Publicly accessible config, backup, or log file found: wp-content/debug.log

Home Forums BulletProof Security Pro Publicly accessible config, backup, or log file found: wp-content/debug.log

Viewing 5 posts - 1 through 5 (of 5 total)
  • Author
    Posts
  • December 23, 2016 at 6:32 pm #31887
    alan sills
    Participant

    Wordfence found this file and suggests it get locked down – wordfence says it can hide it in the htaccess file – but before I did anything I figured I’d ask if BPS can (or should) lock down this file:

    Publicly accessible config, backup, or log file found: wp-content/debug.log
    URL: http://rvacrossamerica.net/wp-content/debug.log
    Severity: Warning
    Status New
    http://rvacrossamerica.net/wp-content/debug.log is publicly accessible and may expose sensitive information about your site. Files such as this one are commonly checked for by scanners such as WPScan and should be removed or made inaccessible.
    Tools:Hide this file in .htaccess Delete this file (can’t be undone).

    December 23, 2016 at 6:40 pm #31889
    AITpro Admin
    Keymaster

    @ alan sills – This is a question you need to ask Wordfence about.  The error message is a Wordfence issue.

    December 23, 2016 at 6:55 pm #31890
    alan sills
    Participant

    Thanks, the reason I posted here is to see if the debug.log file is one that typically needs to be locked down – and if so, to see if BPS can do it. Further, if I use wordfence, it seems to be prepared to modify the htaccess file (it says it will hide the log in htaccess), so if I do that, do I first need to turn off autorestore in BPS? Al

    December 23, 2016 at 7:07 pm #31891
    AITpro Admin
    Keymaster

    I can’t think of any reason why you would want to hide that file.  Let me test using some htaccess code to block/forbid that file and see if that breaks anything.  The WordPress /wp-content/debug.log is used when you turn on WordPress debugging.

    December 23, 2016 at 7:15 pm #31892
    AITpro Admin
    Keymaster

    Ok I tested blocking the debug.log file with existing BPS htaccess code and it does not break anything.  Do the steps below to block/forbid the debug.log file from being publicly accessible via a Browser,

    1. Copy the htaccess code below to this BPS Root Custom Code text box: CUSTOM CODE DENY BROWSER ACCESS TO THESE FILES
    2. Click the Save Root Custom Code button.
    3. Go to the Security Modes page and click the Root BulletProof Mode Activate button.

    # DENY BROWSER ACCESS TO THESE FILES
# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
# wp-config.php, bb-config.php, php.ini, php5.ini, readme.html
# To be able to view these files from a Browser, replace 127.0.0.1 with your actual
# current IP address. Comment out: #Require all denied and Uncomment: Require ip 127.0.0.1
# Comment out: #Deny from all and Uncomment: Allow from 127.0.0.1
# Note: The BPS System Info page displays which modules are loaded on your server.

<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php|debug\.log)">
<IfModule mod_authz_core.c>
Require all denied
#Require ip 127.0.0.1
</IfModule>

<IfModule !mod_authz_core.c>
<IfModule mod_access_compat.c>
Order Allow,Deny
Deny from all
#Allow from 127.0.0.1
</IfModule>
</IfModule>
</FilesMatch>
  • Author
    Posts
Viewing 5 posts - 1 through 5 (of 5 total)
  • You must be logged in to reply to this topic.