your host does, make sure you turn SSL FTP connections on for some extra security.

define('FTP_SSL', true);


When your website is unavailable or behaves strangely, you can make your maintenance work way easier by using wp-config.php and the debugging constants.

Enabling WP_DEBUG will cause all PHP errors, notices and warnings to be displayed.

define('WP_DEBUG', true);

As errors will be displayed on the site and accessible to visitors, a way more elegant way to debug is to use a log. Doing so in WordPress is easy: Once you have set WP_DEBUG to true, you can use WP_DEBUG_LOG, a constant that will make WordPress send all PHP errors and warning into a log located in your wp-content directory.

define( 'WP_DEBUG_LOG', true );

If your database is broken, you can actually repair it easily by accessing the script located at /wp-admin/maint/repair.php after setting WP_ALLOW_REPAIR to true:

define( 'WP_ALLOW_REPAIR', true );

Please note that those constants are intended to be used only when debugging a site. Once you found and fixed the problem, remember to set the values to false!


The wp-config.php file allows some tweaking to ensure a better performance by WordPress. One thing to start with is to increase the maximum memory allocated. Please note that this won’t work if your hosting provider limits the memory, which is often the case on shared hosting.
If you’re looking for a quality web host, I recommand Vidahost, WP Engine or InMotion Hosting.

define('WP_MEMORY_LIMIT', '96M');

You can also allow even more memory to administrative tasks (which requires more memory than just browsing the blog):

define( 'WP_MAX_MEMORY_LIMIT', '256M' );

WordPress has a built-in caching system, located in wp-content/advanced-cache.php. It can be activated using the WP_CACHE constant:

define( 'WP_CACHE', true );