WP-Config: WordPress settings

Last Revised: October 2, 2021

The WordPress configuration file [wp-config.php] hides many features that help improve the security and performance of the system. Do you know all the possibilities it offers you?

NOTE: There are specific articles for the security constants of Cookies and Security Keys.

These elements don’t have to always be in your settings. You simply have to keep in mind that they exist and use them according to your needs. By default, if you don’t add them, they already include certain features and settings.


WordPress Cache (WP_CACHE)

To learn more about this element, please visit the page on Caché.

Memory Limit (WP_MEMORY_LIMIT)

By default WordPress, in simple installation, is configured to consume a maximum of 40MB and in the case of a MultiSite of 64MB; but it is possible that on occasion you receive a message like “Allowed memory size of xxxxxx bytes exhausted” due to the consumption of the template or plugins. In these cases you can modify the maximum amount of memory that each load can use.

define( 'WP_MEMORY_LIMIT', '128M' );

As a general rule, a maximum of 128 MB should be more than enough to work. In case of having very powerful servers with a lot of RAM, and having some complex installation, such as a bbPress, a WooCommerce or similar, you could increase it more.

define( 'WP_MEMORY_LIMIT', '256M' );

Going beyond 256 MB would not be a good option, since it would mean that there is some underlying problem that is making your WordPress worse.

Max Memory Limit (WP_MAX_MEMORY_LIMIT)

In the case of the admin panel, the tasks that are executed can be much more complex and heavy. This is why in the internal case, memory can be increased to different levels.

define( 'WP_MAX_MEMORY_LIMIT', '256M' );

In general, even if it is a complex installation, the administration panel should never exceed the figure of 256 MB.


Disable Plugins and Themes Editors (DISALLOW_FILE_EDIT)

To learn more about this element, please visit the page on File Editing.


To learn more about this element, please visit the TLS Certificate page.


To learn more about this element, please visit the TLS Certificate page.


By default WordPress comes with a high security measure when adding HTML code in posts, comments and other spaces. This system, for example, would avoid the possibility of using the tag <script> that could be adversely affected by XSS attacks.

Even so, this filter can be removed and that all users of the platform have the possibility to include the HTML code they want.


Allow Unfiltered uploads (ALLOW_UNFILTERED_UPLOADS)

To learn more about this element, please visit the page on Upload files without filter.


To learn more about this element, please visit the page on External Servers.

Manage Accessible Hosts (WP_ACCESSIBLE_HOSTS)

To learn more about this element, please visit the page on External Servers.


Disable Automatic Updates (AUTOMATIC_UPDATER_DISABLED)

To learn more about this item, please visit the Automatic Updates page.

Disable Core Updates (WP_AUTO_UPDATE_CORE)

To learn more about this item, please visit the Automatic Updates page.

Disable Plugins and Themes Install and Updates (DISALLOW_FILE_MODS)

To learn more about this element, please visit the page on File Editing.


As a general rule, WordPress knows how to find the option to update itself, or plugins and templates without having to tell you how to do it. But sometimes there are complex installations or servers in which there is some limitation or configuration different from the usual and therefore WordPress will ask for the accesses to be able to make the necessary changes.

If you are in these cases, so as not to have to give access to anyone or yourself not to have to be configuring them every time you ask for them, you can incorporate the data directly into the configuration file.

FS_METHOD indicates which method will be used to perform the update: “direct” (PHP Direct File I/O), “ssh2” (SSH PHP Extension), “ftpext” (FTP PHP Extension for FTP Access) or “ftpsockets” (PHP Sockets Class for FTP Access).
FTP_BASE is the absolute path of WordPress installation.
FTP_CONTENT_DIR is the absolute path of the [wp-content] folder.
FTP_PLUGIN_DIR is the absolute path of the plugins folder.
FTP_PUBKEY is the absolute path of the SSH public key folder.
FTP_PRIKEY is the absolute path of the SSH private key folder.
FTP_USER is the FTP or SSH user.
FTP_PASS is the password for the user. If you use SSH key it can be ignored.
FTP_HOST is the hostname:access port combination (FTP or SSH). The default FTP port is 21 and in SSH it is 22.
FTP_SSL (true / false) depending on the ssl support connection. This is not for SFTP.

