An Introduction to the wp-config.php File

Looking to gain a better understanding of what goes on under the hood of your WordPress website? Then buckle up, as we’re about to take a look at one of WordPress’ most important files: wp-config.php.

What is wp-config.php?

So why is the wp-config.php file so important?

This question is relatively easy to answer: wp-config.php is the all-important link between your website and your database. It contains all the essential login credentials that allows WordPress to communicate with the database.

Or, to put it another way: if the file didn’t exist, WordPress couldn’t access the database. With no way to store and retrieve your data, your website just wouldn’t work.

Accessing wp-config.php

By default, WordPress does not come with the wp-config.php file in place – instead, it’s created during the default installation process. More advanced users have the option of creating the file manually, by using the wp-config-sample.php file as foundation. You can also manually access and edit wp-config.php if you have a text editor installed.

By default, wp-config.php is located in your /public_html folder, which can be accessed via an FTP client. If your host uses cPanel, you’ll be able to access your core files through your account, saving you the trouble of installing a separate FTP client like FileZilla.

It’s worth reminding you that wp-config.php is a core file, essential to your WordPress install. I would never recommend making changes to such an important file without first backing up.

Even if you consider yourself an advanced WordPress user, mistakes happen. So be safe, not sorry.

Basic wp-config.php Fields

Now that we have an idea of the file’s primary purpose and where to find it, let’s open it up and take a look inside.

At the top of the file, you’ll find some of the most important fields. They will look like this:

[php]// ** MySQL settings – You can get this info from your web host ** //
/** The name of the database for WordPress */
define(‘DB_NAME’, ‘database_name_here’);

/** MySQL database username */
define(‘DB_USER’, ‘username_here’);

/** MySQL database password */
define(‘DB_PASSWORD’, ‘password_here’);

/** MySQL hostname */
define(‘DB_HOST’, ‘localhost’);[/php]

If you’re an inexperienced WordPress user, I’m sure the above code looks more than a little intimidating, am I right? Unless you manually created your MySQL database, these fields are populated automatically, so you won’t need to concern yourself with them too much.

If you did create your MySQL database manually, then you need to input the database name, username, and password in the given space — for example, username_here.

The MySQL hostname works slightly differently, and will vary depending on your hosting provider. Some of the more popular hosting services — including BlueHost, GoDaddy, and HostGator — use the default ‘localhost’ value, so there’s a chance you won’t have to change this at all. I’d strongly recommend contacting your host to ensure this value is correct, however, although some of the values for the most popular hosts are listed here.

If these four fields are populated automatically, why might you need to know about them?

Well, it’s just useful information to have on hand, as mistyped credentials are one of the more common causes of database connection errors — armed with this knowledge, you can jump in and correct them.

And because we’re talking about login credentials here, it’s important that all four values are correct. If they’re not, errors happen, in the same way that you can’t mistype your username and password when trying to access your WordPress dashboard.

wp-config.php Security Keys

The wp-config.php file is also used to define your site’s security keys.

WordPress uses these security keys to authorize and encrypt cookies. As such, you want to make sure they’re really secure — I recommend super-long character strings, far more complex than your average password.

WordPress will automatically generate these for you, although if you’ve installed the wp-config.php file manually, you’ll be responsible for generating your own. This is what the security key section looks like:

[php] * Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define(‘AUTH_KEY’,         ‘put your unique phrase here’);
define(‘SECURE_AUTH_KEY’,  ‘put your unique phrase here’);
define(‘LOGGED_IN_KEY’,    ‘put your unique phrase here’);
define(‘NONCE_KEY’,        ‘put your unique phrase here’);
define(‘AUTH_SALT’,        ‘put your unique phrase here’);
define(‘SECURE_AUTH_SALT’, ‘put your unique phrase here’);
define(‘LOGGED_IN_SALT’,   ‘put your unique phrase here’);
define(‘NONCE_SALT’,       ‘put your unique phrase here’);[/php]

Simply add your security key in place of the ‘put your unique phrase here’ text. To help you create uncrackable security keys, WordPress created this tool to generate complex keys for you. Just press refresh to generate another set of credentials. You can then copy and paste the results directly over the top, rather than going through each field one by one.

Why are these fields important? Well, by changing one of the keys, you can instantly boot out all logged in users. This is a useful way to protect your website from known threats.

And, if you’re wondering what the four ‘SALT’ fields are, these essentially double up on the security provided by the primary keys.

Final Thoughts

As one of the core WordPress files, wp-config.php is understandably complicated and somewhat intimidating. Today, I’ve only touched the surface of the wp-config.php file, but I hope it gives you a better understanding of some of the behind-the-scenes WordPress mechanics.

If you want to learn more, particularly the more advanced stuff, WordPress have provided a comprehensive guide to wp-config.php which can be accessed here.

Do you have any tips for working with the wp-config.php file? Share your experiences in the comments below!