Each parameter in the Site administration menus can be configured via config.php. If a value has been set via this method, it is effectively hard-coded and cannot be changed via the Moodle interface, not even by the administrator.

For example, you might want to make sure that an administrator does not, even by accident, turn on HTTPS for logins. Activating this would lock everybody out of the site if no SSL certificate is installed. To do this, enter the following line in config.php:

$CFG->loginhttps=false;

How do you know what the parameter is called? Go to the respective setting in Moodle (in this case Security | HTTP security) and you will see the name of the parameter underneath the label.

If the value is specified in config.php, Moodle will display Defined in config.php beside the parameter, which indicates that the setting cannot be changed by the user. Invalid values are also shown for these hard-coded settings. In the following screenshot, the Debug messages value is incorrect while the Display debug messages value is correct:

If you wish to force plugin settings, you have to put them in a special array called forced_plugin_settings (see the reference to optional parameters later).