WordPress: wp-config.php

WordPress wp-config

Here we take a look at WordPress’ wp-config.php file, a very important file for configuration settings.

This one is a dangerous PHP file. I say dangerous because if its contents are revealed publicly, all hell can break loose: a lot of sensitive information is stored in this file. If you can, store this file outside your web server's document root. In Apache, for example, the document root will be htdocs or public_html. You can store the file one folder above it, and you should set the file permissions so that it is readable only by the owner and group (400/440).

When Apache is installed, the owner and group are usually the same (apache:apache, www-data:www-data, nobody:nobody). Never allow this file to be read by everybody. To prevent wp-config.php from being accessed over the web, you can add the following to your .htaccess or httpd.conf file:

<Files wp-config.php>
  # Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied"
  Order Allow,Deny
  Deny from all
</Files>

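As an added example (not from the original post), here is a shell function that checks a wp-config.php against the two recommendations above: permissions no looser than 400/440, and a location outside the document root. The function names and the paths passed in are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit a wp-config.php against the advice in this post.
# Function names are hypothetical; paths are supplied by the caller.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_wp_config CONFIG DOCROOT
# Prints one finding per line. Returns 0 if clean, 1 on any finding, 2 on bad arguments.
audit_wp_config() {
  local cfg="$1" docroot="$2" mode findings=0 real_cfg real_root
  [ -f "$cfg" ] && [ -d "$docroot" ] || { echo "usage: audit_wp_config FILE DOCROOT"; return 2; }

  mode=$(file_mode "$cfg")
  # Any "other" bit exposes the database password and keys to every local user.
  if [ $(( 0$mode & 007 )) -ne 0 ]; then
    echo "FAIL mode $mode: accessible by others"; findings=1
  fi
  # 400 and 440 carry no write bits; a writable config can be rewritten
  # by a compromised web server process.
  if [ $(( 0$mode & 0222 )) -ne 0 ]; then
    echo "FAIL mode $mode: write bit set (want 400 or 440)"; findings=1
  fi

  # Canonicalise both paths so ../ or symlinked directories do not hide
  # a config that really lives under the document root.
  real_cfg=$(cd "$(dirname "$cfg")" && pwd -P)/$(basename "$cfg")
  real_root=$(cd "$docroot" && pwd -P)
  case "$real_cfg" in
    "$real_root"/*)
      echo "WARN inside document root: the <Files> deny rule is the only barrier"
      findings=1 ;;
  esac
  return $findings
}
```

Call it as `audit_wp_config /path/to/wp-config.php /path/to/public_html`; a non-zero exit status makes it usable in a deployment check.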
There’s really no sense in going through all the configuration constants in this file, as it’s mostly self-explanatory. If you want to know more, you can read about it in the WordPress Codex. However, I would suggest looking at it at least once to get a good feel for its contents.

During installation, this file is modified to match what you type in. The purpose of wp-config.php is to store WordPress configuration settings. Things like:

  • Database configuration
  • Authorization keys
  • Debug switch
  • Anything else that needs to be configured

For developers, a very important constant is also set here: ABSPATH. This is used frequently throughout the WordPress source. How frequently? Nearly 800 times. It is the absolute path from the document root to WordPress itself.

The big statement in this file is the last one:

require_once(ABSPATH . 'wp-settings.php');

wp-settings.php brings in a ton of WordPress include files, too many to list.