Move Your Damn WordPress Debug Log so It’s Not Accessible via HTTP


Every time I need to view a WordPress debug log, I get a little belly-side security loophole cringe. Whether it causes a security issue depends entirely on what information you stuff into it, but it’s so easy to mitigate this risk entirely by storing (and writing to) the file outside of your document root. It drives me bat-shit crazy that anyone with a browser can simply navigate to the blatantly accessible file and view its contents.

In writing this post I searched a few high profile WordPress sites and found a few debug logs in the mix. Most of them returned with 404s, but I did find a few. No juicy debug information though, but I only spent like five minutes looking.

Anyways, I digress.

So, for some time now I’ve been implementing on any of my client websites the following solution to move the debug log to a safer, inaccessible location.

In your wp-config.php add the following:

define( 'WP_DEBUG', true );
if ( WP_DEBUG ) {

	// turn off the WordPress debug log (otherwise it will override the path below)
	define( 'WP_DEBUG_LOG', false );

	// specify new safe path, one level above the document root
	$path = realpath( $_SERVER['DOCUMENT_ROOT'] . '/..' ) . '/wp-logs/debug.log';

	// enable PHP error logging (use 'On' or 'Off') and point it at the new path
	@ini_set( 'log_errors', 'On' );
	@ini_set( 'error_log', $path );
}

A few notes:

  • All of this code assumes you have access to your server’s root filesystem. Check with your host if you’re unsure.
  • The code in its current form assumes that the folder and file already exist.
  • If nothing is being written to the file after these changes, you may need to adjust the permissions of the folder and file once created.
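
The notes above say the folder and file must already exist with workable permissions. As an added example (not from the original post), this shell function creates them next to the document root and refuses any location that resolves inside it. The function names and the 750/640 modes are assumptions, and it assumes the script runs as the same user PHP runs as.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the 750/640
# modes are assumptions; the wp-logs/debug.log layout is the post's.

# Return 0 if file $1 resolves outside directory $2, 1 if inside, 2 on error.
# pwd -P resolves symlinks, so a wp-logs symlink pointing back into the
# document root is caught as well.
is_outside_docroot() {
    log_parent=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || return 2
    root=$(cd "$2" 2>/dev/null && pwd -P) || return 2
    case "$log_parent/" in
        "$root"/*) return 1 ;;   # inside the document root: served over HTTP
        *)         return 0 ;;
    esac
}

# Create <parent of document root>/wp-logs/debug.log and print its path.
# Assumes it runs as the same user PHP runs as, so 640 stays writable for PHP.
prepare_wp_log() {
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "document root not found: $1" >&2
        return 2
    }
    logdir="$(dirname "$docroot")/wp-logs"
    logfile="$logdir/debug.log"

    mkdir -p "$logdir" || return 3
    [ -e "$logfile" ] || : > "$logfile" || return 3
    chmod 750 "$logdir" && chmod 640 "$logfile" || return 3

    if ! is_outside_docroot "$logfile" "$docroot"; then
        echo "refusing: $logfile resolves inside $docroot" >&2
        return 1
    fi
    printf '%s\n' "$logfile"
}

# Usage: prepare_wp_log /path/to/document-root
```

If PHP runs as a different user than the one running the script, adjust ownership or modes so that user can write to the file.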

And for a bonus I use the following awesome function to write to said log file. Compliments of Stu Miller.

if ( ! function_exists( 'write_log' ) ) {
	// write a string, array or object to the PHP error log when WP_DEBUG is on
	function write_log( $log ) {
		if ( true === WP_DEBUG ) {
			if ( is_array( $log ) || is_object( $log ) ) {
				error_log( print_r( $log, true ) );
			} else {
				error_log( $log );
			}
		}
	}
}

One comment on “Move Your Damn WordPress Debug Log so It’s Not Accessible via HTTP”
  1. dinkadonk says:

    Thanks for this tip. I like putting the stuff in an if statement. I made mine a little simpler though, and don’t need a writing function.
    `logs` is a preexisting folder on my system with permissions 700. I put a blank `debug.log` in it with permissions 644.
    define('WP_DEBUG', false); // set true
    if ( WP_DEBUG ) {
        define('WP_DEBUG_LOG', '../logs/debug.log' );
        define('WP_DEBUG_DISPLAY', false); // don't display errors on pages
        @ini_set( 'display_errors', 0 );
    }