define( 'FS_METHOD', 'ftpext' );
define( 'FTP_BASE', '/path/to/wordpress/' );
define( 'FTP_CONTENT_DIR', '/path/to/wordpress/wp-content/' );
define( 'FTP_PLUGIN_DIR ', '/path/to/wordpress/wp-content/plugins/' );
define( 'FTP_PUBKEY', '/home/username/.ssh/id_rsa.pub' );
define( 'FTP_PRIKEY', '/home/username/.ssh/id_rsa' );
define( 'FTP_USER', 'username' );
define( 'FTP_PASS', 'password' );
define( 'FTP_HOST', 'ftp.example.org' );
define( 'FTP_SSL', false );


Post Auto save interval (AUTOSAVE_INTERVAL)

By default, WordPress automatically saves the contents that are written in an entry every 60 seconds. If you are one of those who writes slowly, you can increase the time, or if you are one of those who is afraid of losing the last sentence you can reduce it.

define( 'AUTOSAVE_INTERVAL', 30 ); // segundos

Empty Trash Days (EMPTY_TRASH_DAYS)

To learn more about this item, please visit the page on Old Copies.

Disable Post Revisions and Revisions Max Count (WP_POST_REVISIONS)

To learn more about this item, please visit the page on Old Copies.

Localization / Languages

WordPress Language (WPLANG)

What is the default language of your WordPress installation? Although it can currently be configured from the admin panel, you can force the language directly from the configuration file.

define( 'WPLANG', 'es_ES' );

WordPress Language Directory (WPLANG_DIR)

If you want to change the path where the default translation files are located, you can do so with another path.

define( 'WP_LANG_DIR', dirname(FILE) . '/wordpress/languages' );

Timelines / Scheduled Tasks

Disable Cron (DISABLE_WP_CRON)

By default WordPress runs a scheduled task system every time a page loads. On high-traffic sites this can block the loading many times of the same execution, and it might be interesting maybe to take it out of the software system and pass it on to something like the WP-CLI. In these cases we can deactivate the crones if we execute them in another way.

define( 'DISABLE_WP_CRON', true );

Alternate Cron (ALTERNATE_WP_CRON)

Crones run asynchronously by default, and this can sometimes be a problem. Although this option is not highly recommended, activating this system will cause a user to load an intermediate page through a redirect and be sent back to the visited page, so that it launches the cron.

define( 'ALTERNATE_WP_CRON', true );

Cron Lock Timeout (WP_CRON_LOCK_TIMEOUT)

Usually the chronos run once a minute, but you may want the system not to overload since you do not have so many tasks to perform and spend that minute to 5 minutes.

define( 'WP_CRON_LOCK_TIMEOUT', 300 ); // segundos


Configure Multi Site (WP_ALLOW_MULTISITE)

With this constant you activate the WordPress MultiSite system that is incorporated into WordPress itself. This system allows you to manage with a single WordPress installation, multiple websites for multiple users.

define( 'WP_ALLOW_MULTISITE', true);

Sub Domain / Folder installs (SUBDOMAIN_INSTALL)

If you want your WordPress MultiSite site to work by subdomains you have to activate this opicón. Otherwise you will have to leave it off and it will work by folders. If you want to use your own domains, you must also activate the option.

define( 'SUBDOMAIN_INSTALL', true);

Domain Current Site (DOMAIN_CURRENT_SITE)

Since you’re going to have multiple websites, which one is going to be the main one? Here you will identify which hostname is going to be the one that uses the home page.


This will be the home folder of the main website. The root folder is usually used, so you shouldn’t change anything.


As you will have multiple sites, the numeric identifier of the initial site. it is usually 1.


Even if you have a network, one thing is the main site and another the main blog. If you want them to be different, you can use this identifier to change it.

$base = '/';
define( 'DOMAIN_CURRENT_SITE', 'mysite.example.com' );
define( 'PATH_CURRENT_SITE', '/' );
define( 'SITE_ID_CURRENT_SITE', 1 );
define( 'BLOG_ID_CURRENT_SITE', 2 );


Database Name (DB_NAME)

The name of the database. Provide your supplier or create it yourself.

