[wp-trac] [WordPress Trac] #64071: Site Health false positive: WP_DEBUG_LOG warning when debug.log is outside wp-content

WordPress Trac noreply at wordpress.org
Fri Oct 3 06:29:31 UTC 2025


#64071: Site Health false positive: WP_DEBUG_LOG warning when debug.log is outside
wp-content
-------------------------+------------------------------
 Reporter:  dannythedog  |       Owner:  (none)
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  Site Health  |     Version:  6.8.3
 Severity:  minor        |  Resolution:
 Keywords:  2nd-opinion  |     Focuses:  administration
-------------------------+------------------------------
Changes (by sabernhardt):

 * component:  General => Site Health


Old description:

> ## Description
> Site Health shows a security warning about `WP_DEBUG_LOG` being publicly
> accessible, even when the debug log file is stored outside the
> `wp-content` directory and is not publicly accessible.
>
> ## Steps to Reproduce
> 1. Configure WordPress with custom debug log location outside
> `wp-content`:
> ```php
> define('WP_DEBUG', true);
> define('WP_DEBUG_LOG', '/var/www/logs/debug.log'); // Outside wp-content
> define('WP_DEBUG_DISPLAY', false);
> ```
> 2. Ensure the /logs/ directory is not mapped as a public URL
> 3. Verify the file is NOT accessible via HTTP (returns 404)
> 4. Check Site Health (Tools → Site Health → Info)
>
> Expected Behavior
> Site Health should verify whether the debug log file is actually publicly
> accessible before showing the security warning.
> Actual Behavior
> Site Health shows:
>
> "Your site is set to log errors to a potentially public file"
> "The value, WP_DEBUG_LOG, has been added to this website's configuration
> file. This means any errors on the site will be written to a file which
> is potentially available to all users."
>
> This is a false positive when the log file is stored outside wp-content
> or protected by server configuration.
>
> Suggested Fix
> Enhance the Site Health check to:
> 1. Detect if WP_DEBUG_LOG points to a custom path outside wp-content
> 2. Attempt to verify if the file is publicly accessible via HTTP
> 3. Only show the warning if the file is actually in a public directory
>
> Environment
>
> WordPress Version: 6.8.3
> Server: Docker (nginx + php-fpm)
> Debug log location: /var/www/logs/debug.log (outside web root)
> Public accessibility: Verified 404 via curl -I
> https://example.com/logs/debug.log
>
> Additional Context
> This affects Docker/containerized WordPress installations where logs are
> commonly stored in separate volumes outside the public web directory for
> security and log management purposes.

New description:

 Site Health shows a security warning about `WP_DEBUG_LOG` being publicly
 accessible, even when the debug log file is stored outside the
 `wp-content` directory and is not publicly accessible.

 === Steps to Reproduce
 1. Configure WordPress with custom debug log location outside
 `wp-content`:
    {{{#!php
 define('WP_DEBUG', true);
 define('WP_DEBUG_LOG', '/var/www/logs/debug.log'); // Outside wp-content
 define('WP_DEBUG_DISPLAY', false);
    }}}
 2. Ensure the `/logs/` directory is not mapped as a public URL
 3. Verify the file is NOT accessible via HTTP (returns 404)
 4. Check Site Health (Tools → Site Health → Info)

 === Expected Behavior
 Site Health should verify whether the debug log file is actually publicly
 accessible before showing the security warning.

 === Actual Behavior
 Site Health shows:

 "Your site is set to log errors to a potentially public file"
 "The value, WP_DEBUG_LOG, has been added to this website's configuration
 file. This means any errors on the site will be written to a file which is
 potentially available to all users."

 This is a false positive when the log file is stored outside wp-content or
 protected by server configuration.

 === Suggested Fix
 Enhance the Site Health check to:
 1. Detect if `WP_DEBUG_LOG` points to a custom path outside `wp-content`
 2. Attempt to verify if the file is publicly accessible via HTTP
 3. Only show the warning if the file is actually in a public directory

 === Environment

 WordPress Version: 6.8.3
 Server: Docker (nginx + php-fpm)
 Debug log location: `/var/www/logs/debug.log` (outside web root)
 Public accessibility: Verified 404 via
 `curl -I https://example.com/logs/debug.log`

 === Additional Context
 This affects Docker/containerized WordPress installations where logs are
 commonly stored in separate volumes outside the public web directory for
 security and log management purposes.

--

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/64071#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
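
The first step of the ticket's suggested fix (deciding whether the `WP_DEBUG_LOG` path lies inside the web root), sketched as an added example that is not part of the ticket and not WordPress core code. The `example_*` function names, the docroot `/var/www/html` and the sample paths are assumptions, and only absolute paths are handled.

```php
<?php
// Added example, not WordPress core code. The example_* names and all paths are hypothetical.

// Lexical normalization; realpath() is avoided because the log file may not exist yet.
function example_normalize_path( string $path ): string {
	$parts = array();
	foreach ( explode( '/', str_replace( '\\', '/', $path ) ) as $segment ) {
		if ( '' === $segment || '.' === $segment ) {
			continue;
		}
		if ( '..' === $segment ) {
			array_pop( $parts );
			continue;
		}
		$parts[] = $segment;
	}
	return '/' . implode( '/', $parts );
}

// true, 'true' and '1' select the default wp-content/debug.log; another string is a custom path.
function example_resolve_debug_log( $setting, string $content_dir ): ?string {
	if ( in_array( strtolower( (string) $setting ), array( 'true', '1' ), true ) ) {
		return example_normalize_path( $content_dir . '/debug.log' );
	}
	return ( is_string( $setting ) && '' !== $setting ) ? example_normalize_path( $setting ) : null;
}

// Boundary-aware prefix test: /var/www/html-logs is not inside /var/www/html.
function example_is_under_docroot( string $log_path, string $docroot ): bool {
	$root = rtrim( example_normalize_path( $docroot ), '/' ) . '/';
	return 0 === strpos( $log_path . '/', $root );
}

function example_classify( $setting, string $content_dir, string $docroot ): string {
	$path = example_resolve_debug_log( $setting, $content_dir );
	if ( null === $path ) {
		return 'file logging disabled';
	}
	return example_is_under_docroot( $path, $docroot ) ? 'inside docroot: probe over HTTP' : 'outside docroot';
}

// Constructed sample values; the docroot /var/www/html is an assumption.
$samples = array( true, '/var/www/logs/debug.log', '/var/www/html/../logs/debug.log',
	'/var/www/html-logs/debug.log', '/var/www/html/wp-content/uploads/debug.log', false );
foreach ( $samples as $setting ) {
	$verdict = example_classify( $setting, '/var/www/html/wp-content', '/var/www/html' );
	printf( "%-46s %s\n", var_export( $setting, true ), $verdict );
}
```

The verdict is lexical only: a server alias or symlink can still expose a path outside the docroot, and server rules can deny a path inside it, which is why the suggested fix pairs this check with an HTTP request.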

