PHP Security Directive: Your Website is Showing PHP Errors

With the display_error PHP configuration directive enabled, untrusted sources can see detailed web application environment error messages which include sensitive information that can be used to craft further attacks. Attackers will do anything to collect information in order to design their attack in a more sophisticated way to eventually hack your website or web application, and causing errors to display is a common starting point. Website errors can always occur, but they should be supressed from being displayed back to the public.Examples of common information revealed in errors are path locations — which expose the main directory path (webroot) of your website, or source code debugging errors which could reveal vulnerabilities that could be exploited to gain illegal access to the site. By studying path locations, an attacker can visualize how your website is designed and structured, and make assumptions on where critical files are stored and how to retrieve them in order to break any security mechanisms to eventually gain full control of the website or application, create malware links, and land your site on the Google Blacklist.


There are many options in the configuration settings of PHP for configuring errors and their behavior (when to show up). PHP errors are enabled in order to let the developer understand the cause of a problem how to get it fixed. However, it is highly recommended to turn PHP errors off on production websites in order to avoid leakage of important information. In case something is not working as it should or as expected, you should contact your developer and let them know of the issue.

After resolving the issue that caused the PHP error, it is highly recommended to disable displaying of errors on production — or live — websites. You can disable display_errors from your site’s php.ini, from the PHP code itself or from the .htaccess as follows:

display_errors = ‘off’
log_errors = ‘on’

php_flag display_errors off
php_flag log_errors on

Turn off error reporting using PHP code in your PHP website

 error_reporting(0); // Turn off all error reporting
Share this post
  • Very useful post. Any idea where I find these files to change them? Thanks

    • Hi Andrew,

      Thank you for showing interest in our online service. The php configuration files are usually stored in different directories, depending on the configuration of your hosting provider. I would recommend you to contact our support on and give them all the details. They will help you solve your issue.

  • i inserted this:

    php_flag display_errors off
    php_flag log_errors on

    in .htaccess but i have internal error server.

    i can’t unfortunately modify my php due to hosting restrictions.

    what shall i do?


    • Hi Matteo,

      Try to contact the hosting provider maybe he will do the change for you. After all it is of no harm. If you still have queries, try posting on our forums. There might be someone in the community who might know more;

  • Php.ini of my site contains
    display_errors =’off’;
    log_errors = ‘on’;
    but WebsiteDefender tells me the problem always

  • Problem solved by adding

    ini_set(‘display_errors’, ‘off’);

    in wp-config.php

    • Hi Gerard,

      Glad you solved the issue and thank you for showing interest in our product.

      If you have any further queries, please submit them to our WebsiteDefender forums.

  • Hi,

    I’m running WSD as well as BulletProof Security, AND still getting this error.
    The problem(?) is that BPS makes it difficult to access htaccess, etc…

    Am I still at risk, or is this warning overkill?


    • Hi Ken,

      Check the comments further up. You can assure yourself it is working by adding a directive in the wp-settings.php.

      For further queries please post on our WebsiteDefender Forums.

  • Hi Robert –

    Thanks for supplying this info and your help! I am not sure if you can answer this – I realize all WordPress themes are different… With that said, when you stated:

    Turn off error reporting using PHP code in your PHP website

    Is there a good place to put this? Does it need to go on ALL pages, or just one?

    It seems as if one of the solutions
    display_errors = ‘off’
    log_errors = ‘on’

    php_flag display_errors off
    php_flag log_errors on

    would be better than the php solution.

    Is it overkill to include both, or is one better than the other.

    Thanks again!

    Be Well.

    • Hi Paul,

      Thank you for the positive comments.

      Such code should be present on all pages, so in that case the best place to put it is in the header file of the theme.

  • Some servers run PHP in “CGI mode” as recommended by the PHP developers (not as an Apache module), so you can’t use “php_value” or “php_flag” commands in .htaccess files. If you try to do so, you’ll see an “internal server error” message.

    You can modify your php.ini file to get the same effect, though. In fact, modifying php.ini is actually more flexible than using php_value or php_flag: there are many things you can’t override using .htaccess files, but you can override almost any PHP setting in the php.ini file. If you don’t have access to PHP.ini, you can add the line below to your wp-config.php file.

