[wp-trac] [WordPress Trac] #64071: Site Health false positive: WP_DEBUG_LOG warning when debug.log is outside wp-content

WordPress Trac noreply at wordpress.org
Fri Oct 3 05:28:36 UTC 2025


#64071: Site Health false positive: WP_DEBUG_LOG warning when debug.log is outside
wp-content
----------------------------+-----------------------------
 Reporter:  dannythedog     |      Owner:  (none)
     Type:  enhancement     |     Status:  new
 Priority:  normal          |  Milestone:  Awaiting Review
Component:  General         |    Version:  6.8.3
 Severity:  minor           |   Keywords:  2nd-opinion
  Focuses:  administration  |
----------------------------+-----------------------------
 ## Description
 Site Health shows a security warning about `WP_DEBUG_LOG` being publicly
 accessible, even when the debug log file is stored outside the
 `wp-content` directory and is not publicly accessible.

 ## Steps to Reproduce
 1. Configure WordPress with custom debug log location outside
 `wp-content`:
 ```php
 define('WP_DEBUG', true);
 define('WP_DEBUG_LOG', '/var/www/logs/debug.log'); // Outside wp-content
 define('WP_DEBUG_DISPLAY', false);
 ```
 2. Ensure the /logs/ directory is not mapped as a public URL
 3. Verify the file is NOT accessible via HTTP (returns 404)
 4. Check Site Health (Tools → Site Health → Info)

 ## Expected Behavior
 Site Health should verify whether the debug log file is actually publicly
 accessible before showing the security warning.

 ## Actual Behavior
 Site Health shows:

 "Your site is set to log errors to a potentially public file"
 "The value, WP_DEBUG_LOG, has been added to this website's configuration
 file. This means any errors on the site will be written to a file which is
 potentially available to all users."

 This is a false positive when the log file is stored outside wp-content or
 protected by server configuration.

 ## Suggested Fix
 Enhance the Site Health check to:
 1. Detect if WP_DEBUG_LOG points to a custom path outside wp-content
 2. Attempt to verify if the file is publicly accessible via HTTP
 3. Only show the warning if the file is actually in a public directory

 ## Environment
 - WordPress Version: 6.8.3
 - Server: Docker (nginx + php-fpm)
 - Debug log location: /var/www/logs/debug.log (outside web root)
 - Public accessibility: Verified 404 via
   `curl -I https://example.com/logs/debug.log`

 ## Additional Context
 This affects Docker/containerized WordPress installations where logs are
 commonly stored in separate volumes outside the public web directory for
 security and log management purposes.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/64071>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
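
The path comparison behind steps 1 and 3 of the suggested fix, as an added example that is not part of the ticket or of WordPress core. The function names and the `/var/www/html` web root are assumptions; paths are compared lexically, so symlinks are not resolved.

```php
<?php
// Added example: hypothetical helpers, not WordPress core code.

// Collapse "." and ".." segments without touching the filesystem, because
// realpath() returns false when the log file has not been created yet.
function normalize_path_lexically(string $path): string {
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $segment;
    }
    return '/' . implode('/', $parts);
}

// Returns true when logging is on and the effective log path lies inside $web_root.
function debug_log_is_under_web_root($setting, string $content_dir, string $web_root): bool {
    if (!$setting) {
        return false;                              // logging disabled
    }
    if (is_string($setting) && !in_array(strtolower($setting), ['true', '1'], true)) {
        $log_path = $setting;                      // custom location
    } else {
        $log_path = $content_dir . '/debug.log';   // true selects wp-content/debug.log
    }
    $log  = normalize_path_lexically($log_path);
    $root = rtrim(normalize_path_lexically($web_root), '/') . '/';
    // Compare with a trailing slash so /var/www/html-logs is not mistaken
    // for a child of /var/www/html.
    return strncmp($log, $root, strlen($root)) === 0;
}

// Constructed sample values; the web root and content directory are assumed.
$web_root    = '/var/www/html';
$content_dir = '/var/www/html/wp-content';
$cases = [true, '/var/www/logs/debug.log', '/var/www/html/../logs/debug.log',
          '/var/www/html-logs/debug.log', '/var/www/html/wp-content/uploads/x.log'];
foreach ($cases as $setting) {
    printf("%-45s %s\n", var_export($setting, true),
        debug_log_is_under_web_root($setting, $content_dir, $web_root) ? 'warn' : 'ok');
}
```

A path inside the web root can still be blocked by server configuration, which is why the ticket's step 2 (an HTTP check) complements this comparison.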

