wp-config.php Generator Tool Online

Last updated:

Generate a complete WordPress wp-config.php file with database settings, fresh browser-generated salts, and practical hardening constants. Your credentials stay private because everything runs client-side.

Privacy note: this wp-config.php generator runs entirely in your browser. Nothing is submitted, stored, or logged.

WordPress settings

Recommended hardening constants

Generated wp-config.php

How the wp-config.php Generator Works

This tool creates a WordPress configuration file without sending any data off your device:

  1. Enter database settings, add the database name, username, password, host, table prefix, and charset from your hosting account.
  2. Generate secure salts, the browser creates fresh 64-character WordPress keys and salts using cryptographic randomness.
  3. Choose hardening constants, enable admin SSL, disable dashboard file editing, control core updates, and keep debug output off.
  4. Copy the full file, paste it into wp-config.php in the WordPress root directory.
  5. Test safely, verify the site connects to the database before deleting backups or moving to production.

Why wp-config.php Security Matters

The wp-config.php file is one of the most sensitive files in a WordPress installation. It contains credentials, keys, salts, and constants that influence security posture and update behavior.

  • Authentication protection, fresh salts invalidate predictable cookie signatures and help secure logins.
  • Credential hygiene, clean configuration reduces accidental use of placeholder values or weak table prefixes.
  • Admin hardening, disabling file edits and forcing admin SSL reduce common compromise paths.
  • Migration readiness, auditing configuration is useful before maintenance, redesigns, or WordPress to Astro migrations.

If WordPress maintenance, plugins, and hosting performance are becoming a burden, compare your options with our website speed optimization guide and Astro framework guide.

Recommended WordPress Hardening Constants

These constants are practical defaults for many production WordPress sites. Confirm compatibility with your hosting workflow before deploying.

ConstantPurpose
DISALLOW_FILE_EDITDisables the theme and plugin code editor in wp-admin.
WP_AUTO_UPDATE_COREAllows WordPress core updates, depending on your selected value.
FORCE_SSL_ADMINRequires HTTPS for admin sessions and login screens.
WP_DEBUGKeeps debug notices hidden on production when set to false.
DB_CHARSETDefines the database character set, usually utf8mb4 for modern installs.
$table_prefixSets the WordPress table prefix for this installation.

A secure wp-config.php file is one part of WordPress hardening. Keep plugins minimal, update regularly, use strong hosting, and consider a static architecture when performance and attack surface matter most.

Key wp-config.php Settings Reference

These are the constants and variables most worth knowing when configuring WordPress. Each is defined in wp-config.php above the line that requires wp-settings.php. Confirm values against your hosting environment before deploying to production.

Setting Purpose Example
WP_DEBUGToggles debug output; keep false in productiondefine( 'WP_DEBUG', false );
DISALLOW_FILE_EDITDisables the theme and plugin editor in wp-admindefine( 'DISALLOW_FILE_EDIT', true );
FORCE_SSL_ADMINForces HTTPS for admin and login sessionsdefine( 'FORCE_SSL_ADMIN', true );
WP_MEMORY_LIMITSets the PHP memory limit for front-end requestsdefine( 'WP_MEMORY_LIMIT', '256M' );
AUTOSAVE_INTERVALSeconds between automatic draft saves (default 60)define( 'AUTOSAVE_INTERVAL', 300 );
WP_POST_REVISIONSCaps stored revisions per post; false disables themdefine( 'WP_POST_REVISIONS', 5 );
Authentication keys & saltsEight unique random values that secure cookies and sessionsdefine( 'AUTH_KEY', '...64 random chars...' ); (plus 7 more)
Table prefixPrefix for all database tables; change from wp_ to reduce attack noise$table_prefix = 'wp_';

Configuring wp-config.php correctly is just the start, WordPress stays secure only when it is updated, backed up, and monitored. Our WordPress website maintenance services handle core, theme, and plugin updates, security hardening, and uptime monitoring so your configuration stays safe over time.

Next steps

wp-config.php Generator related tools and articles

Continue with the closest follow-up checks and guides based on this tool's topic, crawl intent, and optimization workflow.

wp-config.php Generator: FAQ

What does the generated wp-config.php include?
It includes database name, user, password, host, charset, an empty DB_COLLATE value, eight keys and salts, the table prefix, selected hardening constants, ABSPATH setup, and the wp-settings.php include. It does not merge custom constants from an existing file.
How are the authentication keys and salts created?
Your browser uses crypto.getRandomValues to generate eight independent 64-character values. Regenerate them for a new output, but replacing salts on a live site will invalidate existing login cookies and sign users out.
Does the generator validate my database credentials?
No. It escapes backslashes and single quotes for the PHP strings but does not connect to the database or verify the host, credentials, charset, permissions, or server-specific socket and port syntax.
How is the database table prefix sanitized?
Characters other than letters, digits, and underscores are removed, and a trailing underscore is added. On an existing site, changing only this value without renaming every related database table will break the connection to the current content.
Should I enable every hardening checkbox?
Review each one for the environment. File editing is commonly disabled in production, core auto-updates need a tested update policy, FORCE_SSL_ADMIN requires working HTTPS, and WP_DEBUG should normally remain false on a public production site.
Can I replace an existing wp-config.php with this output?
Do not replace it blindly. Back up the site and compare the files because an existing configuration may contain environment variables, proxy HTTPS handling, multisite settings, memory limits, custom paths, or hosting-specific directives this generator does not include.
Where should I place and protect the generated file?
WordPress normally reads wp-config.php from the installation root or one directory above it. Transfer it securely, use restrictive permissions appropriate to the host, keep it out of public repositories and support messages, and verify the site before removing the backup.
Are database credentials or salts sent to WebAloha?
No. Generation, regeneration, editing, and copying happen in your browser. The values are not submitted by this tool, though they can still enter your clipboard history or be exposed by local browser extensions and screen sharing.

Free 48-Hour Website Audit

Not sure what to fix first on your own website? We'll review it and tell you, in plain English. Free & non-obligatory.

Thinking About Leaving Slow WordPress Hosting?

We migrate WordPress sites to fast, secure Astro builds with cleaner maintenance and stronger Core Web Vitals.