Cause: The database credentials in wp-config.php are wrong, or the database server is down.
Fix: Check DB_NAME, DB_USER, DB_PASSWORD, and DB_HOST (sometimes it's localhost:3307 or a URL).
Change false to true to see PHP errors, notices, and warnings. Never do this on a live production site (it will show errors to visitors).
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true ); // Saves errors to /wp-content/debug.log
define( 'WP_DEBUG_DISPLAY', false ); // Hide errors on screen, only log them
Cause: You have spaces, newlines, or BOM characters before the opening <?php or after the closing ?>.
Fix: Remove the closing ?> tag entirely. Modern WordPress best practice is to omit it. wp config.php
To understand the power of wp-config.php, one must understand the WordPress loading sequence. When a user visits a WordPress site, the server executes index.php, which loads wp-blog-header.php. This immediately attempts to locate wp-config.php.
WordPress searches for the file in the following order: Cause: The database credentials in wp-config
If the file is not found, WordPress triggers the installation process (famous "5-minute install") to generate it.
Technical Note: Placing wp-config.php one directory above the web root (public_html) is a security best practice. If the web server configuration fails and exposes PHP files as plain text, the database credentials remain outside the publicly accessible web folder. Cause: You have spaces, newlines, or BOM characters
By default, WordPress saves every change you make. To save database space:
define( 'WP_POST_REVISIONS', false );
// Or limit to 3 revisions:
define( 'WP_POST_REVISIONS', 3 );
| Do ✅ | Don't ❌ |
|-------|---------|
| Set file permissions to 600 or 640 | Leave it readable by everyone (644 or 666) |
| Move it one directory above web root if possible | Commit it to public GitHub repos |
| Use unique, long salts from WordPress.org salt generator | Hardcode credentials in multiple places |
| Keep a secure backup with credentials | Edit it with plain-text-unaware editors that add BOM |
For security, WordPress automatically updates minor core versions. This can be configured for major updates or disabled entirely.
define( 'WP_AUTO_UPDATE_CORE', true ); // Major and Minor updates
define( 'WP_AUTO_UPDATE_CORE', 'minor' ); // Default behavior
define( 'WP_AUTO_UPDATE_CORE', false ); // Disable all core updates