WordPress Security Tips Part 10 – Secure Your Debug Logs

During development of plugins or themes, as well as during deployment of a WordPress site, developers or system administrators may enable debug logs to log any PHP errors that occur.

WordPress makes use of the WP_DEBUG constant which is defined in wp-config.php. The constant is used to trigger the debug mode throughout WordPress. The constant is set to be false by default.

Developers and administrators may also enable the WP_DEBUG_LOG and WP_DEBUG_DISPLAY companion constants to WP_DEBUG. WP_DEBUG_LOG creates a log file in the wp-contents folder, while WP_DEBUG_DISPLAY controls whether debug messages are shown inside the HTML of pages or not.

Any of the above will be useful while a theme, plugin or site is in development, however, if enabled on a production website, it might cause information disclosure – allowing malicious users to view errors and additional logging information. The WP_DEBUG constant should be disabled on production systems by either removing the constant from the wp-config.php file, or setting it to false as follows.

define( 'WP_DEBUG', false );

Read the entire article on How to prevent a WordPress hack

Share this post
Ian Muscat

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.