- 1
Turn off debug display in production
In wp-config.php, keep debugging off (or log-only) on live sites — never display errors to visitors.
define( 'WP_DEBUG', false ); // If you must log, keep display off: // define( 'WP_DEBUG', true ); // define( 'WP_DEBUG_LOG', true ); // define( 'WP_DEBUG_DISPLAY', false ); - 2
Block access to the log file
Deny web access to debug.log in .htaccess so it can't be downloaded:
<Files debug.log> Require all denied </Files> - 3
Delete existing logs
Remove any current /wp-content/debug.log after you've fixed the underlying errors — it may already contain sensitive data.
Is your site affected?
Run a free external scan — 36 checks, no login or plugin required.
More fix guides
How to Fix Cross-Site Scripting (XSS) in WordPress
Sanitize input, escape output, patch vulnerable plugins, and add a Content-Security-Policy.
How to Fix SQL Injection in WordPress
Patch vulnerable plugins and use $wpdb->prepare() for every query with user input.
How to Disable XML-RPC in WordPress
Block xmlrpc.php unless you need it — it enables brute-force amplification and pingback DDoS.
How to Add Security Headers to WordPress
Add HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.