WordPress full path disclosure
Description
The web server is configured to display detailed PHP error messages that expose the full filesystem paths of application files. When PHP encounters errors or warnings, these messages reveal the complete directory structure where WordPress and its components are installed. This configuration issue is commonly caused by having PHP's display_errors directive enabled in production environments.
Remediation
Disable the display of PHP error messages to end users by configuring the server to suppress error output in production environments. Apply one of the following configurations, depending on how PHP is deployed:
Option 1 - Modify PHP configuration file (php.ini):
    display_errors = Off
    log_errors = On
    error_log = /var/log/php_errors.log
Option 2 - Configure Apache virtual host or .htaccess file:
    php_flag display_errors Off
    php_flag log_errors On
    php_value error_log /var/log/php_errors.log
Option 3 - For Nginx with PHP-FPM, add to your php-fpm pool configuration:
    php_admin_flag[display_errors] = Off
    php_admin_flag[log_errors] = On
    php_admin_value[error_log] = /var/log/php_errors.log
After making changes, restart the web server and PHP service. Verify that errors are being logged to the specified log file rather than displayed to users. Ensure log files are stored outside the web root and have appropriate access restrictions.
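The verification step above can be automated. The following Python script is an added example, not part of the original advisory: it parses the three configuration forms shown (php.ini, Apache php_flag/php_value, PHP-FPM php_admin_flag/php_admin_value), reports any setting that departs from the remediation, flags an error_log path that sits under the web root (assumed here to be /var/www/html), and scans a page body for the PHP error format that leaks filesystem paths so a defender can confirm the disclosure is gone. All configuration fragments and the sample response body are constructed for the example.

```python
import re
from pathlib import PurePosixPath

# Constructed configuration fragments for the example (not from any real server).
WEAK_INI = """
display_errors = On
log_errors = Off
error_log = /var/www/html/php_errors.log
"""

HARDENED_INI = """
display_errors = Off
log_errors = On
error_log = /var/log/php_errors.log
"""

# Constructed page body showing the two error formats PHP emits
# (html_errors on: <b> tags; html_errors off: plain text).
SAMPLE_BODY = """<!DOCTYPE html>
<br />
<b>Warning</b>:  Undefined variable $foo in <b>/var/www/html/wp-content/plugins/example-plugin/example.php</b> on line <b>42</b><br />
Notice: Trying to access array offset on value of type null in /var/www/html/wp-includes/class-wp-hook.php on line 310
<html><head><title>Example</title></head></html>
"""

# php-fpm pool form: php_admin_flag[display_errors] = Off
FPM_RE = re.compile(r"^php_(?:admin_)?(?:flag|value)\[(?P<key>\w+)\]\s*=\s*(?P<value>.*)$")
# Apache form: php_flag display_errors Off / php_value error_log /path
APACHE_RE = re.compile(r"^php_(?:admin_)?(?:flag|value)\s+(?P<key>\w+)\s+(?P<value>.*)$")
# php.ini form: display_errors = Off
INI_RE = re.compile(r"^(?P<key>[A-Za-z_.]+)\s*=\s*(?P<value>.*)$")

OFF_VALUES = {"off", "0", "false", "no"}
ON_VALUES = {"on", "1", "true", "yes"}

# PHP error line: "<Level>: <message> in <path>.php on line <n>", with or without <b> tags.
PHP_ERROR_RE = re.compile(
    r"(?:Warning|Notice|Fatal error|Parse error|Deprecated)(?:</b>)?:"
    r".*?\bin\s+(?:<b>)?(/[^\s<]+\.php)(?:</b>)?\s+on\s+line"
)


def parse_php_settings(text: str) -> dict:
    """Return {setting: value} (lower-cased) from any of the three configuration forms."""
    settings = {}
    for raw in text.splitlines():
        # Strip ';' (ini) and '#' (Apache) comments before matching.
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not line:
            continue
        for pattern in (FPM_RE, APACHE_RE, INI_RE):
            m = pattern.match(line)
            if m:
                settings[m["key"].lower()] = m["value"].strip().strip('"').lower()
                break
    return settings


def audit_php_settings(text: str, web_root: str = "/var/www/html") -> list:
    """Return findings against the remediation; an empty list means the fragment complies.

    web_root is an assumption for the example; adjust it to the actual DocumentRoot.
    """
    s = parse_php_settings(text)
    findings = []
    # PHP's built-in default for display_errors is On, so a missing directive is a finding.
    if s.get("display_errors", "on") not in OFF_VALUES:
        findings.append("display_errors is not Off")
    if s.get("log_errors") not in ON_VALUES:
        findings.append("log_errors is not On")
    error_log = s.get("error_log")
    if not error_log:
        findings.append("error_log is not set")
    elif PurePosixPath(error_log).is_relative_to(web_root):
        findings.append(f"error_log {error_log} is inside the web root {web_root}")
    return findings


def leaked_paths(body: str) -> list:
    """Return the sorted set of filesystem paths disclosed by PHP error messages in a page body."""
    return sorted(set(PHP_ERROR_RE.findall(body)))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_php_settings(cfg) or "OK")
    print("paths disclosed in sample body:", leaked_paths(SAMPLE_BODY))
```

Run `audit_php_settings` over the fragment you actually deployed and `leaked_paths` over the HTML of a page known to have triggered a warning before the change; both should come back empty once the remediation is in place.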