Why is leaving WP_DEBUG_LOG set to true a security risk on a live site?

It writes errors to /wp-content/debug.log, which is publicly accessible by default and has been indexed by Google on thousands of sites, potentially exposing sensitive server information.

How can I safely use WP_DEBUG_LOG without exposing the log file?

Pass a custom, hard-to-guess filename string instead of true, for example define('WP_DEBUG_LOG', 'myRandomFileName.log'), so the file cannot be found by guessing the default path.

How does mySites.guru help manage WordPress debug constants across many sites?

The mySites.guru snapshot reads each site's wp-config.php, flags constants that do not match best practice, and offers one-click toggles to fix them without manual file editing.

WordPress Debug Constants Explained

WordPress has a handful of PHP constants that control how errors are reported. They all live in your /wp-config.php file, and most WordPress developers never touch them. That’s usually fine until something breaks and you have no idea why.

Here’s what each one does, when to use it, and a common mistake with WP_DEBUG_LOG that could be exposing your error logs to the entire internet.

The official docs are over at WordPress.org’s Advanced Administration Handbook if you want the full reference.

WP_DEBUG

This is the main switch. Set it to true and WordPress will show PHP errors, notices, and warnings on screen.

define( 'WP_DEBUG', true );

Leave this on in development, turn it off in production. Simple.

WP_DEBUG_LOG

Instead of printing errors to the screen, this writes them to a log file. Useful for production sites where you don’t want visitors seeing PHP warnings.

define( 'WP_DEBUG_LOG', true );

Here’s the catch: this creates a file at /wp-content/debug.log which, depending on your server config, is publicly accessible. Worse, Google has already indexed thousands of them. Gulp.

allinurl search for wp-content/debug.log

Instead of passing true, pass a custom filename:

define( 'WP_DEBUG_LOG', 'myOwnRandomFileName_as8f6safsif.log' );

Now nobody can guess the URL.

WP_DEBUG_DISPLAY

Controls whether errors show on screen. Set to false on live sites so errors get logged but visitors don’t see them.

define( 'WP_DEBUG_DISPLAY', false );

SCRIPT_DEBUG

Forces WordPress to load the full, unminified versions of its CSS and JS files instead of the minified ones. Handy when you’re debugging front-end issues and need to actually read the source.

define( 'SCRIPT_DEBUG', true );

SAVEQUERIES

Stores every database query in $wpdb->queries so you can inspect them. Good for tracking down slow queries, but leave it off in production because it adds overhead.

define( 'SAVEQUERIES', true );

Checking these across all your sites with mySites.guru

Manually checking wp-config.php on every site gets old fast. The mySites.guru snapshot reads your WordPress config and flags anything that doesn’t match best practice. Most settings have one-click toggles so you can fix them without editing files. The same one-click approach works for other WordPress configuration checks, like removing the WordPress logo from the admin bar.

constants on one WordPress site

You can also view any single constant across all your connected sites at once using the Ultimate Toolset. Click through any snapshot tool to see that value on every site in one view.

view constant across all sites

Need someone to fix it for you?

If debugging isn’t your thing, or you’d rather not deal with it, we offer set-fee site fixes at fix.mysites.guru. No hourly billing, no surprises.

Try mySites.guru free for a month

We haven’t raised our prices since 2012. But if you want to see the toolset for yourself first, you can use mySites.guru free for a whole month.

Out of your depth? Need Help?

Phil Taylor

The Original Joomla Expert – Since 2004

Found issues with your Joomla or WordPress site? Get same-day expert help fixing errors, security issues, and performance problems. Flat-rate pricing, no hourly billing surprises.

● Fix hacked or compromised sites
● Resolve PHP errors & White Screen of Death
● System upgrades & PHP 8 compatibility
● Performance optimization & hosting issues
● £120 flat rate per incident

Get Expert Help TODAY! →

If we can't add value, you don't pay • Same-day turnaround

20+ Years – Fixing Websites

Need Help Addressing Health Check Issues?

Phil Taylor has been fixing Joomla sites since 2004. If it were simple, you would have done it yourself by now. Get professional help from someone who's seen it all.

✓ 20+ years of Joomla & PHP expertise
✓ Same-day turnaround on most issues
✓ No charge if we can't add value or fix the problem