WordPress debug.log

When you install a WordPress site via SpinupWP, both WP_DEBUG and WP_DEBUG_LOG are enabled by default. This is because debug.log is useful for finding obscure issues which are hard to track down, especially on live sites. However, this often goes against conventional wisdom, which generally discourages the use of WP_DEBUG_LOG on live sites. Usually for the following reasons:

  1. The debug.log file is stored in a publicly accessible location. Meaning anyone can view your error logs simply by visiting the log file’s URL (acmepublishing.com/wp-content/debug.log). This can expose potentially sensitive information about your server to would-be hackers.

  2. Log files can grow exponentially in size when left unmonitored. This is especially true of WordPress debug.log, which can quickly fill up due to errors and warnings caused by WordPress themes and plugins.

SpinupWP mitigates both of these issues, allowing you to utilize debug.log without the disadvantages.

Saving debug.log to a better location

By default, WordPress saves debug.log to the wp-content folder which is publicly accessible and not a good place for logs from a security perspective. And so our WordPress plugin changes the path where WordPress saves the debug.log file to /sites/DOMAIN/logs/ so that it is not publicly accessible and sits alongside other log files. If you don’t have our plugin installed, we recommend that you install it.

Since most people expect the debug.log to be located in the wp-content folder, we do add a debug.log symlink that points to the changed path but configure Nginx to disallow access to it.

Denying access to .log files

Nginx is configured to disallow access to .log files. This is achieved via the following Nginx location block:

# Prevent access to certain file extensions
location ~\.(ini|log|conf)$ {
    deny all;

Log Rotation

logrotate is configured to rotate, compress and remove old log files. All *.log files created in your /sites/DOMAIN/logs/ directory will automatically be rotated daily (after reaching 1MB in size). Old versions of log files are compressed with gzip and deleted after 14 days. You can modify this behaviour for each site, by editing your site’s corresponding logrotate config file, located at:


We do not recommend that you enable WP_DEBUG_DISPLAY for live sites.

Start Your 7-Day Free Trial

Start your SpinupWP journey today and spin up your first server within minutes.

Subscribe to get the latest news, updates and optimizations in performance and security.

Thanks for subscribing 👍

To receive awesome stuff, you'll need to head to your inbox and click on the verification link we sent you.
Make sure to check your "spam" folder or your "promotions" tab (if you have Gmail).
If you're still having trouble, then message us at sudo@spinupwp.com.

You are already logged in

It looks like you are already logged in to SpinupWP.

Please log out of this account to continue.

Registration Successful

Thanks for registering for a new
SpinupWP account.

Before getting started, could you verify your email address by clicking on the link we just emailed to you?


Free Trial

Start Your 7-Day Free Trial

No credit card required. All features included.

By signing up to SpinupWP, you agree to our Terms and Conditions.
For privacy related information, view our Privacy Policy.