wp-config.php
wp-config.php is the master configuration file for every WordPress installation. It sits in the root directory of your WordPress install and tells WordPress how to connect to its database, what s...
For: WordPress site owners and freelancers who need to understand what wp-config.php does before touching it — or before handing server access to someone else.
wp-config.php is the master configuration file for every WordPress installation. It sits in the root directory of your WordPress install and tells WordPress how to connect to its database, what security keys to use, and how to behave in different environments. Without it, WordPress cannot run.
Answer capsule:
wp-config.phpis a PHP file in the root of your WordPress installation that stores database credentials, secret keys, table prefixes, and environment settings. WordPress reads it on every page load. Editing it incorrectly will take your site offline — always back it up before making changes.
What does wp-config.php do in WordPress?
wp-config.php handles four core jobs: database connection, security authentication keys, table prefix configuration, and debug mode. Every page request WordPress serves begins with this file. As of WordPress 6.5, it also supports the WP_ENVIRONMENT_TYPE constant to define staging, development, or production contexts.
Where is wp-config.php located?
The file lives in the root directory of your WordPress installation — the same folder as wp-login.php and index.php. On most shared hosting setups, that path is public_html/wp-config.php. In our testing across dozens of cPanel accounts, this is the most common location. Some hosts move it one level above the web root as a security measure, which is a practice WordPress officially recommends.
What’s inside wp-config.php?
The file contains PHP constants and variables. The most critical ones:
// Database credentials
define( 'DB_NAME', 'your_database_name' );
define( 'DB_USER', 'your_db_username' );
define( 'DB_PASSWORD', 'your_db_password' );
define( 'DB_HOST', 'localhost' );
// Security keys (unique per site)
define( 'AUTH_KEY', 'put your unique phrase here' );
// Table prefix
$table_prefix = 'wp_';
// Debug mode (disable on live sites)
define( 'WP_DEBUG', false );We see one recurring mistake on client sites: WP_DEBUG left as true on a live production site, which exposes PHP errors and file paths to any visitor. Set it to false before launch.
Can you edit wp-config.php safely?
Yes, but only with a backup in hand first. A single syntax error — a missing semicolon, an extra quote — produces a white screen or 500 error instantly. Before editing, download a copy via FTP or your host’s file manager. For debug mode, table prefix changes, and memory limit increases, direct edits to this file are the right approach; no plugin can safely replace it. A Reddit thread from April 2026 highlighted a cautionary case where a developer ran nano without saving cleanly and accidentally exposed database credentials in a .save temp file — proof that editing this file carelessly carries real consequences.
Related terms
- WordPress database — what wp-config.php connects to
- wp-login.php — the authentication entry point wp-config.php secures with auth keys
- WordPress root directory — where wp-config.php lives
- WP_DEBUG — the constant that controls error visibility
- table prefix — the
$table_prefixvariable that namespaces database tables
Additional reading
- How to edit wp-config.php safely — step-by-step with FTP and cPanel methods
- WordPress security hardening checklist — includes moving wp-config.php above web root
- Fix “Error Establishing a Database Connection” — the most common wp-config.php failure
Last verified: April 2026