WordPress debug.log

When you install a WordPress site via SpinupWP, both WP_DEBUG and WP_DEBUG_LOG are enabled by default. This is because debug.log is useful for finding obscure issues which are hard to track down, especially on live sites. However, this often goes against conventional wisdom, which generally discourages the use of WP_DEBUG_LOG on live sites, usually for the following reasons:

  1. The debug.log file is stored in a publicly accessible location, meaning anyone can view your error logs simply by visiting the log file’s URL (acmepublishing.com/wp-content/debug.log). This can expose potentially sensitive information about your server to would-be hackers.

  2. Log files can grow exponentially in size when left unmonitored. This is especially true of WordPress debug.log, which can quickly fill up due to errors and warnings caused by WordPress themes and plugins.

SpinupWP mitigates both of these issues, allowing you to utilize debug.log without the disadvantages.

Saving debug.log to a better location

By default, WordPress saves debug.log to the wp-content folder, which is publicly accessible and not a good place for logs from a security perspective. For this reason, our WordPress plugin changes the path where WordPress saves the debug.log file to /sites/DOMAIN/logs/, so that it is not publicly accessible and sits alongside other log files. If you don’t have our plugin installed, we recommend that you install it.

Since most people expect debug.log to be located in the wp-content folder, we add a debug.log symlink there that points to the changed path, but configure Nginx to disallow access to it.

Denying access to .log files

Nginx is configured to disallow access to .log files. This is achieved via the following Nginx location block:

# Prevent access to certain file extensions
location ~\.(ini|log|conf)$ {
    deny all;
}
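
To check a site against the two protections described above (the log stored outside the web root, and the deny rule for .log files), the following audit script is an added example and not SpinupWP's own code. WEBROOT is an assumed argument (the directory Nginx serves for the site), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not SpinupWP's code. WEBROOT is whatever directory Nginx serves
# for the site (an assumption; pass your own path).

# Same regex as the Nginx location block on this page (case-sensitive, like "~").
DENY_RE='\.(ini|log|conf)$'

# is_denied URI_PATH -> exit 0 if the deny rule would match the request path.
is_denied() {
    printf '%s\n' "$1" | grep -Eq "$DENY_RE"
}

# audit_webroot WEBROOT -> print log-like files under WEBROOT whose URL path the
# rule does NOT match (e.g. rotated or compressed copies left in the web root).
audit_webroot() {
    root=${1%/}
    find "$root" \( -type f -o -type l \) \
        \( -name '*.log' -o -name '*.log.*' -o -name '*.log-*' -o -name 'error_log' \) |
    while IFS= read -r f; do
        rel=/${f#"$root"/}
        is_denied "$rel" || printf '%s\n' "$rel"
    done | sort
}

# log_is_outside_webroot WEBROOT -> exit 0 if wp-content/debug.log (file or
# symlink) resolves to a path outside WEBROOT, 1 if it resolves inside it.
log_is_outside_webroot() {
    root=$(readlink -f "${1%/}") || return 2
    target=$(readlink -f "$root/wp-content/debug.log") || return 2
    case "$target" in
        "$root"/*) return 1 ;;
        *) return 0 ;;
    esac
}
```

Any path printed by audit_webroot is a file to move out of the web root or to cover with an additional deny rule.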

Log Rotation

logrotate is configured to rotate, compress and remove old log files. All *.log files created in your /sites/DOMAIN/logs/ directory will automatically be rotated daily (after reaching 1MB in size). Old versions of log files are compressed with gzip and deleted after 14 days. You can modify this behaviour for each site by editing your site’s corresponding logrotate config file, located at:

/etc/logrotate.d/DOMAIN

We do not recommend that you enable WP_DEBUG_DISPLAY for live sites.