Optimization of wp-config

Tips & Tricks how to optimize the file: wp-config.php in WordPress.

In this blog post we show you some tips and tricks on how to enhance your WordPress installation by optimizing wp-config with features and how to make the entire installation safer.

The wp-config.php is the most important file of a WordPress installation. It contains the access data to the database. It also has other features for running WordPress, such as controlling the PHP memory limit on your server, the maximum number of post-revisions, and so on. It’s your most important file, and it needs to be protected from external intrusion.

Another important note before you make changes to the wp-config.php: make a backup of the current wp-config.php, so you can restore it when something goes wrong.

Anything added to the file with new code should be preceded by the “For Developers” comment (* For developers: WordPress debugging mode.).

You also need an HTML editor and an FTP client so you can access your server.

# 1: Update WordPress automatically

Keeping WordPress and the themes and plugins up to date is one of the most important tasks. This guarantees the security of your WordPress installation. There have been automated updates for security updates since version 3.7, but the major new versions have to be manually installed through the backend.

To automatically update new major versions of WordPres, you can insert the following line:

define('WP_AUTO_UPDATE_CORE', true);

Automatic updates in WordPress for the plugins and themes do not work through the wp-config.php. Du kannst dies jedoch über das Plugin Easy Updates Manager realisieren. It then only has to be configured after the installation.

# 2: Use Security Keys / Secret Keys

The secret keys encrypt the information that is stored in the cookie, for example the password for the login. Because an unencrypted password like “pass123” is much easier to crack than a “Aga5VfdsaAFGhjhjJ @ §2”.

You can also install or replace the security keys later in an existing website. Only the users have to log in again after the update of the Secret Keys.

You can regenerate the security keys on the official site and copy them to wp-config.php:

Link to the website: https://api.wordpress.org/secret-key/1.1/salt/

# 3: Turn off the plugin & theme editor in the backend

The theme files and the plugin files can be customized in the WordPress backend directly from the dashboard. The editor can be found under “Design -> Editor” or “Plugins -> Editor”. However, if an unauthorized person gains access to the backend, you have a significant security issue. It can be used to delete lines of code or to implement bad code.

Another worst case version: if you even as an administrator save a reckless change prematurely, under certain circumstances, the entire page and backend can no longer work.

The recommendation for professionals: Check changes either first in a test environment or make only directly to the files via SSH or FTP.

Turn off the editor in the backend for all users works with the following code:

define('DISALLOW_FILE_EDIT', true);

# 4: Disable plugin and theme installation

Preventing the installation of themes and plugins via the backend works with the following line of code. This prevents all users from changing the theme or plugins via the administration interface. In the future, all files must be uploaded to the server via FTP.

define( 'DISALLOW_FILE_MODS', true );

# 5: Prefer SSL usage

An SSL certificate is mandatory on every website today. It increases security between browser and server. It’s been a ranking factor on Google a long time ago.

Let’s Encrypt offers certificates for free. So there is no reason to do without it.

If a certificate is installed, you can use the following code to instruct WordPress to force SSL in the backend as well and thus achieve a secure connection when unsubscribing. The first line is the secure login and the second line is the secure connection in the backend.

define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);

# 6: Disable debug mode

Debug mode in WordPress allows developers to find errors in code and identify outdated features. The debug mode should only be used in a secure trial version. In a live environment, he would also tell strangers sensitive information about the WordPress installation.

By default, debug mode is disabled in WordPress. We recommend to check in the wp-config.php in any case, whether it is so set. The following code has debug mode disabled:

define('WP_DEBUG', false);

# 7: Change table prefix

In a new WordPress installation, the table prefix of “wp_” should be replaced with something cryptic: e.g. “Krtxp_”.

This reduces SQL injection (injecting bad code) into the database.

# 8: move wp-config.php

Since wp-config.php is the most important file in your WordPress installation, it should be as secure and hidden as possible. The file can also be moved to another directory, where it is not so easy to find for strangers.

To do this, move the wp-config.php to a new location of your choice, which can also be outside the WordPress folder. Save the file before. Then you simply create a new wp-config.php in the root directory of your WP installation and insert the following code. Please make sure that the path in line 4 has to be adjusted. That’s all.

The opinions about the expediency of moving the wp-config.php are divided among experts. However, if you want to include an additional security feature in your WordPress installation, we recommend this step.

<?php if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');
require_once(ABSPATH . '../pfad/zur/wp-config.php');

# 9: Securing wp-config.php with .htaccess

The following code will be integrated into the .htaccess file and not into your wp-config.php. The code is used to secure the wp-config.php. Access to the wp-config.php from the outside is thus limited:

<files wp-config.php>
    order allow,deny
    deny from all

# 10: Change autosave interval

By default, WordPress saves your post every 60 seconds. In case of a browser failure, the majority of your work is preserved. If you want to specify a longer or shorter period of time, you can adjust this with the following line of code:

define( 'AUTOSAVE_INTERVAL', 120 ); // Sekunden

# 11: Limit or disable post revisions

WordPress automatically saves any changes to your posts. This burdens the database enormously. If you want to limit the revisions to a certain number, you can set this with the code below. [

define('WP_POST_REVISIONS', 5); //nur noch 5 Revisionen zulassen

Alternatively, you can turn off the revisions completely:

define('WP_POST_REVISIONS', false); //Revisionen komplett deaktivieren

# 12: Deposit Home URL and Site URL

The Home URL and Site URL of WordPress are stored in the database in the wp_options table. Each time a theme or plugin accesses this feature, it must communicate with the database. This takes time and increases the access rate to the database.

The following code allows you to store your home URL and site URL directly in wp-config.php. This will save many database queries in the future. Both values can no longer be changed via the backend, which minimizes the risk of an (unwanted) change in a website with many users and different rights assignments.

Attention! The values in the database will not be overwritten, if you enter something else in your wp-config.php than in the backend. Once you remove these lines from the wp-config.php, the URLs that are stored in the backend will apply.

Both values have no trailing slash at the end.

define('WP_HOME', 'http://www.deinedomain.de');
define('WP_SITEURL', 'http://www.deinedomain.de');

# 13: Empty the trash faster

WordPress includes a Recycle Bin feature. The deleted posts can thus be restored for a certain time and are not immediately deleted from the database. The standard for automatic emptying is 30 days.

If you want to reduce or extend this time, you can do that via the following line of code.

Entry = “0” means: the recycle bin function will be completely deactivated and posts will be deleted immediately upon deletion and can not be restored.

Attention! WordPress does not ask for confirmation, so be careful ..

define('EMPTY_TRASH_DAYS', 7 ); // Tage

# 14: PHP memory limit increase

You can change the increase of the PHP memory limit with the following line:

define('WP_MEMORY_LIMIT', '256M'); // PHP Memory Limit

Conclusion: optimize wp-config.php

With the featured snippets of code, you can customize the behavior of your website to suit your needs.

You also have some tools at your fingertips to make your WordPress installation a bit more secure and prevent hacker attacks.

JoeWP WordPress Agency - Request

You need help with the optimization of your file wp-config?

Do you want to start right now? Discuss your project with us!