Site Health false positive: WP_DEBUG_LOG warning when debug.log is outside wp-content - Ticket #64071 #10684
Conversation
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Core Committers: Use this line as a base for the props when committing in SVN: To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
|
Hi Team, Can you please help review and update the wordings if needed? Thank You, |
Test using WordPress PlaygroundThe changes in this pull request can previewed and tested using a WordPress Playground instance. WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser. Some things to be aware of
For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation. |
…t false positives
westonruter
left a comment
westonruter
left a comment
There was a problem hiding this comment.
If we wanted to go the extra mile, there could be a loopback request to try to actually request the file over HTTP to see if it returns anything. This may not be helpful in the end, however, as the file may not be present if nothing has been written to the log yet. Just an idea.
Thanks @westonruter, I thought of an edge case as well, what if there is no any log file present, then |
Good point. Well, in that case you could always check to see if wordpress-develop/src/wp-includes/load.php Lines 622 to 623 in 5a53b94 If, however, they do something like: define( 'WP_DEBUG_LOG`, ABSPATH . 'debug.log' );Then checking |
There was a problem hiding this comment.
Pull request overview
This PR fixes a false positive in WordPress Site Health where a warning about WP_DEBUG_LOG being set to a potentially public file is shown even when the debug log is configured to be outside the wp-content directory (and thus not publicly accessible).
Changes:
- Modified the debug mode check to determine if error log files are within or outside the WordPress document root
- Added different status levels (critical vs good) and messages based on whether the log file is publicly accessible
- Differentiated messaging between WP_DEBUG_LOG constant usage and direct PHP error_log configuration
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| if ( ! empty( ini_get( 'error_log' ) ) ) { | ||
| $debug_log_path = realpath( dirname( ini_get( 'error_log' ) ) ) . DIRECTORY_SEPARATOR; | ||
| $absolute_path = realpath( ABSPATH ) . DIRECTORY_SEPARATOR; | ||
| $is_public_log = $debug_log_path && $absolute_path && str_starts_with( $debug_log_path, $absolute_path ); |
There was a problem hiding this comment.
The variable name $is_public_log is misleading when it's false. A value of false could mean either "the log is not public" (which is good) or "we couldn't determine the path" (which is an error). Consider renaming or restructuring to make the distinction clearer, or handle the error case explicitly.
There was a problem hiding this comment.
Implemented as below,
$log_path_status = 'private';
if ( false === $debug_log_path ) {
$log_path_status = 'error';
} elseif ( str_starts_with( $debug_log_path . DIRECTORY_SEPARATOR, $absolute_path ) ) {
$log_path_status = 'public';
}
$is_wp_debug_log = defined( 'WP_DEBUG_LOG' ) && WP_DEBUG_LOG;
if ( $log_path_status === 'public' ) {
$result['label'] = __( 'Your site is set to log errors to a potentially public file' );
$result['status'] = 'critical';
} elseif ( $log_path_status === 'private' ) {
$result['label'] = __( 'Your site is set to log errors to a file outside the document root' );
$result['status'] = 'good';
} else {
$result['label'] = __( 'Unable to determine error log file location' );
$result['status'] = 'critical';
}Update the $result['description'] based on the $log_path_status as below,
if ( $is_wp_debug_log ) {
$result['description'] .= sprintf(
'<p>%s</p>',
sprintf(
/* translators: %s: WP_DEBUG_LOG */
$log_path_status === 'public'
? __( 'The constant, %s, has been added to this website’s configuration file. This means any errors on the site will be written to a file which is likely publicly accessible.' )
: ( $log_path_status === 'private'
? __( 'The configuration constant, %s, is enabled. In addition, your site is set to write errors to a file outside the WordPress directory, which is a good practice as the log file should not be publicly accessible.' )
: __( 'The configuration constant, %s, is enabled, but the log file location could not be determined.' )
),
'<code>WP_DEBUG_LOG</code>'
)
);
} else {
$result['description'] .= sprintf(
'<p>%s</p>',
$log_path_status === 'public'
? __( 'The error log path has been configured to a file within your WordPress directory. This means any errors on the site will be written to a file which is likely publicly accessible.' )
: ( $log_path_status === 'private'
? __( 'The error log path has been configured to a file outside your WordPress directory. This is a good practice as the log file should not be publicly accessible.' )
: __( 'The error log path could not be determined. Please check your PHP configuration.' )
)
);
}There was a problem hiding this comment.
@hbhalodia Could the setting of the $result['description'] be moved up to the existing if/elseif/else for $log_path_status? This would ensure there is only one set of conditions, and it would address the nested ternary feedback from Copilot in #10684 (comment)
There was a problem hiding this comment.
This is now moved to if/elseif/else condition. But we have to check for $is_wp_debug_log constant being set or not. So it would be something like below,
if ( 'public' === $log_path_status ) {
$result['label'] = __( 'Your site is set to log errors to a potentially public file' );
$result['status'] = 'critical';
if ( $is_wp_debug_log ) {
$result['description'] .= sprintf(
'<p>%s</p>',
sprintf(
/* translators: %s: WP_DEBUG_LOG */
__( 'The constant, %s, has been added to this website’s configuration file. This means any errors on the site will be written to a file which is likely publicly accessible.' ),
'<code>WP_DEBUG_LOG</code>'
)
);
} else {
$result['description'] .= sprintf(
'<p>%s</p>',
__( 'The error log path has been configured to a file within the WordPress directory. This means any errors on the site will be written to a file which is likely publicly accessible.' )
);
}
} elseif ( 'private' === $log_path_status ) {
$result['label'] = __( 'Your site is set to log errors to a file outside the document root' );
$result['status'] = 'good';
if ( $is_wp_debug_log ) {
$result['description'] .= sprintf(
'<p>%s</p>',
sprintf(
/* translators: %s: WP_DEBUG_LOG */
__( 'The configuration constant, %s, is enabled. In addition, your site is set to write errors to a file outside the WordPress directory, which is a good practice as the log file should not be publicly accessible.' ),
'<code>WP_DEBUG_LOG</code>'
)
);
} else {
$result['description'] .= sprintf(
'<p>%s</p>',
__( 'The error log path has been configured to a file outside the WordPress directory. This is a good practice as the log file should not be publicly accessible.' )
);
}
} else {
$result['label'] = __( 'Unable to determine error log file location' );
$result['status'] = 'critical';
if ( $is_wp_debug_log ) {
$result['description'] .= sprintf(
'<p>%s</p>',
sprintf(
/* translators: %s: WP_DEBUG_LOG */
__( 'The configuration constant, %s, is enabled, but the log file location could not be determined.' ),
'<code>WP_DEBUG_LOG</code>'
)
);
} else {
$result['description'] .= sprintf(
'<p>%s</p>',
__( 'The error log path could not be determined. Please check your PHP configuration.' )
);
}
}
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 6 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
3 participants
Trac ticket: https://core.trac.wordpress.org/ticket/64071
Screenshots
This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.