How to secure the log file

  • Hi,

    In its ‘Health’ screen, WordPress tells me that there is a potential risk in logging PHP errors in a file on the server. How can I protect this file while allowing your plugin to write to it?

    Thanks in advance

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Janis Elsts

    (@whiteshadow)

    One option would be to move the log file outside the web root so that it’s not accessible to site visitors. For example, if the file is currently at /home/example/public_html/log.txt, you could move it to /home/example/custom-logs/log.txt. The plugin cannot do this automatically. You would need to move the file manually and change the log file path in the code that enables error logging.

    Another option is to block access to the file using .htaccess rules. If you use the automatic setup feature in Error Log Monitor, the plugin already tries to do this for you. The elm-error-logs directory that it creates should have a .htaccess file that blocks access to all files in that directory. However, I’m not sure that WordPress can detect that kind of a .htaccess block – it might still think that the file is public even if access is blocked. I think moving the file to a place outside the directory that contains website files would be move reliable.

    Thread Starter Fred17

    (@f14m07)

    Thanks for your quick answer. There is a .htaccess which deny all. The file is 660. But maybe WP doesn’t see that. I’m reluctant to place the file above the root because I’m not sure my host allows it

    Plugin Author Janis Elsts

    (@whiteshadow)

    I think blocking access with .htaccess should be enough in practice, as long as the code is actually working. You can test it by trying to open the file in the browser.

Viewing 3 replies - 1 through 3 (of 3 total)
  • You must be logged in to reply to this topic.