    <?php <—(Paste the code below after this line in wp-config.php)

    Hope this helps

  • Hi,

    I am new to WordPress, and I really like WebsiteDefender. I am still having an issue with this.

    I have tried different things to fix the php errors showing, but when I try to change some files, I can not log in, or all I get are php errors across the screen.

    If someone can let me know if I have this correct:

    In the .htaccess file, this code goes in there:

    php_flag display_errors off
    php_flag log_errors on

    In the php.ini file, this code goes in there:

    (I do not see this file. Can someone let me know where this is?)

    display_errors = ‘off’
    log_errors = ‘on’

    <?php <—(Paste the code below after this line in wp-config.php)

    So the correct way is if all 3 of these files are changed, the issue should go away and I should have a green check mark. Correct?

    Thanks a bunch!


    • Hi Jen,

      Thank you for showing interest in our service.

      You do not need to edit 3 files, but only apply the changes to one of them. Depending if you are hosting your WordPress on your own server, or if it is a hosted solution you apply the recommended fix. Please note that these are generic recommendations but unfortunately do not apply to everyone because many different hosting providers have different settings etc. I would recommend you to ask the hosting provider about this.

      Do not hesitate to contact us in case of any further queries.

  • So, which code is proper?
    What is difference between them?

  • error_reporting(0);



    • HI Przepisy,

      It depends on what your hosting provider supports. Both codes are fine, you should try one, see if it works and if not try the other.

  • Thanks Bobby,

    Feb 21st comment, put this into wp-config.php rather than fiddle around in .htaccess and it appear to have sorted out the warning I was receiving.

  • Hi Robert,

    How about this code?

    define('error_reporting', false);
    ini_set('display_errors', false);

    Is the code above correct?

    • Hi Arie,

      Yes it should be correct if inserted in the actual website code. Ideally you should make it in the header file so it applies to all pages being loaded.

  • I have tried all three changes alone and in different combinations but your scanner still says the problem is not fixed. What should I do now.


  • @Bobby

    Thanks for the code and exact location to insert it! It works perfectly

    <?php <—(Paste the code below after this line in wp-config.php)

    Once again Thanks!

  • When I look at my .htaccess file, this is all there is:

    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index.php$ – [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    # END WordPress

    Where am I supposed to put:
    php_flag display_errors off
    php_flag log_errors on

    • Hi Michael,

      You can put them after the line #END WordPress

  • Forgot to mention, I can not see my php.ini file. So I am guessing my host restricts access to this.

    • Hi Michael,

      Unfortunately many hosting providers hide php.ini from their customers. In this case I would recommend you to drop them an email to make the change for you or apply such change in the .htaccess file.

  • Hey,

    been having this issue, and fooling around with php code without really knowing what I’m doing wasn’t fun, but, found a super simple way to fix this myself.

    Now, this likely only applies if you’re using HostGator, but if so, go to Cpanel –> Software/Services –> click on ‘php.ini Quick Config’ –> click enable QuickConfig –> then scroll down to the display_errors section and click the ‘off ‘ radio button, since the on button was clicked in my case. Then click save settings, and voila! Done, and didn’t need to know any php code either.

    I should note that before I did this, I called HostGator support and got them to add the php.ini to my home directory so I could try to change the code myself, but really not sure if this step is necessary or not, since I didn’t do anything to php.ini other that what I mentioned above. I’m also on a shared server.

    Hope this helps another non-programmer guy out there who’s using HostGator fix this.

    • Hi Christian,

      Very helpful answer for everyone. Thank you for sharing. Most hosting providers use the same settings and software, so this change should apply to all.

  • Hi,
    My site is in oscommerce 2.2 rc2a.
    Where I can find those files php.ini and .htaccess?
    Many thanks for your help.

    • Hi Claudio,

      Irrelevant of what CMS solution you are using, the php.ini file typically resides in a non web directory and you can modify it from your hosting provider’s cpanel. As regards the .htaccess file, typically there is one in the root directory of your website. If there isn’t one, you should create one. Though make sure you use directives that do not conflict with oscommerce. I would recommend you to refer to their documentation for more information.

  • thx for your tutorial!!! I lenaerd alot! has the series of PHP Forum tutorial finished? or few more lessons? I watched all the tutorial in your websites!Thanks for your sharing and time!!! WE really appreciate it!

  • Leave a Reply

    Your email address will not be published.