WP-config file optimized set up for speed and security

Last edited:
October 31, 2023

💡We may earn a commission if you subscribe to a service from a link on this page.

The WP-config.php file, a cornerstone of your WordPress installation, is often overlooked when it comes to optimization. In this comprehensive guide, we’ll explore why optimizing the WP-config file is crucial for both enhancing the performance and fortifying the security of your WordPress site. We’ll also provide a small “WP-config cheatsheet” at the end which includes all the suggested optimizations. Let’s start by understanding the significance of this process.

Why Optimize WP-config?

The WP-config.php file, located at the root of your WordPress directory, plays a pivotal role in configuring your WordPress website. It contains vital settings, including database connections, authentication keys, and more. Optimizing this file can lead to significant improvements in speed and security. Let’s delve into the key areas where optimizations can make a difference.

Editing WP-config

Before we dive into optimization, it’s essential to know how to access and edit the WP-config file. The file is in the main directory of your WordPress installation. For example, if you use cPanel and your website is the main domain of the current account, you will find your wp-config file under File Manager / public_html. You can edit it through your hosting control panel or via FTP. Let’s explore both methods.

Editing via Hosting Panel

  1. Log in to your hosting control panel, such as cPanel or Plesk.
  2. Navigate to the File Manager or a similar tool.
  3. Locate the root directory of your WordPress installation.
  4. Find the WP-config.php file, right-click on it, and select the “Edit” option.

Editing via FTP

  1. Use an FTP client like FileZilla.
  2. Connect to your web server using your FTP credentials.
  3. Navigate to the root directory of your WordPress installation.
  4. Right-click on the WP-config.php file and choose to edit it.

Optimization Options

Now, let’s explore a series of WP-config optimizations that can boost both the performance and security of your WordPress site. Make sure you add your code near the end of the file, but before the wp-settings.php call and between the comment markers that indicate where custom values go.

1. Customizing WP_SITEURL

Your WP_SITEURL setting in the WP-config file allows you to define the WordPress address (URL). This is where your core WordPress files reside, and it should include the http:// part. By specifying WP_SITEURL in your WP-config file, you can reduce the number of database calls when loading your site. Like WP_SITEURL, WP_HOME lets you specify the web address for your WordPress blog that users will type into their browsers to access it. This address should include “http://” at the beginning and should not end with a slash “/”.

define( 'WP_SITEURL', 'https://www.yourwebsite.com');
define( 'WP_HOME', 'https://www.yourwebsite.com' );

If you’ve installed WordPress in a subdirectory, you should set this value accordingly.

2. Optimizing Post Revisions

WordPress automatically stores post revisions, allowing you to revert to previous versions of your posts and pages. However, these revisions can accumulate and potentially bloat your database. You have several options to optimize this:

  • Disable Post Revisions: To completely disable revisions, use the following code:
    define('WP_POST_REVISIONS', false);
  • Specify the Number of Post Revisions: If you want to limit the number of revisions stored, you can set it to a specific number:
    define('WP_POST_REVISIONS', 3);
  • Modify AutoSave Interval: When you’re editing a post, WordPress auto-saves revisions via Ajax. You can adjust the time interval between these auto-saves to ensure you never lose important changes. The default interval is 60 seconds. Change it like this:
    define('AUTOSAVE_INTERVAL', 180); // Set the interval to 180 seconds

These optimizations help save space in your database and improve site performance.

3. Adjusting PHP Memory Limits

The WP_MEMORY_LIMIT option allows you to set the maximum amount of memory that WordPress can consume. If you ever encounter an “Allowed memory size exhausted” error, you might need to increase this limit. WordPress automatically tries to allocate more memory for itself, but you can define a higher limit in your WP-config file:

define('WP_MEMORY_LIMIT', '128M');

You can also set a maximum memory limit for administration tasks using WP_MAX_MEMORY_LIMIT:

define('WP_MAX_MEMORY_LIMIT', '256M');

Make sure these settings precede the inclusion of wp-settings.php. However, be cautious when increasing memory limits, as it might hide underlying issues that need addressing.

4. Cleanup Image Edits

By default, WordPress creates multiple sets of images when you edit an image. These unnecessary files can clutter your server. To mitigate this, define IMAGE_EDIT_OVERWRITE as true in your WP-config:

define('IMAGE_EDIT_OVERWRITE', true);

This optimization ensures that only one set of image edits is ever created, and when you restore the original image, the edits are promptly removed.

5. Disable WordPress Auto Updates

In some cases, you may want to disable auto-updates to avoid potential issues with customizations or host-supplied updates. By setting AUTOMATIC_UPDATER_DISABLED to true, you gain more control:

define('AUTOMATIC_UPDATER_DISABLED', true);

This is particularly useful before major releases, allowing time for testing on a development or staging environment.

6. Disable WordPress Core Updates

Managing core updates can be vital for site stability. You can do this with the WP_AUTO_UPDATE_CORE constant. Here are the options:

  • Disable all core updates:
    define('WP_AUTO_UPDATE_CORE', false);
  • Enable all core updates, including minor and major:
    define('WP_AUTO_UPDATE_CORE', true);
  • Enable core updates for minor releases (default):
    define('WP_AUTO_UPDATE_CORE', 'minor');

This flexibility allows you to tailor core updates to your site’s specific needs.

7. Disable the Plugin and Theme File Editor

Occasionally, you might want to disable the plugin and theme file editor to prevent unauthorized access to sensitive files. Disabling these editors can also enhance security.

define('DISALLOW_FILE_EDIT', true);

Note that some plugins may be affected by this change, and authors should consider this when developing their plugins.

8. Disable Plugin and Theme Update and Installation

To block users from installing or updating plugins and themes through the WordPress admin area, you can set DISALLOW_FILE_MODS to true. This action also disables the Plugin and Theme File editor, simplifying security management:

define('DISALLOW_FILE_MODS', true);

This optimization is particularly valuable in environments where tight control over changes is essential.

9. Require SSL for Admin and Logins

To ensure secure logins and admin access, you can enforce SSL by setting FORCE_SSL_ADMIN to true:

define('FORCE_SSL_ADMIN', true);

This step prevents passwords and cookies from being transmitted without encryption, significantly improving security.

10. Empty Trash

Control the duration before WordPress permanently deletes posts, pages, attachments, and comments from the trash bin using the EMPTY_TRASH_DAYS constant. The default is 30 days. To disable the trash entirely, set the value to zero:

define('EMPTY_TRASH_DAYS', 0);

This can help manage database clutter and reduce unnecessary data storage.

11. Disable Cron and Cron Timeout

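Fine-tune cron jobs by disabling WordPress’s built-in cron entirely with DISABLE_WP_CRON. Scheduled tasks then only run if something else, such as a system cron job, requests wp-cron.php: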

define('DISABLE_WP_CRON', true);

Additionally, you can control how often a cron process can run with WP_CRON_LOCK_TIMEOUT:

define('WP_CRON_LOCK_TIMEOUT', 60);

These optimizations can help optimize background tasks on your site.

12. Disabling (or Enabling) Debugging with WP_DEBUG

The WP_DEBUG setting allows you to enable debugging in WordPress. When set to true, it reports errors and warnings and enables the use of WP_DEBUG_DISPLAY and WP_DEBUG_LOG settings. In a production environment, where you normally run a live website without any issues, you would want to make sure everything is set to false:

define( 'WP_DEBUG', false);
define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', false );

Starting with WordPress 5.2, a feature called Recovery Mode handles fatal errors gracefully, showing an error message rather than a white screen. You can disable this feature by setting WP_DISABLE_FATAL_ERROR_HANDLER to true; the line below keeps it enabled:

define('WP_DISABLE_FATAL_ERROR_HANDLER', false);

This feature prevents visitors from seeing a completely white screen when a fatal error occurs to your website.

In a development environment where you want to debug, you should use:

define( 'WP_DISABLE_FATAL_ERROR_HANDLER', true );
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_DISPLAY', true );
define( 'WP_DEBUG_LOG', true );

In a production environment you should make sure the below are set:

define( 'WP_DISABLE_FATAL_ERROR_HANDLER', false ); 
define( 'WP_DEBUG', false ); 
define( 'WP_DEBUG_DISPLAY', false ); 
define( 'WP_DEBUG_LOG', false );

In case you need to debug a live site you could use:

define( 'WP_DISABLE_FATAL_ERROR_HANDLER', false ); 
define( 'WP_DEBUG', true ); 
define( 'WP_DEBUG_DISPLAY', false ); 
define( 'WP_DEBUG_LOG', true );

13. Caching with WP_CACHE

Caching can significantly boost your site’s speed. To enable caching in WordPress, define WP_CACHE as true in your WP-config file:

define('WP_CACHE', true);

//bonus for those using Litespeed
define('LSCACHE_ESI_SILENCE', true); //hide LScache HTML comments

This setting includes the wp-content/advanced-cache.php script when wp-settings.php runs, improving your site’s performance. Most cache plugins configure this setting for you automatically, so it’s better not to add it yourself if you already use a cache plugin.

14. Salt Keys refresh

Salt keys are an often overlooked but vital aspect of WordPress security. These are random strings of characters used to enhance the encryption of information stored in users’ cookies and passwords. Here’s what they look like in your WP-config file:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

By replacing 'put your unique phrase here' with complex, random strings, you significantly enhance the security of your site. To generate these salts, you can use WordPress’s official Salt Key generator (https://api.wordpress.org/secret-key/1.1/salt/).

Your salt keys should be kept secret and unique for each site. Updating these keys at regular intervals is also advisable. For example, after migrating your website, after removing access for a previous administrator user, or if you think you’ve been hacked, make sure you refresh your salt keys. Changing them invalidates every existing login cookie, so all users have to log in again.

Wrapping up the whole suggested code:

For those who don’t want to think it through too much, we have gathered our suggestions for a production website, all in one code block:

define( 'WP_MEMORY_LIMIT', '128M' ); // for a small simple business website

define( 'WP_DEBUG', false );
define( 'WP_DISABLE_FATAL_ERROR_HANDLER', false ); // For WordPress 5.2 and later
define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', false );

define( 'WP_POST_REVISIONS', false );
//define( 'AUTOSAVE_INTERVAL', 180 ); // if you enable this, set WP_POST_REVISIONS above to at least 1

define( 'WP_SITEURL', 'https://www.yourwebsite.com' );
define( 'WP_HOME', 'https://www.yourwebsite.com' );

define( 'IMAGE_EDIT_OVERWRITE', true );

define('FORCE_SSL_ADMIN', true);

define('WP_CRON_LOCK_TIMEOUT', 120);

define( 'AUTOMATIC_UPDATER_DISABLED', false );
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

define( 'DISALLOW_FILE_EDIT', true ); //you can change it only when needed
define( 'DISALLOW_FILE_MODS', true );//you can change it only when needed
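
A small checker for the production settings listed above and for the salt placeholders from section 14; it is an added example, not code from the original article or from WordPress. The function names, the constructed sample input and the choice to flag unset constants only where the cheatsheet wants true are assumptions of this example.

```python
import re
# Production values from the cheatsheet above (lower-cased PHP literals).
EXPECTED = {"WP_DEBUG": "false", "WP_DEBUG_DISPLAY": "false",
            "WP_DEBUG_LOG": "false", "WP_DISABLE_FATAL_ERROR_HANDLER": "false",
            "AUTOMATIC_UPDATER_DISABLED": "false", "FORCE_SSL_ADMIN": "true",
            "DISALLOW_FILE_EDIT": "true", "DISALLOW_FILE_MODS": "true"}
SALTS = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
         "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"
# Value is a whole quoted string (real salts contain ')' and ';') or a bare token.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*"""
    r"""('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[^\s)]+)\s*\)\s*;""")
# Constructed sample input, not a real site's configuration.
SAMPLE = """define( 'WP_DEBUG', true );
define( 'WP_DEBUG', true );
//define( 'DISALLOW_FILE_EDIT', true );
define( 'WP_AUTO_UPDATE_CORE', minor );
define('AUTH_KEY', 'put your unique phrase here');
define('NONCE_SALT', 'x9);k(2;Q');"""

def parse_defines(text):
    """Return (name, raw_value) for each define() on a non-commented line."""
    found = []
    for line in text.splitlines():
        if not line.lstrip().startswith(("//", "#", "/*", "*")):
            found += DEFINE_RE.findall(line)
    return found

def audit(text):
    """Return a list of findings for the body of one wp-config.php."""
    findings, values = [], {}
    for name, raw in parse_defines(text):
        if name in values:
            findings.append(f"{name}: defined twice, PHP keeps the first value")
        values.setdefault(name, raw)
        if re.fullmatch(r"(?!(?i:true|false|null)$)[A-Za-z_]\w*", raw):
            findings.append(f"{name}: unquoted word {raw}, fatal in PHP 8 if undefined")
    for name, want in EXPECTED.items():
        got = values.get(name, "not set")
        # Unset constants are flagged only where the cheatsheet wants true.
        if got.lower() != want and not (got == "not set" and want == "false"):
            findings.append(f"{name}: {got}, cheatsheet expects {want}")
    for name in SALTS:
        if PLACEHOLDER in values.get(name, PLACEHOLDER):
            findings.append(f"{name}: missing or still the placeholder")
    return findings
```

Run `audit()` on the contents of a copy of wp-config.php; an empty list means none of these checks fired.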

Stay safe and fast with the best setup for WP-config!

Optimizing your WP-config file is an essential step in enhancing your WordPress site’s performance and security. The options outlined in this article provide valuable tools to fine-tune your site to meet your specific requirements. By carefully configuring your WP-config file, you can enjoy a faster, more secure, and highly efficient WordPress website.

Remember to take backups before making any changes to your WP-config file, as this is a crucial component of your website’s functionality. And always test optimizations in a staging environment before applying them to a live site.

In this guide, we’ve provided a detailed walkthrough of various WP-config optimizations and explained how to edit this important file through your hosting panel or FTP. By implementing these optimizations, you can unlock the full potential of your WordPress website.
