• I run WP_DEBUG on at all times for all my hosting clients.

    This allows me to close all sorts of holes in code.

    Problem is, Evil Doers troll the location of wp-content/debug.log if it exists. Looking through Apache logs turns up a surprising number of orphan lookups on this file. No other access, just a probe attempting to scrape debug.log to decode its content.

    The contents of debug.log can be parsed + buggy code can be potentially discovered + exploited.

    This is only a problem because debug.log can’t easily be moved.

    Inside wp-includes/load.php the line…

    ini_set( 'error_log', WP_CONTENT_DIR . '/debug.log' );

    simply sets the file. There is no override. Any setting of error_log in wp-config.php is overridden by wp-includes/load.php so debug.log always ends up in the same place.

    I suggest adding a constant like WP_DEBUG_LOG_FILE so debug.log can be moved somewhere away from prying eyes.
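As an added example (not from the original post), a small Python script that performs the access-log triage described above: it groups Apache combined-log lines by client address, flags clients whose only request was for wp-content/debug.log (the "orphan lookups"), and records whether any such probe was answered with a 2xx status, meaning the log file was actually served. The log lines are constructed samples, and the path and log format are assumptions.

```python
import re
from collections import defaultdict

# Constructed Apache combined-log sample (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/debug.log HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:55:41 +0000] "GET /wp-content/debug.log HTTP/1.1" 200 8192 "https://example.test/" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-content/debug.log?x=1 HTTP/1.1" 200 8192 "-" "python-requests/2.31"
"""

# Apache "combined" format: client, ident, user, [timestamp], "request line", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse(lines):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_debug_log_probes(log_text, target="/wp-content/debug.log"):
    """Per client IP that touched the target path, report:
    orphan   - every request from that client was for the target (pure probe, no browsing)
    exposed  - at least one probe got a 2xx, i.e. the server handed the file over
    attempts - number of requests for the target
    """
    by_ip = defaultdict(list)
    for rec in parse(log_text.splitlines()):
        by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        # Strip any query string so "/wp-content/debug.log?x=1" still counts.
        hits = [r for r in recs if r["path"].split("?", 1)[0] == target]
        if not hits:
            continue
        findings[ip] = {
            "orphan": len(hits) == len(recs),
            "exposed": any(r["status"].startswith("2") for r in hits),
            "attempts": len(hits),
        }
    return findings


if __name__ == "__main__":
    for ip, info in sorted(find_debug_log_probes(SAMPLE_LOG).items()):
        print(ip, info)
```

An "exposed" hit is the case worth acting on first: the file exists at the fixed path and is readable through the web server, so whatever warnings it contains have already been disclosed.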

  • The topic ‘Fixed location of debug.log file can be a security vector’ is closed to new replies.