wp-config.php Generator

Fill in your database credentials, choose a table prefix and download a complete, hardened wp-config.php with fresh salts and security constants pre-configured.

Fresh salts · Custom table prefix · DISALLOW_FILE_EDIT · FORCE_SSL_ADMIN · Debug off · Downloadable file

Security constants included

Constant | Value | Effect
DISALLOW_FILE_EDIT | true | Disables Appearance → Theme Editor and Plugins → Editor in wp-admin
DISALLOW_FILE_MODS | true | Blocks plugin and theme installation, updates and deletion from wp-admin
FORCE_SSL_ADMIN | true | Forces wp-admin and wp-login.php over HTTPS regardless of request URL
WP_DEBUG | false | Suppresses PHP error output (file paths, credentials) from public display
WP_AUTO_UPDATE_CORE | true | Enables automatic minor security updates (e.g., 6.4.1 → 6.4.2)
WP_POST_REVISIONS | 5 | Limits stored post revisions to 5 (reduces database bloat)

Frequently asked questions

What is wp-config.php and why is it important?

wp-config.php is the core configuration file for every WordPress installation. It contains the database connection credentials, security keys and salts, the table prefix, the debug mode and advanced constants for caching, file editing and SSL. Because it contains database credentials, it is a high-value attack target, so hardening its contents and permissions is a foundational security step.

What security constants should I add to wp-config.php?

Key constants:
DISALLOW_FILE_EDIT (true): disables theme/plugin file editing in wp-admin
DISALLOW_FILE_MODS (true): blocks plugin/theme installation from wp-admin (only safe if you can update via SFTP)
FORCE_SSL_ADMIN (true): forces HTTPS on all admin pages
WP_DEBUG (false): hides file paths and errors from public display
WP_AUTO_UPDATE_CORE (true): enables automatic minor security updates

Should I move wp-config.php out of the WordPress root?

WordPress automatically looks one directory above the root (e.g., if WordPress is at /public_html/, it checks /wp-config.php). Moving the file one level up keeps it outside the web-accessible directory. This is supported natively, so no code changes are needed. It may not provide additional protection on subdirectory installs or certain hosting configurations.

What file permissions should wp-config.php have?

Use 640 or 600. 600 (owner read/write only) is the most restrictive; use it when WordPress and the web server run as the same user. Use 640 (group read) when the web server user is different from the file owner. Never use 644 (world-readable): on shared hosting any user can read your database credentials. Set it with: chmod 640 wp-config.php
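
To check an existing file against both the security constants listed above and the 600/640 permission rule, the following audit script is an added example, not code from this generator. The function name audit_wp_config and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the generator's code): audit a wp-config.php against the
# constants table and the 600/640 permission rule described on this page.
# audit_wp_config is a hypothetical helper; it returns the number of findings.
audit_wp_config() {
    file=$1
    findings=0
    [ -f "$file" ] || { echo "MISSING $file"; return 1; }

    # File mode: GNU stat first, BSD/macOS stat as the fallback.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case $mode in
        600|640) ;;
        *) echo "PERMS mode is $mode, expected 600 or 640"
           findings=$((findings + 1)) ;;
    esac

    # NAME:VALUE pairs from the page. Only define() calls that start a line
    # count, so "// define(...)" is ignored; /* ... */ blocks are not parsed.
    for pair in DISALLOW_FILE_EDIT:true DISALLOW_FILE_MODS:true \
                FORCE_SSL_ADMIN:true WP_DEBUG:false WP_AUTO_UPDATE_CORE:true; do
        name=${pair%%:*}
        want=${pair#*:}
        re="^[[:space:]]*define\([[:space:]]*['\"]${name}['\"][[:space:]]*,[[:space:]]*${want}[[:space:]]*\)"
        if ! grep -Eiq "$re" "$file"; then
            echo "CONST $name is not defined as $want"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample: debug on, file editing not disabled, world-readable.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
define( 'WP_DEBUG', true );
define( 'FORCE_SSL_ADMIN', true );
define( 'WP_AUTO_UPDATE_CORE', true );
EOF
chmod 644 "$sample"
audit_wp_config "$sample" || echo "findings: $?"
rm -f "$sample"
```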
