Join Jeff Starr for an in-depth discussion in this video, Disable error display, part of WordPress: Developing Secure Sites.
- [Instructor] Displaying PHP errors and warnings in the browser may be useful during site development. But on a live production site, it's a security risk that should be avoided. This video explains how to make sure that your WordPress-powered site is configured to not display errors. Here is what we are talking about in this tutorial. When errors are displayed on your site, as they are here, sensitive information about your server and setup is revealed to the public. So anyone or thing that catches the error may use it to exploit your site.
For example, as you can see here, the full server path is revealed, along with the function names and other information that could provide an attacker with leverage. And to regular visitors, it just looks bad, like there are some serious problems with your site. So we're going to lock this down, and make sure that doesn't happen. By default, error display is disabled by WordPress. So if you're setting up a new site, there shouldn't be anything to worry about. But if your site has been around a while, and there have been changes made, or work has been done on the server, or maybe your host or associate has helped to troubleshoot an issue, then there is a chance that WordPress is configured to display errors.
And so why take a chance? It's just not worth it, especially when it takes literally five seconds to check and lock things down. All you need to do is open the WordPress configuration file. Scroll down, and look for the following line. As you can see, currently the value of the debug constant is set to true, followed by two similar constants, debug log and debug display, which are also set to true. This is why the errors are displayed on our demo site.
So to stop our site from displaying errors, we need to set those debug constants to false. Let's go ahead and make the required changes. After changing all values to false, we can save our changes and upload the file to the server. Note that if you don't see all of these constants in your configuration file, that's okay, because their default values are all false. For more details, check out the WordPress codex. At this point, we've changed the debug constants to false, and have uploaded the configuration file to the server.
So now let's revisit the example post and see if the errors are still displayed. We refresh the page, and perfecto, error display is now disabled for the site. Note that it's important to keep an eye on your site's errors, even when they're not displayed on the front end. Check out the tutorial on further security techniques later in this series for more information. In this video, we prevent sensitive server information from being displayed publicly online. By disabling error display on live production sites, we close the gap and further tighten the security of our WordPress site.
This is another example of how being mindful and checking the details can help keep your site safe and secure.
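The wp-config.php change walked through above, written out as an added example (not the course's own file): the exposed settings from the demo site, the production settings with all three constants false, plus the PHP-level fallback and a log-only variant for keeping an eye on errors without showing them. The log file paths are assumptions; pick a location outside the web root on your server.

```php
<?php
// wp-config.php excerpt. These defines must appear before the line
// require_once ABSPATH . 'wp-settings.php'; or WordPress will not see them.

// Exposed configuration, as on the demo site: every PHP notice and warning,
// including full server paths and function names, is rendered to visitors.
// define( 'WP_DEBUG', true );
// define( 'WP_DEBUG_LOG', true );
// define( 'WP_DEBUG_DISPLAY', true );

// Production configuration from the video: all three constants false.
// If any of them is absent from the file, WordPress treats it as off.
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_LOG', false );
define( 'WP_DEBUG_DISPLAY', false );

// With WP_DEBUG off, WordPress leaves PHP's own display_errors setting
// alone, so the php.ini value still governs. Force it off here as a second
// layer, and route errors to a log file instead so nothing is lost.
@ini_set( 'display_errors', '0' );
@ini_set( 'log_errors', '1' );
@ini_set( 'error_log', '/var/log/php/wordpress-errors.log' ); // assumed path

// Alternative when you want WordPress-level debug output recorded but never
// shown: keep WP_DEBUG on, turn display off, and log to a file. Since
// WordPress 5.1, WP_DEBUG_LOG also accepts a path, which avoids the default
// wp-content/debug.log that sits inside the web root and can be read by URL.
// define( 'WP_DEBUG', true );
// define( 'WP_DEBUG_DISPLAY', false );
// define( 'WP_DEBUG_LOG', '/var/log/php/wordpress-debug.log' ); // assumed path
```

After uploading, reload a page that previously showed a notice and confirm nothing is rendered, then check that the log file is receiving entries and is not reachable from the browser.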