Fixed location of debug.log file can be a security vector
I run WP_DEBUG on at all times for all my Hosting clients.
This allows me to close all sorts of holes in code.
Problem is, Evil Doers troll the location of wp-content/debug.log if it exists. Looking through Apache logs turns up a surprising number of orphan lookups on this file. No other access, just a probe attempting to scrape debug.log to decode its content.
The contents of debug.log can be parsed + buggy code can be potentially discovered + exploited.
This is only a problem because debug.log can’t easily be moved.
Inside wp-includes/load.php the line…
ini_set( 'error_log', WP_CONTENT_DIR . '/debug.log' );
simply sets the file. There is no override. Any setting of error_log in wp-config.php is overridden by wp-includes/load.php so debug.log always ends up in the same place.
I suggest adding a constant like WP_DEBUG_LOG_FILE so debug.log can be moved somewhere away from prying eyes.
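
Added example, not part of the original post: one way to surface the "orphan lookups" described above from an Apache access log, flagging clients whose only requests were for wp-content/debug.log and whether the file was actually served. The function name, the log format (common/combined) and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log format: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TARGET = "/wp-content/debug.log"

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:04:12:01 +0000] "GET /wp-content/debug.log HTTP/1.1" 200 48213 "-" "curl/8.0"
198.51.100.22 - - [10/Mar/2024:04:15:40 +0000] "GET /wp-content/debug.log HTTP/1.1" 403 199 "-" "-"
192.0.2.10 - - [10/Mar/2024:09:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:09:00:04 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:10:30:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:10:31:00 +0000] "GET /wp-content/debug.log?x=1 HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
malformed line that the parser must skip
"""

def find_debug_log_probes(log_text):
    """Return {ip: {"orphan": bool, "served": bool}} for clients that requested debug.log."""
    paths = defaultdict(set)      # ip -> set of paths requested (query string stripped)
    served = defaultdict(bool)    # ip -> True if debug.log came back with a 2xx status
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        path = m["path"].split("?", 1)[0]
        paths[m["ip"]].add(path)
        if path.endswith(TARGET) and m["status"].startswith("2"):
            served[m["ip"]] = True
    return {
        # "orphan": every request from this client was for debug.log and nothing else
        ip: {"orphan": all(p.endswith(TARGET) for p in seen), "served": served[ip]}
        for ip, seen in paths.items()
        if any(p.endswith(TARGET) for p in seen)
    }

if __name__ == "__main__":
    for ip, info in sorted(find_debug_log_probes(SAMPLE_LOG).items()):
        print(ip, info)
```

A client with "served" set received the log contents, so the entries written to debug.log before that request should be reviewed for disclosed paths, queries or errors.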