Are you looking for a Faster and More Secure WordPress Site?

Last updated on December 26th, 2015 at 10:30 pm

WordPress Configuration Cheat Sheet for wp-config.php

If you want to make your WordPress Site load faster and more secure in just a few seconds, without changing hosts or even asking a pro to help you then the following Cheat Sheet is a MUST read for you!

Make your WordPress Site Run Faster, Hardcode your Blog Address and Site Address

This is really useful if you want improve your WordPress site performance because it reduces the number of queries made to your WordPress database by your themes and plugins looking to get and display your blog and site url.

define('WP_HOME', 'http://yoursite.com'); // blog url
define('WP_SITEURL', 'http://yoursite.com'); // site url

For improving even more your website by eliminating database requests you can hardcode your Theme and StyleSheet Path as well

define('TEMPLATEPATH', '/absolute/path/to/wp-content/themes/active-theme'); // theme url
define('STYLESHEETPATH', '/absolute/path/to/wp-content/themes/active-theme'); // theme stylesheet url

Enable Cache

WordPress lets you enable caching feature with this snippet:

define( 'WP_CACHE', true );

Move your wp-content and discourage any potential intruders from spending time on your website

define ('WP_CONTENT_DIR','/full/path/to/your/content/dir');	
define ('WP_CONTENT_URL','http://yoursite.com/full/path/to/your/content/dirs/url');

Restrict Access to the wp-config.php File

If you want to make your WordPress site hacker proof then this snippet should be on top of your todo list. Just copy and then paste the following code into your .htaccess file and prevent wannabe intruders to load your wp-config.php file directly from their browser.

# protect wpconfig.php
<files wp-config.php>
    order allow,deny
    deny from all
</files>

Prevent WordPress from asking FTP credentials

If you don't want WP to ask your FTP credentials every time you are trying to install a plugin or theme then use the following code snippet:

define('FS_METHOD', 'direct');

Please note that this may reduce your website protection from intruders.

Get WordPress to remember your FTP credentials

In case you still want to avoid filling the FTP credentials but your host is not permitting the above snippet then you can hardcode your ftp login details in your wp-config.php:

define('FTP_HOST', 'ftp.yoursite.com');
define('FTP_USER', 'Your_FTP_Username');
define('FTP_PASS', 'Your_FTP_password');
define('FTP_SSL', true); // If you can use a SSL connection set this to true

Disallow direct file edition

WordPress lets you edit your theme or plugins using an internal code editor, if you don't want to have this editor available to people logging into WP Dashboard as admins then use the following code snippet:

define('DISALLOW_FILE_EDIT', TRUE);

Disable Editing of Plugin & Theme Files

If you host and/or manage your clients website you can prevent them by editing existing theme and plugin files

define('DISALLOW_FILE_EDIT',true);

With the the following command you can also restrict any installation of a plugin or theme

define('DISALLOW_FILE_MODS',true);

Force SSL usage on your wp-admin directory

Bullet Proof your WP Dashboard by forcing the use of SSL on all admin pages. In order this to work as expected your server must support SSL.

define('FORCE_SSL_ADMIN', true);

This will make browsing your Dashboard much more safer than before.
You can also force the use of SSL only on the login page by using this code:

define('FORCE_SSL_LOGIN', true);

Block external requests by installed plugins and themes

Some themes and plugins are sending external requests to your website making it slower to respond, in general a safe practice but if you feel you don't want to accept the request then use the following line of code:

define('WP_HTTP_BLOCK_EXTERNAL', true);

Be careful though because many of the latest plugins and themes are using those request to function so if you experience any problems and you still want to use this security measure then whitelist the source of those requests by using the following code:

define('WP_ACCESSIBLE_HOSTS', 'pluginorthemeurl.com');

Security Keys, what about them

In your wp-config.php there are 8 lines that mention the security keys of your WordPress Installation, even though these are created automatically when installing WP you can re-create them by visiting this link(https://api.wordpress.org/secret-key/1.1/salt/)
Keep in mind that your WP Security Keys are crucial for your WP site security since they make harder to have your passwords crack therefore you must make sure every time they are setup in your wp-config file.
This is how they should look like:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

Increase WordPress Memory Limit

WordPress by default can increase the php memory limit it uses up to 32M, if this is not enough for your blog then its very likely you'll receive a warning such as "Allowed memory size of xxxxxx bytes exhausted". Next step for you in order to get rid of that limitation would be to increase the php memory limit by using the following line of code:

define('WP_MEMORY_LIMIT', '96M');

Some web hosts disable your ability to increase PHP memory so you have to ask them to do it instead.

