Publicly accessible config, backup, or log file found: wp-content/debug.log
- This topic has 4 replies, 2 voices, and was last updated 7 years, 4 months ago by AITpro Admin.

alan sills (Participant)
Wordfence found this file and suggests it get locked down – Wordfence says it can hide it in the htaccess file – but before I did anything I figured I’d ask if BPS can (or should) lock down this file:
Publicly accessible config, backup, or log file found: wp-content/debug.log
URL: http://rvacrossamerica.net/wp-content/debug.log
Severity: Warning
Status New
http://rvacrossamerica.net/wp-content/debug.log is publicly accessible and may expose sensitive information about your site. Files such as this one are commonly checked for by scanners such as WPScan and should be removed or made inaccessible.
Tools: Hide this file in .htaccess / Delete this file (can’t be undone).

AITpro Admin (Keymaster)
@ alan sills – This is a question you need to ask Wordfence about. The error message is a Wordfence issue.

alan sills (Participant)
Thanks, the reason I posted here is to see if the debug.log file is one that typically needs to be locked down – and if so, to see if BPS can do it. Further, if I use Wordfence, it seems to be prepared to modify the htaccess file (it says it will hide the log in htaccess), so if I do that, do I first need to turn off autorestore in BPS? Al

AITpro Admin (Keymaster)
I can’t think of any reason why you would want to hide that file. Let me test using some htaccess code to block/forbid that file and see if that breaks anything. The WordPress /wp-content/debug.log is used when you turn on WordPress debugging.

AITpro Admin (Keymaster)
Ok, I tested blocking the debug.log file with existing BPS htaccess code and it does not break anything. Do the steps below to block/forbid the debug.log file from being publicly accessible via a Browser:
1. Copy the htaccess code below to this BPS Root Custom Code text box: CUSTOM CODE DENY BROWSER ACCESS TO THESE FILES
2. Click the Save Root Custom Code button.
3. Go to the Security Modes page and click the Root BulletProof Mode Activate button.

# DENY BROWSER ACCESS TO THESE FILES
# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
# wp-config.php, bb-config.php, php.ini, php5.ini, readme.html
# To be able to view these files from a Browser, replace 127.0.0.1 with your actual
# current IP address. Comment out: #Require all denied and Uncomment: Require ip 127.0.0.1
# Comment out: #Deny from all and Uncomment: Allow from 127.0.0.1
# Note: The BPS System Info page displays which modules are loaded on your server.

<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php|debug\.log)">
<IfModule mod_authz_core.c>
Require all denied
#Require ip 127.0.0.1
</IfModule>

<IfModule !mod_authz_core.c>
<IfModule mod_access_compat.c>
Order Allow,Deny
Deny from all
#Allow from 127.0.0.1
</IfModule>
</IfModule>
</FilesMatch>
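
Added example (not part of the thread and not BPS or Wordfence code): a Python check to run against your own site after activating Root BulletProof Mode, comparing which file names the FilesMatch pattern above covers with the HTTP status the server actually returns. The sample paths and the names `covered_by_rule`, `http_status` and `audit` are assumptions made for illustration.

```python
import re
import sys
import urllib.error
import urllib.request

# Regex copied from the FilesMatch directive in the post above.
FILESMATCH = r"^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php|debug\.log)"

# Constructed sample paths (assumptions), relative to the site root.
SAMPLE_PATHS = ["wp-content/debug.log", "wp-content/debug.log.1",
                "wp-config.php", "readme.html", "wp-content/xdebug.log"]


def covered_by_rule(path):
    """Apache applies FilesMatch to the file name only, not the directory part."""
    name = path.rstrip("/").rsplit("/", 1)[-1]
    return re.search(FILESMATCH, name) is not None


def http_status(url, timeout=10):
    """GET the URL and return the status code; 4xx/5xx are results, not errors."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit(base_url, paths=SAMPLE_PATHS, fetch=http_status):
    """Return (path, covered, status, verdict) for each path under base_url."""
    rows = []
    for path in paths:
        covered = covered_by_rule(path)
        status = fetch(base_url.rstrip("/") + "/" + path)
        if status == 200 and covered:
            verdict = "rule not active"  # expect 403 once the rule is live
        elif status == 200:
            verdict = "readable, not covered by rule"
        else:
            verdict = "ok"
        rows.append((path, covered, status, verdict))
    return rows


if __name__ == "__main__" and len(sys.argv) == 2:
    for row in audit(sys.argv[1]):
        print("%-26s covered=%-5s status=%s  %s" % row)
```

Because the pattern has no trailing `$`, rotated names such as `debug.log.1` are denied as well, while a name that merely ends in `debug.log` is not.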