Database Host (DB_HOST)

The hostname or IP address where the database server is located. If it is on the same machine you can usually use “localhost”.

Database User (DB_USER)

The user accessing the previous database.

Database Password (DB_PASSWORD)

The password for that database user.

Database Tables Prefix ($table_prefix)

The database prefix. To learn more about this element, please visit the page on Permissions to database.

Database Charset (DB_CHARSET)

The type of characters in which the information will be stored. As a general rule it is “utf8”, although if you need a site with more complex characters (Chinese, Japanese, Arabic …) you can use “utf8mb4”.

Database Collation (DB_COLLATE)

If you have selected a type of characters in the previous constant, with this you can specify the character set. The usual is “utf8_general_ci” or “utf8mb4_general_ci”.

define( 'DB_NAME', 'database_name_here' );
define( 'DB_USER', 'username_here' );
define( 'DB_PASSWORD', 'password_here' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8mb4' );
define( 'DB_COLLATE', 'utf8mb4_general_ci' );
$table_prefix = 'wp_';

Database Tables Auto Repair (WP_ALLOW_REPAIR)

If at any given time you have problems with access to the tables or they are corrupted, you can try to make them self-repair by loading the next identifier once. It should only be used exceptionally and once (if possible when the site is in maintenance mode and not accessible to many people).

define( 'WP_ALLOW_REPAIR', true );

Database Don’t upgrade Global Tables (DO_NOT_UPGRADE_GLOBAL_TABLES)

In those cases where you have tables with a large number of elements, such as a bbPress installation with many users, or installations that share the user table, you should prevent the automatic update and do it manually from one of the sites or in a controlled way.



Debug WordPress (WP_DEBUG)

Allows you to enable or disable the WordPress debugging mode. This system is very interesting and important to check that all the code works correctly, both with the compatibility of PHP, and with the functions that are no longer used (deprecated).

define( 'WP_DEBUG', true );

Debug Display (WP_DEBUG_DISPLAY)

Once you’ve turned on debug mode, you can configure whether you want error messages to be displayed on the screen. If this is the case (this system works well for example in staging mode) on the screen you would see the error messages in the place where they are generated.

define( 'WP_DEBUG_DISPLAY', true );

Debug Log (WP_DEBUG_LOG)

The same case as the previous point, but that will save the logs in [/wp-content/debug.log].

define( 'WP_DEBUG_LOG', true );

Script Debugging (SCRIPT_DEBUG)

If you need to analyze the JavaScript files, you can activate the debugging mode that will mainly change the use of the [.min.js] files to that of the [.js].

define( 'SCRIPT_DEBUG', true );

Save Database Queries (SAVEQUERIES)

This system allows you to store all the queries that are made on each loaded page. Keep in mind that when saved it has an impact on the performance of the site, so it should only be used in specific cases and preferably never in production.

define( 'SAVEQUERIES', true );

Later, if you want to show all the queries and their data, you can add this code in the [footer.php] of your template, so that being an administrator you can see that data.

if ( current_user_can( 'administrator' ) ) {
  global $wpdb;
  echo "<pre>";
  print_r( $wpdb->queries );
  echo "</pre>";

Concatenate JavaScript (CONCATENATE_SCRIPTS)

To make the administration panel work faster, the scripts are usually concatenated, so if you want to see in detail what happens, you have to deactivate this option to be able to correctly analyze each file separately.

define( 'CONCATENATE_SCRIPTS', true );


In case of being behind a proxy, WordPress is able to get behind a proxy-cache and only respond to certain elements.


It is the proxy host . The moment this hostname or IP is indicated, the system is automatically activated.


The port on which the proxy works. There is no default port, so this element is mandatory activation if used.


If your proxy has a username and password, here we should indicate the user.


If your proxy has a username and password, here we should indicate the password.


