Publicly visible debuglog (enabled by default) contains confidential info
-
Hi,
Debug logging is enabled by default and contains highly confidential information about customer name, address, e-mail, phone, order content and amount, which is not a problem in itself. However, it is vital that it is properly protected!
The plugin saves these logs in /wp-content/uploads/wc-logs, which is protected by a .htaccess. However, the .htaccess file uses a directive that is not supported by OpenLiteSpeed, which I run (only rewrite is supported), nor are .htaccess files supported at all by Nginx.
This poses a serious security concern for the majority of all users!
Suggestion: disable debug-logging per default.
Advice needed: How to properly protect the wc-logs and other folders from public access (HTTP) on Nginx and OpenLiteSpeed, which do not support the “deny from all” in .htaccess?
-
Hello,
You can enable/disable the logs under:
WooCommerce > settings > payments > stripe > settings > advanced settings > Log error messages.
Enabling the logs entails you will be able to check what was the user’s activity when checking for a transaction, and this is necessary for the most part.
How to properly protect the wc-logs
As a first step to check better into your setup, please share a copy of your site’s System Status, you can find it via WooCommerce > Status. Select “Get system report” and then “Copy for support”.
Thanks.
Thanks for your prompt reply. Wouldn’t it be good to leave the debug option off by default, to avoid similar data leaks for other users who aren’t aware of this problem, and who may not even need the debug log?
### WordPress Environment ###
WordPress address (URL): https://www.templehair.dk
Site address (URL): https://www.templehair.dk
WC Version: 6.5.1
REST API Version: ? 6.5.1
WC Blocks Version: ? 7.4.3
Action Scheduler Version: ? 3.4.0
Log Directory Writable: ?
WP Version: ? 5.9.3 – Der findes en nyere version af WordPress (6.0)
WP Multisite: –
WP Memory Limit: 256 MB
WP Debug Mode: –
WP Cron: ?
Language: da_DK
External object cache: ?
### Server Environment ###
Server Info: LiteSpeed
PHP Version: 7.3.33-1+focal
PHP Post Max Size: 16 MB
PHP Time Limit: 360
PHP Max Input Vars: 3000
cURL Version: 7.68.0
OpenSSL/1.1.1fSUHOSIN Installed: –
MySQL Version: 5.5.5-10.4.25-MariaDB-1:10.4.25+maria~focal-log
Max Upload Size: 16 MB
Default Timezone is UTC: ?
fsockopen/cURL: ?
SoapClient: ?
DOMDocument: ?
GZip: ?
Multibyte String: ?
Remote Post: ?
Remote Get: ?
### Database ###
WC Database Version: 6.5.1
WC Database Prefix: wp_
Total databasestørrelse: 73.18MB
Database datastørrelse: 64.87MB
Database indexstørrelse: 8.31MB
wp_woocommerce_sessions: Data: 2.02MB + Index: 0.05MB + Engine InnoDB
wp_woocommerce_api_keys: Data: 0.02MB + Index: 0.03MB + Engine InnoDB
wp_woocommerce_attribute_taxonomies: Data: 0.02MB + Index: 0.02MB + Engine InnoDB
wp_woocommerce_downloadable_product_permissions: Data: 0.02MB + Index: 0.17MB + Engine InnoDB
wp_woocommerce_order_items: Data: 0.09MB + Index: 0.05MB + Engine InnoDB
wp_woocommerce_order_itemmeta: Data: 1.52MB + Index: 0.53MB + Engine InnoDB
wp_woocommerce_tax_rates: Data: 0.02MB + Index: 0.08MB + Engine InnoDB
wp_woocommerce_tax_rate_locations: Data: 0.02MB + Index: 0.05MB + Engine InnoDB
wp_woocommerce_shipping_zones: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_woocommerce_shipping_zone_locations: Data: 0.02MB + Index: 0.03MB + Engine InnoDB
wp_woocommerce_shipping_zone_methods: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_woocommerce_payment_tokens: Data: 0.02MB + Index: 0.03MB + Engine InnoDB
wp_woocommerce_payment_tokenmeta: Data: 0.02MB + Index: 0.05MB + Engine InnoDB
wp_woocommerce_log: Data: 0.02MB + Index: 0.02MB + Engine InnoDB
store_locator_country: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
store_locator_state: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
store_locator_transactions: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_actionscheduler_actions: Data: 0.06MB + Index: 0.13MB + Engine InnoDB
wp_actionscheduler_claims: Data: 0.02MB + Index: 0.02MB + Engine InnoDB
wp_actionscheduler_groups: Data: 0.02MB + Index: 0.02MB + Engine InnoDB
wp_actionscheduler_logs: Data: 0.05MB + Index: 0.03MB + Engine InnoDB
wp_asl_brands: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_asl_categories: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_asl_configs: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_asl_countries: Data: 0.02MB + Index: 0.02MB + Engine InnoDB
wp_asl_markers: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_asl_settings: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_asl_storelogos: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_asl_stores: Data: 0.02MB + Index: 0.03MB + Engine InnoDB
wp_asl_stores_categories: Data: 0.02MB + Index: 0.02MB + Engine InnoDB
wp_asl_stores_view: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_auto_updates: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_commentmeta: Data: 0.02MB + Index: 0.03MB + Engine InnoDB
wp_comments: Data: 0.28MB + Index: 0.36MB + Engine InnoDB
wp_fusion_forms: Data: 0.02MB + Index: 0.03MB + Engine InnoDB
wp_fusion_form_entries: Data: 0.02MB + Index: 0.02MB + Engine InnoDB
wp_fusion_form_fields: Data: 0.02MB + Index: 0.02MB + Engine InnoDB
wp_fusion_form_submissions: Data: 0.02MB + Index: 0.02MB + Engine InnoDB
wp_links: Data: 0.02MB + Index: 0.02MB + Engine InnoDB
wp_litespeed_url: Data: 0.06MB + Index: 0.06MB + Engine InnoDB
wp_litespeed_url_file: Data: 0.02MB + Index: 0.08MB + Engine InnoDB
wp_login_redirects: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_mailchimp_carts: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_mailchimp_jobs: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_options: Data: 18.03MB + Index: 0.27MB + Engine InnoDB
wp_postmeta: Data: 6.02MB + Index: 3.05MB + Engine InnoDB
wp_posts: Data: 15.02MB + Index: 0.36MB + Engine InnoDB
wp_sbi_feeds: Data: 0.02MB + Index: 0.02MB + Engine InnoDB
wp_sbi_feed_caches: Data: 0.08MB + Index: 0.02MB + Engine InnoDB
wp_sbi_instagram_feeds_posts: Data: 0.02MB + Index: 0.03MB + Engine InnoDB
wp_sbi_instagram_feed_locator: Data: 0.02MB + Index: 0.03MB + Engine InnoDB
wp_sbi_instagram_posts: Data: 0.08MB + Index: 0.00MB + Engine InnoDB
wp_sbi_sources: Data: 0.02MB + Index: 0.03MB + Engine InnoDB
wp_shopmagic_automation_outcome: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_shopmagic_automation_outcome_logs: Data: 0.02MB + Index: 0.02MB + Engine InnoDB
wp_shopmagic_cart: Data: 0.22MB + Index: 0.06MB + Engine InnoDB
wp_shopmagic_guest: Data: 0.05MB + Index: 0.00MB + Engine InnoDB
wp_shopmagic_guest_meta: Data: 0.20MB + Index: 0.08MB + Engine InnoDB
wp_shopmagic_marketing_lists: Data: 0.02MB + Index: 0.02MB + Engine InnoDB
wp_shopmagic_optin_email: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_slp_extendo_meta: Data: 0.02MB + Index: 0.05MB + Engine InnoDB
wp_store_locator: Data: 0.02MB + Index: 0.05MB + Engine InnoDB
wp_termmeta: Data: 0.08MB + Index: 0.03MB + Engine InnoDB
wp_terms: Data: 0.02MB + Index: 0.03MB + Engine InnoDB
wp_term_relationships: Data: 0.02MB + Index: 0.02MB + Engine InnoDB
wp_term_taxonomy: Data: 0.02MB + Index: 0.03MB + Engine InnoDB
wp_update_log: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_usermeta: Data: 0.22MB + Index: 0.19MB + Engine InnoDB
wp_users: Data: 0.02MB + Index: 0.05MB + Engine InnoDB
wp_wcmnd_analytics: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_wcpdf_invoice_number: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_wcpdf_packing_slip_number: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_wc_admin_notes: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_wc_admin_note_actions: Data: 0.02MB + Index: 0.02MB + Engine InnoDB
wp_wc_category_lookup: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_wc_customer_lookup: Data: 0.05MB + Index: 0.03MB + Engine InnoDB
wp_wc_download_log: Data: 0.02MB + Index: 0.05MB + Engine InnoDB
wp_wc_order_coupon_lookup: Data: 0.02MB + Index: 0.03MB + Engine InnoDB
wp_wc_order_product_lookup: Data: 0.08MB + Index: 0.06MB + Engine InnoDB
wp_wc_order_stats: Data: 0.06MB + Index: 0.05MB + Engine InnoDB
wp_wc_order_tax_lookup: Data: 0.05MB + Index: 0.03MB + Engine InnoDB
wp_wc_product_attributes_lookup: Data: 0.02MB + Index: 0.03MB + Engine InnoDB
wp_wc_product_download_directories: Data: 0.02MB + Index: 0.02MB + Engine InnoDB
wp_wc_product_meta_lookup: Data: 0.06MB + Index: 0.09MB + Engine InnoDB
wp_wc_rate_limits: Data: 0.02MB + Index: 0.02MB + Engine InnoDB
wp_wc_reserved_stock: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_wc_tax_rate_classes: Data: 0.02MB + Index: 0.02MB + Engine InnoDB
wp_wc_webhooks: Data: 0.02MB + Index: 0.03MB + Engine InnoDB
wp_wdr_order_discounts: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_wdr_order_item_discounts: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_wdr_rules: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_wfblockediplog: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_wfblocks7: Data: 0.02MB + Index: 0.05MB + Engine InnoDB
wp_wfconfig: Data: 1.27MB + Index: 0.00MB + Engine InnoDB
wp_wfcrawlers: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_wffilechanges: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_wffilemods: Data: 8.52MB + Index: 0.00MB + Engine InnoDB
wp_wfhits: Data: 2.02MB + Index: 0.23MB + Engine InnoDB
wp_wfhoover: Data: 0.02MB + Index: 0.02MB + Engine InnoDB
wp_wfissues: Data: 0.02MB + Index: 0.06MB + Engine InnoDB
wp_wfknownfilelist: Data: 4.52MB + Index: 0.00MB + Engine InnoDB
wp_wflivetraffichuman: Data: 0.02MB + Index: 0.02MB + Engine InnoDB
wp_wflocs: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_wflogins: Data: 0.39MB + Index: 0.14MB + Engine InnoDB
wp_wfls_2fa_secrets: Data: 0.02MB + Index: 0.02MB + Engine InnoDB
wp_wfls_settings: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_wfnotifications: Data: 0.05MB + Index: 0.00MB + Engine InnoDB
wp_wfpendingissues: Data: 0.02MB + Index: 0.06MB + Engine InnoDB
wp_wfreversecache: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_wfsnipcache: Data: 0.02MB + Index: 0.05MB + Engine InnoDB
wp_wfstatus: Data: 0.13MB + Index: 0.11MB + Engine InnoDB
wp_wftrafficrates: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_wpfm_backup: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_wpf_filters: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_wpf_modules: Data: 0.02MB + Index: 0.02MB + Engine InnoDB
wp_wpf_modules_type: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_wpf_usage_stat: Data: 0.02MB + Index: 0.02MB + Engine InnoDB
wp_wt_iew_action_history: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_wt_iew_cron: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_wt_iew_ftp: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_wt_iew_mapping_template: Data: 0.02MB + Index: 0.00MB + Engine InnoDB
wp_yoast_indexable: Data: 1.50MB + Index: 0.41MB + Engine InnoDB
wp_yoast_indexable_hierarchy: Data: 0.05MB + Index: 0.05MB + Engine InnoDB
wp_yoast_migrations: Data: 0.02MB + Index: 0.02MB + Engine InnoDB
wp_yoast_primary_term: Data: 0.02MB + Index: 0.03MB + Engine InnoDB
wp_yoast_seo_links: Data: 0.11MB + Index: 0.06MB + Engine InnoDB
wp_yoast_seo_meta: Data: 0.05MB + Index: 0.00MB + Engine InnoDB
### Post Type Counts ###
attachment: 614
awdp_pt_products: 2
awdp_pt_rules: 2
custom_css: 1
fusion_element: 10
fusion_template: 1
maps: 1
mc4wp-form: 1
nav_menu_item: 22
o-discount: 1
o-list: 2
oembed_cache: 6
page: 54
post: 2
product: 144
product_variation: 13
revision: 593
shop_coupon: 4
shop_order: 302
shop_order_refund: 30
shopmagic_automation: 2
slide: 13
store_locator: 1
uni_cpo_option: 1
woo_discount: 2
woo_discount_cart: 1
wp_global_styles: 1
wpcf7_contact_form: 4
wpsl_stores: 8
### Security ###
Secure connection (HTTPS): ?
Hide errors from visitors: ?
### Active Plugins (32) ###
Ajax Cart AutoUpdate for WooCommerce: af taisho – 1.5.5
Companion Auto Update: af Papin Schipper – 3.8.5
Contact Form 7: af Takayuki Miyoshi – 5.5.6.1
Force Regenerate Thumbnails: af Pedro Elsner – 2.0.6
Avada Builder: af ThemeFusion – 3.7.1
Avada Core: af ThemeFusion – 5.7.1
Hide Shipping Method For WooCommerce Pro: af theDotstore – 1.3.1
Infinite Ajax Scrolling Lite For Woocommerce: af phoeniixx – 1.4.9
Smash Balloon Instagram Feed: af Smash Balloon – 6.0.5
LiteSpeed Cache: af LiteSpeed Technologies – 4.6
Loco Translate: af Tim Whitlock – 2.6.2
Meta Generator and Version Info Remover: af Pankaj Kumar Mondal – 14.0.2
Shipmondo til WooCommerce: af Shipmondo – 4.1.0
LoginWP (Formerly Peter’s Login Redirect): af LoginWP Team – 3.0.0.8
ShopMagic Abandoned Carts: af WP Desk – 2.0.7
ShopMagic for WooCommerce: af WP Desk – 2.37.7
UpdraftPlus – Backup/Restore: af UpdraftPlus.Com, DavidAnderson – 1.22.12
ViaBill – WooCommerce: af ViaBill – 1.1.19
WooCommerce Free Shipping: af Plugin Territory – 5.5.0
Password Strength Settings for WooCommerce: af Daniel Santoro – 3.0.0
Woo Discount Rules PRO 2.0: af Flycart – 2.3.10
Woo Discount Rules: af Flycart – 2.4.1
Advanced Order Export For WooCommerce: af AlgolPlus – 3.3.1
WooCommerce Stripe Gateway: af WooCommerce – 6.4.0
WooCommerce PDF Invoices & Packing Slips: af WP Overnight – 2.14.5
WooCommerce Product SKU Generator: af SkyVerge – 2.4.6
WooCommerce: af Automattic – 6.5.1
Wordfence Security: af Wordfence – 7.5.10
Yoast SEO: af Team Yoast – 18.9
WP Store Locator: af Tijmen Smit – 2.2.235
WPS Hide Login: af WPServeur, NicolasKulka, wpformation – 1.9.4
Zoho Mail: af Zoho Mail – 1.4.8
### Inactive Plugins (6) ###
Advanced Free – Flat shipping WooCommerce: af PI Websolution – 1.6.3.47
Controlled Admin Access: af WPRuby – 1.5.12
Hide My WP Ghost Lite: af WPPlugins – WordPress Security Plugins – 5.0.13
Locatoraid: af plainware.com – 3.9.7
Order Export & Order Import for WooCommerce: af WebToffee – 2.2.3
Store Locator Plus?: af Store Locator Plus? – 5.7
### Dropin Plugins (1) ###
object-cache.php: object-cache.php
### Settings ###
API Enabled: ?
Force SSL: –
Currency: DKK (DKK)
Currency Position: right_space
Thousand Separator: .
Decimal Separator: ,
Number of Decimals: 2
Taxonomies: Product Types: external (external)
grouped (grouped)
simple (simple)
variable (variable)
Taxonomies: Product Visibility: exclude-from-catalog (exclude-from-catalog)
exclude-from-search (exclude-from-search)
featured (featured)
outofstock (outofstock)
rated-1 (rated-1)
rated-2 (rated-2)
rated-3 (rated-3)
rated-4 (rated-4)
rated-5 (rated-5)
Connected to WooCommerce.com: –
Enforce Approved Product Download Directories: –
### WC Pages ###
Shop basisside: #16557 – /shop-with-sidebar-2/
Kurv: #16564 – /cart/
Checkout: #84 – /checkout/
Min konto: #85 – /login/
Vilkår og betingelser: #20387 – /betingelser/
### Theme ###
Name: Avada Child
Version: 1.0.0
Author URL: https://theme-fusion.com
Child Theme: ?
Parent Theme Name: Avada
Parent Theme Version: 7.7.1
Parent Theme Author URL: https://themeforest.net/user/ThemeFusion
WooCommerce Support: ?
### Templates ###
Overrides: Avada/woocommerce/cart/cart.php
Avada/woocommerce/checkout/form-pay.php
Avada/woocommerce/checkout/review-order.php
Avada/woocommerce/checkout/thankyou.php
Avada-Child-Theme/woocommerce/emails/email-order-items.php
Avada/woocommerce/loop/loop-start.php
Avada/woocommerce/single-product/add-to-cart/variable.php
Avada/woocommerce/single-product/short-description.php
Avada/woocommerce/single-product/tabs/additional-information.php
Avada/woocommerce/single-product/tabs/description.php
### Action Scheduler ###
Gennemført: 89
Oldest: 2022-04-24 15:04:48 +0200
Newest: 2022-05-24 11:36:45 +0200
### Status report information ###
Generated at: 2022-05-25 13:20:35 +02:00
Hi @nalleg,
I’ve checked this on a new installation of WooCommerce Stripe Payment Gateway and the “Log error messages” under “Advanced settings” is disabled by default. If yours appears enabled after each time you disable it, there is likely an ongoing conflict on your site with the theme or one of your other plugins.
Read more about plugin and theme conflicts in our Self-Service Guide.
How to properly protect the wc-logs and other folders from public access (HTTP) on Nginx and OpenLiteSpeed, which do not support the “deny from all” in .htaccess?
This question will be best answered by your hosting provider. They should provide more details on how to properly secure the folder in your specific environment.
Best regards.
Thanks for testing that. I was otherwise certain I hadn’t enabled it myself.
While it is positive that debugging appears not to be enabled per default, the security aspect is still very relevant for all users who enable this option, not knowing that the debug files are automatically publicly available.
Any suggestions for securing the folder are welcome, especially as I host the site on my own droplet, and because other users (everyone not running Apache) are affected.
Hi @nalleg
While it is positive that debugging appears not to be enabled per default, the security aspect is still very relevant for all users who enable this option, not knowing that the debug files are automatically publicly available.
I’d suggest posting this to our Ideas Board, which is where our community can share their feedback or feature requests for WooCommerce plugins or services. The more popular an idea becomes, the more of a priority it is for our developers to review it. You can find the Ideas Board here:
https://ideas.woocommerce.com/forums/133476-woocommerce
Any suggestions for securing the folder are welcome, especially as I host the site on my own droplet, and because other users (everyone not running Apache) are affected.
On a search, I found the following documentation on non htaccess directory access restriction:
Nginx:
https://ubiq.co/tech-blog/nginx-restrict-access-to-directory-and-subdirectories/
OpenLiteSpeed:
https://openlitespeed.org/kb/access-control/#Deny_Access_to_a_Directory_with_Rewrite_Rules
I hope that helps
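The two links above describe the general mechanism. As an added example, not code from this thread, from WooCommerce or from the Stripe plugin, here is a small POSIX shell script that writes the equivalent rule for each server (nginx, which never reads .htaccess, and OpenLiteSpeed, which honours only the rewrite directives in it) and then probes a site from the outside to confirm the directory really answers 403 or 404. The directory path is WooCommerce's default from the first post; the output file names and the curl-based check are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from WooCommerce: generate the
# server-side rules that block HTTP access to the wc-logs directory on
# nginx and on OpenLiteSpeed, then verify the block from the outside.
# WC_LOGS_URI is WooCommerce's default log location; the output file
# names and the curl-based check are assumptions.

WC_LOGS_URI='/wp-content/uploads/wc-logs/'

# nginx ignores .htaccess completely, so the deny lives in the server {}
# block. The "^~" prefix modifier makes this location win over any later
# regex location (e.g. a generic rule that serves *.log or *.txt as static
# files), which is the usual way such a deny gets silently shadowed.
write_nginx_snippet() {
    cat > "$1" <<EOF
# deny HTTP access to WooCommerce logs (added example, place inside server { })
location ^~ ${WC_LOGS_URI} {
    deny all;
    return 403;
}
EOF
}

# OpenLiteSpeed honours only mod_rewrite directives from .htaccess, so the
# deny is written as a rewrite that answers 403 ([F]). It goes into the
# document-root .htaccess, above the "# BEGIN WordPress" block; per-directory
# rewrites see the request path without the leading slash.
write_ols_htaccess() {
    cat > "$1" <<'EOF'
# deny HTTP access to WooCommerce logs (added example, above the WordPress rules)
RewriteEngine On
RewriteRule ^wp-content/uploads/wc-logs/ - [F,L]
EOF
}

# A protected directory must answer 403 (denied) or 404 (hidden); anything
# else, in particular 200, means the logs are still reachable over HTTP.
is_blocked_status() {
    case "$1" in
        403|404) return 0 ;;
        *)       return 1 ;;
    esac
}

# Probe a live site, e.g.: check_site https://shop.example.invalid
check_site() {
    status=$(curl -s -o /dev/null -w '%{http_code}' "$1${WC_LOGS_URI}")
    if is_blocked_status "$status"; then
        echo "ok: $1${WC_LOGS_URI} answers $status"
    else
        echo "EXPOSED: $1${WC_LOGS_URI} answers $status" >&2
        return 1
    fi
}

case "${1:-}" in
    --write) write_nginx_snippet wc-logs-deny.nginx.conf
             write_ols_htaccess  wc-logs-deny.htaccess ;;
    --check) check_site "$2" ;;
esac
```

Run it with `--write` to produce the two fragments, merge the nginx one into your `server { }` block and the OpenLiteSpeed one into the document-root .htaccess above WordPress's own rules, reload the server, and then run `--check https://your-shop` from a machine outside the server. The same check is worth repeating after every server-configuration change, because a later regex location or an edited .htaccess can quietly undo the deny.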
We haven’t heard back from you in a while (I think that at this point you have been able to find a solution), so I’m going to mark this as resolved – we’ll be here if and/or when you are ready to continue.
Thanks.
- The topic ‘Publicly visible debuglog (enabled by default) contains confidential info’ is closed to new replies.