When building or debugging a WordPress site, enabling WP_DEBUG
is a common practice. However, many developers overlook the risks of displaying errors publicly. If WP_DEBUG_DISPLAY
is not properly disabled, your site could leak sensitive information directly onto the screen, putting both security and user trust at risk. In this article, we’ll explain what this setting does, why it matters, and how to use it safely in production environments.
WP_DEBUG
: A WordPress constant that activates debugging mode.WP_DEBUG_DISPLAY
: Controls whether PHP errors/warnings appear on your site’s frontend.
// Default behavior when WP_DEBUG is enabled:
define('WP_DEBUG', true);
//define('WP_DEBUG_DISPLAY', true); // By default it gets enabled!
define('WP_DEBUG_LOG', true); // Save errors to debug.log
💡Note: By default, it’s “WP_DEBUG_DISPLAY
” set to true
when WP_DEBUG
is enabled.
Setting it to false
hides the error output from your visitors, while still logging errors in the background (if WP_DEBUG_LOG
is enabled).
Benefits & Risks wp_debug
Benefits of Safe Debugging
- Silent Error Logging: Errors are saved to
wp-content/debug.log
without disrupting visitors. - Emergency Troubleshooting: Debug crashes caused by plugin/theme updates without downtime.
- Security Protection: Hide server paths, database details, or vulnerabilities from attackers.
Risks of Poor Configuration
- Exposed Sensitive Data: Publicly visible errors leak server paths, plugin names, or PHP warnings.
- User Experience Damage: Visitors see broken layouts or cryptic messages (e.g., “Cannot modify header”).
- SEO Harm: Search engines may index error-filled pages.
When to Enable Debugging on a Live Site (Temporarily)
Scenario: Your live site crashes after a WordPress/core/plugin update.
Solution: Enable logging without displaying errors:
If you need to debug an issue on the site, it is a safe way to add these two parameters explicitly in the wp-config.php above this line:/* That's all, stop editing! Happy blogging. */
// In wp-config.php
define('WP_DEBUG', true); // Activate debug mode
define('WP_DEBUG_LOG', true); // Save errors to debug.log
define('WP_DEBUG_DISPLAY', false); // Hide errors from users
@ini_set('display_errors', 0);
/* That's all, stop editing! Happy blogging. */
Steps:
- Add the above lines to
wp-config.php
via SSH/SFTP. - Reproduce the crash to trigger error logging.
- Check
debug.log
for clues (e.g., plugin conflicts, memory limits). - Immediately disable debugging after fixing:
define( 'WP_DEBUG', false );
define('WP_DEBUG_LOG', false);
define('WP_DEBUG_DISPLAY', false);
Best Practices for Debugging Safely
- Never Leave
WP_DEBUG_DISPLAY
Enabled on Live Sites- Default is
true
whenWP_DEBUG
is active, always set it tofalse
manually.
- Default is
- Restrict Access to debug.log: Block public access via
.htaccess
(Apache) or server permissions: - Use Staging Sites for Testing: Debug updates on a staging clone first.
- Add a Cleanup Reminder: Delete or disable
WP_DEBUG
after troubleshooting.
chmod 600 wp-content/debug.log
Conclusion
Enabling wp_debug on a live site can save you during emergencies, but always pair it with wp_debug_display false
to avoid exposing errors. Logging issues silently lets you resolve crashes quickly while maintaining user trust and security.
Action Checklist:
- Enable
WP_DEBUG_LOG
+ disableWP_DEBUG_DISPLAY
explicitly. - Test fixes on staging first.
- Disable WP_DEBUG immediately after resolving the issue.
🔗 Further Reading: WordPress Debugging Codex
Fix errors invisibly.
Protect your site visibly.