It prevents access and only allows these hosts access. This list can use “wildcards” with the character *.

define('WP_PROXY_HOST', '');
define('WP_PROXY_PORT', '8080');
define('WP_PROXY_USERNAME', 'mi_usuario');
define('WP_PROXY_PASSWORD', 'mi_CoNtra$n4');
define('WP_PROXY_BYPASS_HOSTS', 'localhost, www.example.com, *.wordpress.org');

Route changes

wp-content folder (WP_CONTENT_DIR/WP_CONTENT_URL)

If you want to change the [wp-content] folder to another place, you can use it by entering the new path. In the same way, you should indicate what the accessible public route will be.

define( 'WP_CONTENT_DIR', ABSPATH . 'wp-content' ); // no trailing slash, full paths only - WP_CONTENT_URL is defined further down
define( 'WP_CONTENT_URL', get_option('siteurl') . '/wp-content'); // full url - WP_CONTENT_DIR is defined further up


If you want to change the plugins folder, you can do so by indicating the new path, both physical and public.

define( 'WP_PLUGIN_DIR', WP_CONTENT_DIR . '/plugins' ); // full path, no trailing slash
define( 'WP_PLUGIN_URL', WP_CONTENT_URL . '/plugins' ); // full url, no trailing slash

In the same way we can change the paths of the “must-use” folders of the plugins that users cannot modify.

define( 'WPMU_PLUGIN_DIR', WP_CONTENT_DIR . '/mu-plugins' ); // full path, no trailing slash
define( 'WPMU_PLUGIN_URL', WP_CONTENT_URL . '/mu-plugins' ); // full url, no trailing slash


By default the WordPress MultiSite system creates its own folder structure. If you want to change it you can do it through these constants.

define( 'UPLOADBLOGSDIR', 'wp-content/blogs.dir' );
define( 'UPLOADS', UPLOADBLOGSDIR . '/' . $site_id . '/files/' );
define( 'BLOGUPLOADDIR', WP_CONTENT_DIR . '/blogs.dir/' . $site_id . '/files/' );

Miscellaneous elements

Trash for media (MEDIA_TRASH)

If you want that when deleting a multimedia element it is not deleted directly but that it goes to its own trash (by default deactivated), you can do it by activating the system that allows it.

define('MEDIA_TRASH', true);

Default template (WP_DEFAULT_THEME)

WordPress always has a template at its core, by default the last one that is released by the team. If you want another template to be activated by default (or for example if your template is deleted unintentionally), you can indicate the slug you want to put by default.

define( 'WP_DEFAULT_THEME', 'twentysixteen' );

Minimum core load (SHORTINIT)

Sometimes you can use WordPress as a management core, but not with all the necessary elements to put it publicly. If you want to load a reduced version that allows you to use the power (for example for a BackPress-based system) you can activate a quick and minimum start.

define( 'SHORTINIT', true );

Bundle Upgrade

WordPress usually incorporates a series of templates and plugins by default when the initial installation is done or when there is a major version change. If you are one of those who removes the default templates and do not want them to be added again with a new version, you can block it.


Feeds / RSS

WordPress includes a number of features for external reading of RSS/Atom feeds. This configuration causes that by default elements are cached so that the load is not executed for each user visit. But these elements can be modified.

Enable cache (MAGPIE_CACHE_ON)

define('MAGPIE_CACHE_ON', true);

Cache Directory (MAGPIE_CACHE_DIR)

define('MAGPIE_CACHE_DIR', './cache');


define('MAGPIE_CACHE_AGE', 3600); // 3600 segundos


define('MAGPIE_CACHE_FRESH_ONLY', false);

Debugging Feed Reading (MAGPIE_DEBUG)

define('MAGPIE_DEBUG', true);

Set the User-Agent (MAGPIE_USER_AGENT)

define('MAGPIE_USER_AGENT', 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0');


define('MAGPIE_FETCH_TIME_OUT', 5); // 5 segundos

Useo de gzip (MAGPIE_USE_GZIP)

define('MAGPIE_USE_GZIP', true);

Seguir con Seguridad para WordPress

About this document

This document is regulated by the EUPL v1.2 license, published in WP SysAdmin and created by Javier Casares. Please, if you use this content in your website, your presentation or any material you distribute, remember to mention this site or its author, and having to put the material you create under EUPL license.