WordPress debug mode
Description
WordPress provides a built-in debugging feature controlled by the WP_DEBUG constant in the wp-config.php file. When enabled, this feature logs PHP errors, warnings, notices, and other diagnostic information to a file located at ./wp-content/debug.log. This website has WordPress debug mode enabled with the debug log file accessible to unauthenticated users. Debug logs often contain sensitive technical information including file paths, database queries, plugin/theme details, and potentially credentials or API keys, which attackers can leverage to identify additional vulnerabilities or plan targeted attacks against the application.
Remediation
Immediately disable WordPress debug mode on production environments and remove or restrict access to existing debug log files. Follow these steps to remediate:
1. Disable debug mode by editing wp-config.php and setting:
define('WP_DEBUG', false);
define('WP_DEBUG_LOG', false);
define('WP_DEBUG_DISPLAY', false);
2. Delete the existing debug log file to remove any previously logged sensitive information:
rm ./wp-content/debug.log
3. Restrict access via .htaccess (if debug logging is required) by creating or updating ./wp-content/.htaccess:
<Files debug.log>
Order allow,deny
Deny from all
</Files>
4. Use environment-specific configurations to ensure debug mode is only enabled in development environments, never in production. Consider using environment variables or separate configuration files for different deployment stages.
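Steps 1 to 3 above, carried out by one POSIX shell helper plus a verification check. This is an added example, not part of the original finding or of WordPress itself; the function names harden_wp_debug and wp_debug_is_off, the wp_root argument, and the assumption that the site runs on Apache with AllowOverride enabled for wp-content are all the example's own (on nginx, deny /wp-content/debug.log with a location rule instead).

```shell
#!/bin/sh
# harden_wp_debug <wp_root>: flip WP_DEBUG* defines to false, remove the old
# log, and deny web access to any future debug.log (hypothetical helper).
harden_wp_debug() {
    root="$1"
    cfg="$root/wp-config.php"
    ht="$root/wp-content/.htaccess"
    [ -f "$cfg" ] || { echo "no wp-config.php under $root" >&2; return 1; }

    # Step 1: rewrite define('WP_DEBUG'|'WP_DEBUG_LOG'|'WP_DEBUG_DISPLAY', true)
    # to false, tolerating extra whitespace and TRUE/True. Commented-out lines
    # (// or #) and lines already false or using a log path string are untouched.
    sed -E "/^[[:space:]]*(\/\/|#)/!s/define\([[:space:]]*'WP_DEBUG(_LOG|_DISPLAY)?'[[:space:]]*,[[:space:]]*[Tt][Rr][Uu][Ee][[:space:]]*\)/define('WP_DEBUG\1', false)/" \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"

    # Step 2: delete the log already written so its contents cannot be fetched.
    rm -f "$root/wp-content/debug.log"

    # Step 3: append a deny rule unless the file already mentions debug.log.
    # Apache 2.4 uses Require; the Order/Deny form from the finding covers 2.2
    # (and 2.4 with mod_access_compat loaded).
    grep -q 'debug.log' "$ht" 2>/dev/null || cat >> "$ht" <<'EOF'
<Files debug.log>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
EOF
}

# wp_debug_is_off <wp_root>: succeeds only when no uncommented WP_DEBUG*
# define() in wp-config.php is still set to true (post-remediation check).
wp_debug_is_off() {
    ! grep -Ev '^[[:space:]]*(//|#)' "$1/wp-config.php" |
        grep -Eiq "define\([[:space:]]*'WP_DEBUG(_LOG|_DISPLAY)?'[[:space:]]*,[[:space:]]*true"
}
```

Run wp_debug_is_off again after deployment and confirm that a request for /wp-content/debug.log returns 403 or 404 rather than the log contents.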