Publicly accessible config, backup, or log file found: wp-content/debug.log

Home Forums BulletProof Security Pro Publicly accessible config, backup, or log file found: wp-content/debug.log

This topic contains 4 replies, has 2 voices, and was last updated by  AITpro Admin 1 year, 5 months ago.

Viewing 5 posts - 1 through 5 (of 5 total)
  • Author
    Posts
  • #31887

    alan sills
    Participant

    Wordfence found this file and suggests it get locked down – wordfence says it can hide it in the htaccess file – but before I did anything I figured I’d ask if BPS can (or should) lock down this file:

    Publicly accessible config, backup, or log file found: wp-content/debug.log
    URL: http://rvacrossamerica.net/wp-content/debug.log
    Severity: Warning
    Status New
    http://rvacrossamerica.net/wp-content/debug.log is publicly accessible and may expose sensitive information about your site. Files such as this one are commonly checked for by scanners such as WPScan and should be removed or made inaccessible.
    Tools:Hide this file in .htaccess Delete this file (can’t be undone).

    #31889

    AITpro Admin
    Keymaster

    @ alan sills – This is a question you need to ask Wordfence about.  The error message is a Wordfence issue.

    #31890

    alan sills
    Participant

    Thanks, the reason I posted here is to see if the debug.log file is one that typically needs to be locked down – and if so, to see if BPS can do it. Further, if I use wordfence, it seems to be prepared to modify the htaccess file (it says it will hide the log in htaccess), so if I do that, do I first need to turn off autorestore in BPS? Al

    #31891

    AITpro Admin
    Keymaster

    I can’t think of any reason why you would want to hide that file.  Let me test using some htaccess code to block/forbid that file and see if that breaks anything.  The WordPress /wp-content/debug.log is used when you turn on WordPress debugging.

    #31892

    AITpro Admin
    Keymaster

    Ok I tested blocking the debug.log file with existing BPS htaccess code and it does not break anything.  Do the steps below to block/forbid the debug.log file from being publicly accessible via a Browser,

    1. Copy the htaccess code below to this BPS Root Custom Code text box: CUSTOM CODE DENY BROWSER ACCESS TO THESE FILES
    2. Click the Save Root Custom Code button.
    3. Go to the Security Modes page and click the Root BulletProof Mode Activate button.

    # DENY BROWSER ACCESS TO THESE FILES
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # wp-config.php, bb-config.php, php.ini, php5.ini, readme.html
    # To be able to view these files from a Browser, replace 127.0.0.1 with your actual
    # current IP address. Comment out: #Require all denied and Uncomment: Require ip 127.0.0.1
    # Comment out: #Deny from all and Uncomment: Allow from 127.0.0.1
    # Note: The BPS System Info page displays which modules are loaded on your server.
    
    <FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php|debug\.log)">
    <IfModule mod_authz_core.c>
    Require all denied
    #Require ip 127.0.0.1
    </IfModule>
    
    <IfModule !mod_authz_core.c>
    <IfModule mod_access_compat.c>
    Order Allow,Deny
    Deny from all
    #Allow from 127.0.0.1
    </IfModule>
    </IfModule>
    </FilesMatch>
Viewing 5 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.