high risk

How to Fix an Exposed WordPress Debug Log

A publicly readable /wp-content/debug.log can leak file paths, database errors, plugin internals, and sometimes credentials. It appears when WP_DEBUG logging is left on in production and the log file is web-accessible.

  1. 1

    Turn off debug display in production

    In wp-config.php, keep debugging off (or log-only) on live sites — never display errors to visitors.

    define( 'WP_DEBUG', false );
    // If you must log, keep display off:
    // define( 'WP_DEBUG', true );
    // define( 'WP_DEBUG_LOG', true );
    // define( 'WP_DEBUG_DISPLAY', false );
  2. 2

    Block access to the log file

    Deny web access to debug.log in .htaccess so it can't be downloaded:

    <Files debug.log>
      Require all denied
    </Files>
  3. 3

    Delete existing logs

    Remove any current /wp-content/debug.log after you've fixed the underlying errors — it may already contain sensitive data.

Is your site affected?

Run a free external scan — 36 checks, no login or plugin required.

Scan your site free

More fix guides