Publicly accessible config, backup, or log file found: wp-content/debug.log Type

Hi @mj00712, thanks for getting in touch with us.

These aren’t errors as such, they’re scan results to ensure your site is as correctly configured as possible.

php.ini shouldn’t live in the wp-admin folder and your debug.log should be hidden when attempting to view it in a browser. With the debug.log file notice, you should be given the option to hide it and also see an option to remove other files that appear in WordPress core folders erroneously such as the php.ini in this case?

If not, you can try adding the following manually to your .htaccess file:

<Files "debug.log">
    Require all denied
    Require ip 127.0.0.1
    Require ip Your.Servers.IP.Address
</Files>

Your server’s IP address can be found by navigating to Wordfence > Tools > Diagnostic > Connectivity and you will see “IP(s) used by this server.

You can also delete the php.ini from wp-admin manually using your hosting file manager or FTP if Wordfence cannot due to permissions. Let us know if it’s constantly replaced automatically after deletion and your host claims not to require it in this location.

Thanks,

Peter.

Check this image for the ini files found in File manager

Which one should I delete

Hi @mj00712,

The .bak files will be non-critical as they’re effectively backup files and won’t be currently in-use so they could be deleted. The other file isn’t the one being flagged in your scan so I wouldn’t recommend deleting that in case it’s critical to the running of a component on your site.

Provided you remove the ones that Wordfence suggests have been altered or shouldn’t be present in WordPress core, you should stop seeing the message in future scans.

Thanks,

Peter.