From f99e00995384ce27b84dcd92ab62fdaada03e072 Mon Sep 17 00:00:00 2001 From: hbhalodia Date: Tue, 6 Jan 2026 11:40:24 +0530 Subject: [PATCH 1/9] CoreTrac-64071 Show different warning if debug.log is publicly accessible --- .../includes/class-wp-site-health.php | 42 ++++++++++++++----- 1 file changed, 32 insertions(+), 10 deletions(-) diff --git a/src/wp-admin/includes/class-wp-site-health.php b/src/wp-admin/includes/class-wp-site-health.php index a5a8c7f4dade2..0fba3cda20c36 100644 --- a/src/wp-admin/includes/class-wp-site-health.php +++ b/src/wp-admin/includes/class-wp-site-health.php @@ -1409,18 +1409,40 @@ public function get_test_is_in_debug_mode() { if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) { if ( defined( 'WP_DEBUG_LOG' ) && WP_DEBUG_LOG ) { - $result['label'] = __( 'Your site is set to log errors to a potentially public file' ); + // Resolve the actual log path. + $log_path = WP_DEBUG_LOG === true ? WP_CONTENT_DIR . '/debug.log' : WP_DEBUG_LOG; + $log_path = realpath( $log_path ); + $absolute_path = realpath( ABSPATH ); - $result['status'] = str_starts_with( ini_get( 'error_log' ), ABSPATH ) ? 'critical' : 'recommended'; + // Only show warning if log is inside ABSPATH (publicly accessible). + // If paths cannot be resolved or log is outside ABSPATH, skip the warning. + if ( $log_path && $absolute_path && str_starts_with( $log_path, $absolute_path ) ) { + $result['label'] = __( 'Your site is set to log errors to a potentially public file' ); - $result['description'] .= sprintf( - '

%s

', - sprintf( - /* translators: %s: WP_DEBUG_LOG */ - __( 'The value, %s, has been added to this website’s configuration file. This means any errors on the site will be written to a file which is potentially available to all users.' ), - 'WP_DEBUG_LOG' - ) - ); + $result['status'] = 'critical'; + + $result['description'] .= sprintf( + '

%s

', + sprintf( + /* translators: %s: WP_DEBUG_LOG */ + __( 'The value, %s, has been added to this website’s configuration file. This means any errors on the site will be written to a file which is potentially available to all users.' ), + 'WP_DEBUG_LOG' + ) + ); + } elseif ( $log_path && $absolute_path && ! str_starts_with( $log_path, $absolute_path ) ) { + $result['label'] = __( 'Your site is set to log errors to a file outside the public directory' ); + + $result['status'] = 'good'; + + $result['description'] .= sprintf( + '

%s

', + sprintf( + /* translators: %s: WP_DEBUG_LOG */ + __( 'The value, %s, has been configured to write errors to a file outside the WordPress directory. This is a good practice as the log file is not publicly accessible.' ), + 'WP_DEBUG_LOG' + ) + ); + } } if ( defined( 'WP_DEBUG_DISPLAY' ) && WP_DEBUG_DISPLAY ) { From bcebdf81ca11d576cd372a1d8ea078f00627dde9 Mon Sep 17 00:00:00 2001 From: hbhalodia Date: Tue, 6 Jan 2026 11:46:42 +0530 Subject: [PATCH 2/9] CoreTrac-64071 Update the wordings and code structure --- src/wp-admin/includes/class-wp-site-health.php | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/src/wp-admin/includes/class-wp-site-health.php b/src/wp-admin/includes/class-wp-site-health.php index 0fba3cda20c36..28f9f9229fb03 100644 --- a/src/wp-admin/includes/class-wp-site-health.php +++ b/src/wp-admin/includes/class-wp-site-health.php @@ -1409,14 +1409,11 @@ public function get_test_is_in_debug_mode() { if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) { if ( defined( 'WP_DEBUG_LOG' ) && WP_DEBUG_LOG ) { - // Resolve the actual log path. - $log_path = WP_DEBUG_LOG === true ? WP_CONTENT_DIR . '/debug.log' : WP_DEBUG_LOG; - $log_path = realpath( $log_path ); - $absolute_path = realpath( ABSPATH ); - - // Only show warning if log is inside ABSPATH (publicly accessible). - // If paths cannot be resolved or log is outside ABSPATH, skip the warning. - if ( $log_path && $absolute_path && str_starts_with( $log_path, $absolute_path ) ) { + $debug_log_path = WP_DEBUG_LOG === true ? WP_CONTENT_DIR . '/debug.log' : WP_DEBUG_LOG; + $debug_log_path = realpath( $debug_log_path ); + $absolute_path = realpath( ABSPATH ); + + if ( $debug_log_path && $absolute_path && str_starts_with( $debug_log_path, $absolute_path ) ) { $result['label'] = __( 'Your site is set to log errors to a potentially public file' ); $result['status'] = 'critical'; 
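Review bot: Being outside `ABSPATH` does not establish that the log cannot be fetched over HTTP, yet the new `elseif` branch sets `$result['status'] = 'good';` and tells the administrator the file "is not publicly accessible". The server's document root can sit above ABSPATH when WordPress is installed in a subdirectory, and `WP_CONTENT_DIR` can be relocated to another served directory, so a log that is still web-reachable can pass this prefix test. Either keep `$result['status'] = 'recommended';` in that branch, or reword the description to say only that the file is outside the WordPress directory. The same assumption carries through the later patches in this series; `get_test_is_in_debug_mode()` starts and ends outside the hunk.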
@@ -1429,7 +1426,7 @@ public function get_test_is_in_debug_mode() { 'WP_DEBUG_LOG' ) ); - } elseif ( $log_path && $absolute_path && ! str_starts_with( $log_path, $absolute_path ) ) { + } else { $result['label'] = __( 'Your site is set to log errors to a file outside the public directory' ); $result['status'] = 'good'; From 3749fefe3ced4646735f64013929e8c3dd995f0b Mon Sep 17 00:00:00 2001 From: hbhalodia Date: Thu, 8 Jan 2026 12:18:15 +0530 Subject: [PATCH 3/9] CoreTrac-64071 Add the directory separator to absolute path to prevent false positives --- src/wp-admin/includes/class-wp-site-health.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-admin/includes/class-wp-site-health.php b/src/wp-admin/includes/class-wp-site-health.php index 28f9f9229fb03..845c6e1fcc354 100644 --- a/src/wp-admin/includes/class-wp-site-health.php +++ b/src/wp-admin/includes/class-wp-site-health.php @@ -1411,7 +1411,7 @@ public function get_test_is_in_debug_mode() { if ( defined( 'WP_DEBUG_LOG' ) && WP_DEBUG_LOG ) { $debug_log_path = WP_DEBUG_LOG === true ? WP_CONTENT_DIR . '/debug.log' : WP_DEBUG_LOG; $debug_log_path = realpath( $debug_log_path ); - $absolute_path = realpath( ABSPATH ); + $absolute_path = realpath( ABSPATH ) . DIRECTORY_SEPARATOR; if ( $debug_log_path && $absolute_path && str_starts_with( $debug_log_path, $absolute_path ) ) { $result['label'] = __( 'Your site is set to log errors to a potentially public file' ); From 863600296cfbfd72d4fafd190917135d59f8afdf Mon Sep 17 00:00:00 2001 From: hbhalodia Date: Thu, 8 Jan 2026 12:59:11 +0530 Subject: [PATCH 4/9] CoreTrac-64071 Update wordings in message to show in site-health for debug constants --- src/wp-admin/includes/class-wp-site-health.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/wp-admin/includes/class-wp-site-health.php b/src/wp-admin/includes/class-wp-site-health.php index 845c6e1fcc354..19062d32bbf86 100644 --- a/src/wp-admin/includes/class-wp-site-health.php 
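Review bot: The bare `} else {` now catches every case that was not proven to be inside ABSPATH, including a failed `realpath()`, so an unresolved log path gets the "outside the public directory" label with status `good`. `realpath()` returns `false` for a path that does not exist, which is the case for a log file that has not been written yet, so a freshly enabled `WP_DEBUG_LOG` would pass. A security check should not report success when it could not evaluate its input. Keep a resolved-path condition on the good branch, `} elseif ( $debug_log_path && $absolute_path ) {`, and add a final `else` that sets `$result['status'] = 'recommended';`.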
+++ b/src/wp-admin/includes/class-wp-site-health.php @@ -1422,12 +1422,12 @@ public function get_test_is_in_debug_mode() { '

%s

', sprintf( /* translators: %s: WP_DEBUG_LOG */ - __( 'The value, %s, has been added to this website’s configuration file. This means any errors on the site will be written to a file which is potentially available to all users.' ), + __( 'The constant, %s, has been added to this website’s configuration file. This means any errors on the site will be written to a file which is likely publicly accessible.' ), 'WP_DEBUG_LOG' ) ); } else { - $result['label'] = __( 'Your site is set to log errors to a file outside the public directory' ); + $result['label'] = __( 'Your site is set to log errors to a file outside the document root' ); $result['status'] = 'good'; @@ -1435,7 +1435,7 @@ public function get_test_is_in_debug_mode() { '

%s

', sprintf( /* translators: %s: WP_DEBUG_LOG */ - __( 'The value, %s, has been configured to write errors to a file outside the WordPress directory. This is a good practice as the log file is not publicly accessible.' ), + __( 'The configuration constant, %s, has been set to write errors to a file outside the WordPress directory. This is a good practice as the log file should not be publicly accessible' ), 'WP_DEBUG_LOG' ) ); From ffda9d84203ed83031858ed81cf7cd6a60ca1a91 Mon Sep 17 00:00:00 2001 From: hbhalodia Date: Fri, 9 Jan 2026 10:02:16 +0530 Subject: [PATCH 5/9] CoreTrac-64071 Check the directory of log instead of checking file --- src/wp-admin/includes/class-wp-site-health.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-admin/includes/class-wp-site-health.php b/src/wp-admin/includes/class-wp-site-health.php index 19062d32bbf86..bd98483958c43 100644 --- a/src/wp-admin/includes/class-wp-site-health.php +++ b/src/wp-admin/includes/class-wp-site-health.php @@ -1410,7 +1410,7 @@ public function get_test_is_in_debug_mode() { if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) { if ( defined( 'WP_DEBUG_LOG' ) && WP_DEBUG_LOG ) { $debug_log_path = WP_DEBUG_LOG === true ? WP_CONTENT_DIR . '/debug.log' : WP_DEBUG_LOG; - $debug_log_path = realpath( $debug_log_path ); + $debug_log_path = realpath( dirname ( $debug_log_path ) ) . DIRECTORY_SEPARATOR; $absolute_path = realpath( ABSPATH ) . DIRECTORY_SEPARATOR; if ( $debug_log_path && $absolute_path && str_starts_with( $debug_log_path, $absolute_path ) ) { From b98ece613c9fc6cf9e7f47d043a5644209a1b81a Mon Sep 17 00:00:00 2001 From: hbhalodia Date: Fri, 9 Jan 2026 10:05:32 +0530 Subject: [PATCH 6/9] CoreTrac-64071 Fix phpcs error --- src/wp-admin/includes/class-wp-site-health.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-admin/includes/class-wp-site-health.php b/src/wp-admin/includes/class-wp-site-health.php index bd98483958c43..f622af863b7de 100644 
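Review bot: Appending `DIRECTORY_SEPARATOR` directly to the `realpath()` result on the changed line turns a `false` return into a non-empty string, so the `$debug_log_path &&` guard in the following `if` can no longer detect an unresolved directory. That case then falls into the `else` branch and is reported as `good`, which is the unsafe direction for this check. Resolve first and append afterwards: `$debug_log_dir = realpath( dirname( $debug_log_path ) );`, test `false !== $debug_log_dir`, and only then compare `$debug_log_dir . DIRECTORY_SEPARATOR`. The `$absolute_path` line has the same pattern, and both are carried unchanged into the hunks of patches 7 and 9. The enclosing method starts and ends outside the hunk.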
--- a/src/wp-admin/includes/class-wp-site-health.php +++ b/src/wp-admin/includes/class-wp-site-health.php @@ -1410,7 +1410,7 @@ public function get_test_is_in_debug_mode() { if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) { if ( defined( 'WP_DEBUG_LOG' ) && WP_DEBUG_LOG ) { $debug_log_path = WP_DEBUG_LOG === true ? WP_CONTENT_DIR . '/debug.log' : WP_DEBUG_LOG; - $debug_log_path = realpath( dirname ( $debug_log_path ) ) . DIRECTORY_SEPARATOR; + $debug_log_path = realpath( dirname( $debug_log_path ) ) . DIRECTORY_SEPARATOR; $absolute_path = realpath( ABSPATH ) . DIRECTORY_SEPARATOR; if ( $debug_log_path && $absolute_path && str_starts_with( $debug_log_path, $absolute_path ) ) { From 2da8e227d537ce68980c0d5161b5ff6e8be1f992 Mon Sep 17 00:00:00 2001 From: hbhalodia Date: Fri, 9 Jan 2026 10:27:58 +0530 Subject: [PATCH 7/9] CoreTrac-64071 Update the debug_log_path to use error_log config --- src/wp-admin/includes/class-wp-site-health.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/wp-admin/includes/class-wp-site-health.php b/src/wp-admin/includes/class-wp-site-health.php index f622af863b7de..2f0313f4b8486 100644 --- a/src/wp-admin/includes/class-wp-site-health.php +++ b/src/wp-admin/includes/class-wp-site-health.php @@ -1409,8 +1409,7 @@ public function get_test_is_in_debug_mode() { if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) { if ( defined( 'WP_DEBUG_LOG' ) && WP_DEBUG_LOG ) { - $debug_log_path = WP_DEBUG_LOG === true ? WP_CONTENT_DIR . '/debug.log' : WP_DEBUG_LOG; - $debug_log_path = realpath( dirname( $debug_log_path ) ) . DIRECTORY_SEPARATOR; + $debug_log_path = realpath( dirname( ini_get( 'error_log' ) ) ) . DIRECTORY_SEPARATOR; $absolute_path = realpath( ABSPATH ) . DIRECTORY_SEPARATOR; if ( $debug_log_path && $absolute_path && str_starts_with( $debug_log_path, $absolute_path ) ) { From ad94980adf9632c5627ad2415543c9f9891771d3 Mon Sep 17 00:00:00 2001 
From: hbhalodia Date: Mon, 12 Jan 2026 09:23:16 +0530 Subject: [PATCH 8/9] CoreTrac-64071 Fix grammetical mistake --- src/wp-admin/includes/class-wp-site-health.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-admin/includes/class-wp-site-health.php b/src/wp-admin/includes/class-wp-site-health.php index 48fa53949db30..eb02cfcb8a55f 100644 --- a/src/wp-admin/includes/class-wp-site-health.php +++ b/src/wp-admin/includes/class-wp-site-health.php @@ -1434,7 +1434,7 @@ public function get_test_is_in_debug_mode() { '

%s

', sprintf( /* translators: %s: WP_DEBUG_LOG */ - __( 'The configuration constant, %s, has been set to write errors to a file outside the WordPress directory. This is a good practice as the log file should not be publicly accessible' ), + __( 'The configuration constant, %s, has been set to write errors to a file outside the WordPress directory. This is a good practice as the log file should not be publicly accessible.' ), 'WP_DEBUG_LOG' ) ); From 551f125c799412db94456a137c2da3c0a46c5a07 Mon Sep 17 00:00:00 2001 From: hbhalodia Date: Mon, 12 Jan 2026 09:45:20 +0530 Subject: [PATCH 9/9] CoreTrac-64071 Update message based on how log file is being set --- .../includes/class-wp-site-health.php | 32 ++++++++++--------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/src/wp-admin/includes/class-wp-site-health.php b/src/wp-admin/includes/class-wp-site-health.php index eb02cfcb8a55f..a0d0cba142f9f 100644 --- a/src/wp-admin/includes/class-wp-site-health.php +++ b/src/wp-admin/includes/class-wp-site-health.php 
@@ -1408,35 +1408,37 @@ public function get_test_is_in_debug_mode() { ); if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) { - if ( defined( 'WP_DEBUG_LOG' ) && WP_DEBUG_LOG ) { - $debug_log_path = realpath( dirname( ini_get( 'error_log' ) ) ) . DIRECTORY_SEPARATOR; - $absolute_path = realpath( ABSPATH ) . DIRECTORY_SEPARATOR; + if ( ! empty( ini_get( 'error_log' ) ) ) { + $debug_log_path = realpath( dirname( ini_get( 'error_log' ) ) ) . DIRECTORY_SEPARATOR; + $absolute_path = realpath( ABSPATH ) . DIRECTORY_SEPARATOR; + $is_public_log = $debug_log_path && $absolute_path && str_starts_with( $debug_log_path, $absolute_path ); + $is_wp_debug_log = defined( 'WP_DEBUG_LOG' ) && WP_DEBUG_LOG; - if ( $debug_log_path && $absolute_path && str_starts_with( $debug_log_path, $absolute_path ) ) { + if ( $is_public_log ) { $result['label'] = __( 'Your site is set to log errors to a potentially public file' ); - $result['status'] = 'critical'; + } else { + $result['label'] = __( 'Your site is set to log errors to a file outside the document root' ); + $result['status'] = 'good'; + } + if ( $is_wp_debug_log ) { $result['description'] .= sprintf( '

%s

', sprintf( /* translators: %s: WP_DEBUG_LOG */ - __( 'The constant, %s, has been added to this website’s configuration file. This means any errors on the site will be written to a file which is likely publicly accessible.' ), + $is_public_log + ? __( 'The constant, %s, has been added to this website’s configuration file. This means any errors on the site will be written to a file which is likely publicly accessible.' ) + : __( 'The configuration constant, %s, has been set to write errors to a file outside the WordPress directory. This is a good practice as the log file should not be publicly accessible.' ), 'WP_DEBUG_LOG' ) ); } else { - $result['label'] = __( 'Your site is set to log errors to a file outside the document root' ); - - $result['status'] = 'good'; - $result['description'] .= sprintf( '

%s

', - sprintf( - /* translators: %s: WP_DEBUG_LOG */ - __( 'The configuration constant, %s, has been set to write errors to a file outside the WordPress directory. This is a good practice as the log file should not be publicly accessible.' ), - 'WP_DEBUG_LOG' - ) + $is_public_log + ? __( 'The error log path has been configured to a file within your WordPress directory. This means any errors on the site will be written to a file which is likely publicly accessible.' ) + : __( 'The error log path has been configured to a file outside your WordPress directory. This is a good practice as the log file should not be publicly accessible.' ) ); } }
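Review bot: The new outer condition `! empty( ini_get( 'error_log' ) )` admits values that are not absolute file paths, and `realpath( dirname( … ) )` resolves those against the current working directory rather than the real log destination. PHP accepts `syslog` as an `error_log` value, for which `dirname()` yields `.`; during an admin request that presumably resolves inside the WordPress tree and would report `critical` for a log that is not a file at all. A relative file name is likewise judged by whatever directory the health check happens to run in. Read the setting once with `$error_log = ini_get( 'error_log' );` and gate the path test with `if ( $error_log && 'syslog' !== $error_log && path_is_absolute( $error_log ) ) {`, handling the remaining values in a separate branch that makes no claim about public access.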