Block Access to WordPress’ debug.log

Debugging in WordPress can be very useful. Especially now that PHP 7.4 was released yesterday. WordPress has been known to be slow to bump the minimum PHP version, so it shouldn’t come as a surprise that plugin develops may have deprecated functions in there code, or could be using methods that might throw notices. When I am working on a plugin, feature or writing code in any PHP version I like to tail my error log. WordPress has a great article on this titled “Debugging in WordPress“.

Example wp-config.php for Debugging

The following code, inserted in your wp-config.php file, will log all errors, notices, and warnings to a file called debug.log in the wp-content directory. It will also hide the errors so they do not interrupt page generation.

// Enable WP_DEBUG mode
define( 'WP_DEBUG', true );

// Enable Debug logging to the /wp-content/debug.log file
define( 'WP_DEBUG_LOG', true );

// Disable display of errors and warnings
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', 0 );

// Use dev versions of core JS and CSS files (only needed if you are modifying these core files)
define( 'SCRIPT_DEBUG', true );

Adding the two constants WP_DEBUG and WP_DEBUG_LOG should be enough to allow WordPress to start writing to the debug.log file. By default this file is located in the wp-content directory which is great since it’s usually a writable directory, but bad since it’s also a publicly accessible directory. That means any one can just visit your site and append /wp-content/debug.log and potentially see log data that could be sensitive or completely irreverent. Regardless, it should be hidden from public view.

Prevent Access to Debug file

Many of my servers are running Apache via a proxy through NGINX. That means I can utilize htaccess rules.

Nginx proxies requests to a local instance of Apache so WordPress and PHP sites can leverage Apache’s advanced per-site configurability.

ServerPilot Features

So my htaccess file contains the following:

<Files "debug.log">
    Require all denied
    Require ip
    Require ip Your.Servers.IP.Address

This will restrict access to the log file to users whom try to access it directly, but allow the server access to it. Be sure to change “Your.Servers.IP.Address” to your servers IP address or IP pool. You can also utilize the Require host like so: Require host Note that the former and code above are for Apache 2.4. If you are running Apache 2.2, you will need to look up the appropriate code for denying access to files.

If you never plan to view your debug.log file from your server, you won’t need the Require ip or host lines. Those are only required if you are using a plugin that reads the debug log and shows it in the dashboard of your WordPress install. Either on a settings page or possibly a dashboard widget (the latter is what I have). This allow me to see if any plugin has a issue after updating or some new issue arrises after I update my PHP version. Which ServerPilot allows me to do with a single toggle 👍🏼.

Additional resources for blocking access to WordPress debug log