When WordPress debug logging is enabled (WP_DEBUG and WP_DEBUG_LOG both set to true), errors and warnings are written to /wp-content/debug.log. That path sits inside the web root, so unless the web server blocks it the file can be fetched by URL, and its contents can reveal sensitive information to attackers.
What debug.log Can Expose
- Database queries and connection details
- File system paths (server directory structure)
- Plugin and theme errors with stack traces
- PHP warnings revealing code logic
- Potentially sensitive user data
Method 1: Block Access via .htaccess
Add this to the .htaccess file in your wp-content directory. The Order/Deny syntax is Apache 2.2; on Apache 2.4 it only works when mod_access_compat is loaded, otherwise replace those two lines with Require all denied:
<Files debug.log>
    # Apache 2.2 syntax (needs mod_access_compat on Apache 2.4)
    Order allow,deny
    Deny from all
</Files>
Method 2: Block Access via Nginx
# Place inside the server block for the site. return 404 is processed before
# deny all, so clients get "Not Found" instead of a 403 that confirms the file exists.
location ~* /debug\.log$ {
    deny all;
    return 404;
}
Method 3: Move the Log File
You can point the log at a path outside the web root by giving WP_DEBUG_LOG a file path instead of true in wp-config.php:
define('WP_DEBUG', true);
// A string value (WordPress 5.1 and later) is used as the log path; the directory
// must be writable by the PHP process user and must not be served by the web server
define('WP_DEBUG_LOG', '/home/user/logs/wp-debug.log');
define('WP_DEBUG_DISPLAY', false); // never print errors into page output
This keeps the log outside the document root, so the web server cannot serve it no matter which URL is requested.
Best Practice: Disable on Production
On production sites, debugging should generally be disabled:
define('WP_DEBUG', false);         // no error reporting beyond PHP defaults
define('WP_DEBUG_LOG', false);     // nothing is written to debug.log
define('WP_DEBUG_DISPLAY', false); // nothing is echoed into page output
Verify with InspectWP
InspectWP checks whether /wp-content/debug.log is publicly accessible. After securing it, run a new scan to confirm the file is no longer reachable.
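The same reachability check, written as an added example for a site you administer rather than InspectWP's own code. It decides exposure from the response body, not just the status code, because a WordPress theme's 404 page is often served with HTTP 200; the log-line pattern, the status-code mapping and the sample responses are assumptions.

```python
import re
import urllib.error
import urllib.request

# A WordPress debug.log line starts with a PHP error_log timestamp such as
# "[12-Mar-2024 10:15:32 UTC] ". A themed 404 page served with status 200
# will not match this, so status alone is not used to decide exposure.
LOG_LINE = re.compile(r"^\[\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2} [^\]]+\] ", re.M)


def classify(status, body):
    """Classify the response to a request for /wp-content/debug.log.

    'exposed' - 200 and the body looks like a PHP debug log
    'blocked' - 401/403, i.e. a web server deny rule answered
    'absent'  - 404/410, or 200 without log content (file missing, empty,
                moved outside the web root, or a themed 404 page)
    """
    if status in (401, 403):
        return "blocked"
    if status == 200 and LOG_LINE.search(body):
        return "exposed"
    return "absent"


def check_site(base_url, timeout=10):
    """Fetch debug.log from a site you administer and classify the result."""
    url = base_url.rstrip("/") + "/wp-content/debug.log"
    req = urllib.request.Request(url, headers={"User-Agent": "debug-log-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            # Read at most 64 KiB: enough to recognise a log, even a huge one.
            body = resp.read(65536).decode("utf-8", errors="replace")
            return classify(resp.status, body)
    except urllib.error.HTTPError as err:
        return classify(err.code, "")


# Constructed sample responses for offline use; not output from any real site.
SAMPLE_LOG = (
    "[12-Mar-2024 10:15:32 UTC] PHP Warning:  Undefined variable $user_id in "
    "/var/www/html/wp-content/plugins/example/example.php on line 42\n"
)
SAMPLE_THEMED_404 = "<!DOCTYPE html><html><body><h1>Page not found</h1></body></html>"

if __name__ == "__main__":
    import sys
    # Pass a site URL to check it; with no argument, classify the constructed sample.
    print(check_site(sys.argv[1]) if len(sys.argv) > 1 else classify(200, SAMPLE_LOG))
```

After applying one of the methods above, a result of "blocked" or "absent" confirms the fix; "exposed" means the rule is not in effect for the path actually served.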