Every time I need to view a WordPress debug log, I get a little belly-side security loophole cringe. Whether it causes a security issue depends entirely on what information you stuff into it, but the risk is easy to mitigate entirely by storing (and writing to) the file outside of your document root. It drives me bat-shit crazy that anyone with a browser can simply navigate to the blatantly accessible file and view its contents.
In writing this post I searched a few high-profile WordPress sites and found a few debug logs in the mix. Most of them returned with 404s, but I did find a few. No juicy debug information though, but I only spent like five minutes looking.
Anyways, I digress.
So, for some time now I’ve been implementing on any of my client websites the following solution to move the debug log to a safer, inaccessible location.
In your wp-config.php add the following:
```php
define('WP_DEBUG', true);
if ( WP_DEBUG ) {
    // turn off wordpress debug (otherwise it will override)
    define( 'WP_DEBUG_LOG', false );

    // specify new safe path
    $path = realpath( $_SERVER["DOCUMENT_ROOT"] . '/..' ) . '/wp-logs/debug.log';

    // enable php error log
    @ini_set( 'log_errors', 'On' ); // enable or disable php error logging (use 'On' or 'Off')
    @ini_set( 'error_log', $path );
}
```
A few notes:
- All of this code assumes you have access to your server's root filesystem. Check with your host if you’re unsure.
- The code in its current form assumes that the folder and file already exist.
- If nothing is being written to the file after these changes, you may need to adjust the permissions of the folder and file once created.
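The notes above leave creating the folder and file, and getting their permissions right, to you. As an added example (not code from the original post), this shell sketch creates `wp-logs/debug.log` beside the document root, refuses a location that resolves back inside it, and lists any `debug.log` still left under the web root. The function names and the 750/640 modes are assumptions, and it presumes PHP runs as the file owner.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and modes are assumptions.
# Usage: prepare_wp_log_dir /path/to/document_root

# Create <parent of docroot>/wp-logs/debug.log and print its resolved path.
prepare_wp_log_dir() {
    # Resolve symlinks so the containment check below compares real paths.
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "document root not found: $1" >&2; return 2; }
    logdir="$(dirname "$docroot")/wp-logs"

    mkdir -p "$logdir" || { echo "cannot create $logdir" >&2; return 3; }
    resolved=$(cd "$logdir" && pwd -P) || return 3

    # A symlinked wp-logs could point back under the web root; refuse that.
    case "$resolved/" in
        "$docroot"/*) echo "$logdir resolves inside $docroot" >&2; return 4 ;;
    esac

    # Assumed modes: PHP runs as the owner; other users cannot read the log.
    chmod 750 "$resolved" || return 3
    [ -e "$resolved/debug.log" ] || : > "$resolved/debug.log" || return 3
    chmod 640 "$resolved/debug.log" || return 3
    printf '%s\n' "$resolved/debug.log"
}

# List any debug.log still sitting under the document root, e.g. the
# default wp-content/debug.log left behind from before the move.
find_exposed_logs() {
    find "$1" -type f -name 'debug.log' -print
}
```

Anything `find_exposed_logs` prints is still reachable from a browser and should be deleted or moved once the new location is in use.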
And for a bonus I use the following awesome function to write to said log file. Compliments of Stu Miller.
```php
if ( ! function_exists( 'write_log' ) ) {
    function write_log( $log ) {
        if ( true === WP_DEBUG ) {
            if ( is_array( $log ) || is_object( $log ) ) {
                error_log( print_r( $log, true ) );
            } else {
                error_log( $log );
            }
        }
    }
}
```
Thanks for this tip. I like putting the stuff in an if statement. I made mine a little simpler though, and don’t need a writing function.
`logs` is a preexisting folder on my system with permissions 700. I put a blank `debug.log` in it with permissions 644.
```php
define('WP_DEBUG', false); // set true
if ( WP_DEBUG ) {
    define('WP_DEBUG_LOG', '../logs/debug.log' );
    define('WP_DEBUG_DISPLAY', false); // don't display errors on pages
    @ini_set( 'display_errors', 0 );
}
```