Getting the Most From Your wp-config.php

The wp-config.php file is an integral part of any WordPress installation and can do a lot more than you may think. Some websites will only ever have this file modified through the famous ‘5-minute WordPress Installer’, though by delving into the file and updating some of the code, you can change, secure and optimize a bunch of WordPress features.

We have included a number of our favourite additions to the wp-config.php file in this post, but be sure to read what each section does and not just blindly copy. We configure the file each time, changing a number of the variables to best suit our client. You’ll also need to be aware that some of these settings will change depending on the environment.

Database Settings

You're probably quite familiar with this first section: setting up your database connection. Here we would always recommend setting a unique table prefix and generating a new series of keys & salts. The generator URL is right there in the code comment, and for the sake of security it's well worth a click. These unique salts will ensure that the generated passwords don't use the same encryption pattern as other websites, so even if another website is compromised an attacker can't easily access your users' login details.

<?php
/**
 * Custom WordPress configurations on "wp-config.php" file.
 *
 * This file has the following configurations: MySQL settings, Table Prefix, Secret Keys, WordPress Language, ABSPATH and more.
 * For more information visit {@link https://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php} Codex page.
 *
 * @package WordPress
 */


/* MySQL settings */
define( 'DB_NAME',     'DBNAME' );
define( 'DB_USER',     'ROOT' );
define( 'DB_PASSWORD', 'ROOT' );
define( 'DB_HOST',     'HOST' );
define( 'DB_CHARSET',  'utf8mb4' );


/* MySQL database table prefix. */
$table_prefix = 'sg123_';


/* Authentication Unique Keys and Salts. */
/* https://api.wordpress.org/secret-key/1.1/salt/ */
define('AUTH_KEY',         '`TNR8)&Km[<&cuKu{E)$l|-n/SqAho,z%dtuso{IjT<0Pzq-UDP:qS?~:(55I/+/');
define('SECURE_AUTH_KEY',  ',4NYlUz-OTjBE<Pnuex@ S!sS.0|G#)0nPzrLgEwcD?_4M)33dg#>jb;v-O`j?Ba');
define('LOGGED_IN_KEY',    ',l^M!/&f8Ej9%.UpUqO.oR}Q[Le.c<F7:v3cJU:Ycl7 {t-=d-,cs4xiHJ)x }nY');
define('NONCE_KEY',        '=%Sn2^r_n<dT]tfEIVT6I0m( y?j.louD6-~h)*M*iSe@GHh4`c|<WF*]++a;z8z');
define('AUTH_SALT',        '4ddR>jNus>]$=%x?{S&7joCW4!T1:t W&s|9kIc9jf_Y`;YH!;(vX|OWm~D,Ohca');
define('SECURE_AUTH_SALT', 'wH-6a~yTWQ]e|?Zn4hIxq}ew0;y=$YN#Vmr82 ^!s%:.Xy}~n];W>Q24)rK5U;p-');
define('LOGGED_IN_SALT',   'V8dL9}>S|m_sW?|AzaSU]tF.rHf-}]EzU9HzN&vU(V6q&]{lQ_)+}T1l{+^XHf7?');
define('NONCE_SALT',       '<*/_L vjAB9+7xJ]n/jLK)Om#+An-O@#D2j/}P`_!wi`m.V0A6/UZf-=OnV)aCgF');

 

Housekeeping

We can also perform housekeeping tasks, ensuring our database doesn’t get clogged with endless revisions. By default all revisions are stored in the database and for save-click-happy people this can start to add up. We also allow our media files to be deleted, but nothing too magical there.

/* Specify maximum number of Revisions. */
define( 'WP_POST_REVISIONS', '20' );


/* Media Trash. */
define( 'MEDIA_TRASH', true );

 

Multisite Functionality

You can then specify if you’re working on a multisite, one of WordPress’ wonderful features allowing you to turn your single blog into a network quickly and easily.

/* Multisite. */
define( 'WP_ALLOW_MULTISITE', false );

 

Debugging

For debugging we have included our local development setup below. We get a few options when configuring our debug settings: whether to display errors on screen (a big no-no for production websites!), whether to log them in debug files (a nicer solution, but ensure you regularly check and archive them to prevent file bloat), and whether to save database queries for later analysis. For our local development we generally have everything switched on, though for production websites these are all generally turned off to prevent any unwanted, scary messages (though by production there should be no errors!).

/* WordPress debug mode for developers. */
define( 'WP_DEBUG',         true );
define( 'WP_DEBUG_LOG',     true );
define( 'WP_DEBUG_DISPLAY', false );
define( 'SCRIPT_DEBUG',     false );
define( 'SAVEQUERIES',      true );

 

Server / WP Settings

You can even throw in some server configuration. For example, if your website is particularly memory intensive then use WordPress’ built-in memory limits to ease congestion. Note that for increasing memory, you’ll also need to update your php.ini file. We have also found this a good section to specify our MAX_INPUT_VARS limit, as we work quite extensively with ACF.

/* PHP Memory */
define( 'WP_MEMORY_LIMIT',     '64M' );
define( 'WP_MAX_MEMORY_LIMIT', '256M' );

 

CRON Jobs

Having a default, public-facing WordPress CRON can be quite annoying. The default CRON will trigger from a user’s browser, and for large queries and processes you may end up driving one of your customers away every x minutes. By disabling the CRON and switching to a good ol’ fashioned Apache CRON job you can put the emphasis on internal server processes and spare your users. But to reiterate, you will need to enable CRON jobs at a server level in addition to this, and you can read more about that here.

/* CRON */
/* Booleans must be unquoted: the strings 'true' and 'false' both evaluate as true in PHP. */
define( 'DISABLE_WP_CRON',      true );
define( 'ALTERNATE_WP_CRON',    false );
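
An added example, not part of the original post: a small Python audit for the settings discussed so far. It flags quoted booleans (PHP treats any non-empty string other than '0' as true, so a quoted 'false' switches a setting on), on-screen debug output, the default wp_ table prefix, and missing, placeholder or duplicated keys and salts. The function names, rule labels and SAMPLE config are assumptions constructed for illustration.

```python
import re

# define( 'NAME', <value> ): quoted string or bare literal. Defines inside PHP comments match too.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[^\s)]+)\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")
SECRETS = [f"{p}_{s}" for s in ("KEY", "SALT")
           for p in ("AUTH", "SECURE_AUTH", "LOGGED_IN", "NONCE")]
PLACEHOLDER = "put your unique phrase here"  # default in wp-config-sample.php
# Constructed sample, not a real site's configuration.
SAMPLE = """<?php
$table_prefix = 'wp_';
define( 'WP_DEBUG',         true );
define( 'WP_DEBUG_DISPLAY', 'false' );
define( 'DISABLE_WP_CRON',  'true' );
define( 'AUTH_KEY',         'put your unique phrase here' );
"""

def parse_defines(text):
    """Map constant name -> raw PHP token; the first define wins, as in PHP."""
    found = {}
    for name, raw in DEFINE_RE.findall(text):
        found.setdefault(name, raw)
    return found

def php_truthy(raw):
    """How PHP's if() treats a literal token; None means the constant is undefined."""
    if raw is None:
        return False
    if raw[0] in "'\"":
        return raw[1:-1] not in ("", "0")
    return raw.lower() not in ("false", "0", "null")

def audit(text):
    """Return (rule, subject) findings for a production wp-config.php."""
    d, out = parse_defines(text), []
    for name, raw in d.items():
        if raw[0] in "'\"" and raw[1:-1].lower() in ("true", "false"):
            out.append(("quoted-boolean", name))  # 'false' is a truthy string
    if php_truthy(d.get("WP_DEBUG")) and php_truthy(d.get("WP_DEBUG_DISPLAY", "true")):
        out.append(("debug-display", "WP_DEBUG_DISPLAY"))  # errors shown on screen
    prefix = PREFIX_RE.search(text)
    if prefix and prefix.group(1) == "wp_":
        out.append(("default-prefix", "$table_prefix"))
    values = [d.get(n, "''")[1:-1] for n in SECRETS]
    for name, value in zip(SECRETS, values):
        if not value or value == PLACEHOLDER or values.count(value) > 1:
            out.append(("weak-secret", name))
    return out
```

Calling audit(SAMPLE) reports the quoted WP_DEBUG_DISPLAY as both a quoted boolean and as on-screen debug output, because the string 'false' leaves display switched on.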

 

Automatic Updates

If you have been keeping an eye on the WordPress community and the news around it, then you will have seen the recent concerns around versions 4.7.2 and 4.7.3. There have been a number of core security issues that arose and although they were patched before any exploits were discovered, and WordPress worked with large-scale hosts to prevent any issues, some websites were still affected. With this next block you’d have been safe without having to do anything.

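This chunk enables minor updates (not major, as these can sometimes break functionality and it’s best to have your agency migrate and test), and if you’re in an environment where WP_DEBUG is not enabled then no plugin or theme files can be modified. This is fantastic for version control and security. Note that DISALLOW_FILE_MODS also switches off WordPress’ automatic updater, so the minor core updates only run where that constant is not set.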

/* Updates */
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

if( ! WP_DEBUG ) {
	define( 'DISALLOW_FILE_MODS', true );
	define( 'DISALLOW_FILE_EDIT', true );
}

 

Default URLs

This next step helps with migrations, ensuring that our base domain and WordPress domain match correctly.

/* Set the site addresses. */
define( 'WP_HOME',    'http://local.mywebsite.com' );
define( 'WP_SITEURL', 'http://local.mywebsite.com' );

 

Making the magic happen

And then just the boring run-of-the-mill WordPress magic that makes everything work. Best to keep this here!

/* Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
	define('ABSPATH', dirname(__FILE__) . '/');

/* Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

 

And that’s all. If you have anything else that you put in your WordPress config, then comment below and let us know!