Easily move your WordPress Installation

This is a great snippet that can help you move your website from one server to another.
WordPress supports an automatic relocation method intended to be a quick assist to getting a site working when relocating a site to a new domain or subdomain/folder.
Before moving your files and db add the following line of code on your wp-config and then save.

define('RELOCATE',true);

When you are done moving your WordPress Site and Database log in with your original WP credentials at http://yournewsite.com/login.php and browse to the Settings --> General page and check if the Home URl has changed to the new one.
When done go back to your wp-config.php file and remove the snippet.
Be careful though that this constant only helps to move your website and cannot change all of the links that are hardcoded in your website content, you must do this yourself using a text editor.

Automatic Database Repair

Added with Version 2.9, there is automatic database optimization support, which you can enable by adding the following constant to your wp-config.php file only when the feature is required.

define('WP_ALLOW_REPAIR', true);

With that in place, visit the following URL to open the "Database Repair" page:
http://yoursite.com/wp-admin/maint/repair.php
Be careful though because Database Repair page is openly accessible by anyone who finds it so its best to disable/remove it after done using it.

Enable Live Debug Logging

Show Debug messgaes only when using a special debug parameter in the url.

if ( isset($_GET['debug']) && $_GET['debug'] == 'debug')
define('WP_DEBUG', true);

after saving your wp-config.php you can debug any WordPress Page by visiting the following url:
http://yoursite.com/yourpageurl?debug=debug

Automatically empty trash and spam comments

This is a simple way that you can schedule emptying your trash(this includes spam comments too) every X days, where X is the amount of days for the wp-config.php to wait before deleting trash.

define('EMPTY_TRASH_DAYS', 1);

Override WordPress File Permissions

If you are having issues with your host having restrictive permissions for all users files then I suggest you find a new one. If for some reason this is not a viable solution then you can override those file and directory permissions by using the following 2 lines of code inside your wp-config.php file:

define('FS_CHMOD_FILE', 0755);
define('FS_CHMOD_DIR', 0644);

Auto-Save configuration and Post Revision Overrides

WordPress by default saves your post every 60 seconds, if you want to extend the autosave interval then use this, where 160 isa the seconds for interval to run:

define( 'AUTOSAVE_INTERVAL', 160 );

Overriding WordPress Post Revisions can improve your wordpress website performance, specially of you have 10 or more revisions per post.
You can either limit the number of revisions per post:

define('WP_POST_REVISIONS', 5);

or you can disable revisions by using this snippet:

define('WP_POST_REVISIONS', false);

Apply Custom User and Usermeta Tables

define('CUSTOM_USER_TABLE', $table_prefix.'my_users');

Disable WordPress Core Updates

By default WordPress has enabled core updates for minor releases.
If you want to all core updates then copy the following snippet:

#Disable all core updates:
define( 'WP_AUTO_UPDATE_CORE', false );

If you want to allow all core updates including minor and major then use this code:

#Enable core updates for minor releases (default):
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
define('CUSTOM_USER_META_TABLE', $table_prefix.'my_usermeta');

As always if you have any questions or comments you can submit them using the comment form at the end of this post or email them to Fix My WP through the Support Request Form.

Source: /wp-includes/default-constants.php
Image Credit: http://commons.wikimedia.org/wiki/User:Hariadhi

Makis Mourelatos

WordPress Security Engineer at FixMyWP
WC Athens 2016 co-organizer, WP Support and Security Aficionado, Wannabe Kitesurfer.

Comments (1)

  1. Gulf State Software Reply

    April 10, 2016 at 12:39 am

    I don’t know what to say , all WP config together , just saved this page for future.

Leave a Reply

Your email address will not be published. Required fields are marked *