Our Unrecognised File Scanner highlighted an issue that we’d like to help everyone address properly.
The scanner works by looking at your core WordPress directories and finding files that shouldn’t be there.
So how do we qualify “shouldn’t be there”? We review each file in your core directories and ask if it was included in the original distribution from WordPress.org.
If the file wasn’t included, then we flag it.
But… some files don’t need to be flagged because they’re important to the normal running of the site. An example of this might be .htaccess
. This is an Apache configuration file and while it doesn’t ship with WordPress, it’s perfectly legitimate.
Another type of file that is found in the core directories is the PHP error log. The default configuration for most web hosts results in error log files scattered throughout your site.
Being scattered is far from ideal, but what can we do about it?
What is the PHP error log file?
While your site is being processed, the code may generate “errors” – notifications, if you like. There are different types of errors, and depending on the nature of your site (production or dev), you’ll want easy access to them.
These errors can be simple notices or warnings, or they could more serious and even “fatal”. PHP will output these errors to a file, or even to the screen (your web page), or do both, depending on how it’s configured.
So yes, how PHP handles error logs and messages is down to how you configure PHP to handle them. It’s up to you.
Your web host has likely configured PHP for you already and, like most people, you’ve never changed it – or never thought to change it.
This is why you have error log files scattered all over your website. And why you sometimes get crazy errors spewed out onto your webpages when something goes wrong – where your visitors can see them!
Conclusion: How errors are handled is up to you. You can change what gets logged, and where they’re output to.
Making PHP errors behave just how you want them to
So now that you know you have power over PHP errors, it’s time to see what powers you have exactly. Here’s a little summary – you can:
- tell PHP whether or not to display errors e.g. output them to your web pages
- tell PHP which error levels to output
- tell PHP which file to output the errors to
- tell PHP not to log any errors!
There’s much more to this, and more advanced ways to handle PHP errors. But we’re going to look at the most simple settings needed to achieve the maximum benefit.
First thing we need to do is decide how we’re going to put these setting in-place. We’re going to assume here that you’re hosting your sites on shared host. This means you have little in the way of configuration options.
There are 2 approaches that we’re going to cover here:
- put the settings in your Apache
.htaccess
file - put the settings in your
.user.ini
file
You’ll have to determine which is your preferred method. If you want to use the latter, you’ll need to check with your web host that they support the .user.ini
file in your sites.
So depending on your chosen method, create a new file with the chosen name on the root of your website. For each of the settings below, add the necessary code.
#1 Prevent Errors Being Displayed On-Screen
.user.ini
; hide errors
display_errors = off
.htaccess
<IfModule mod_php5.c>
php_flag display_errors on
</IfModule>
#2 Set location of the error log output file
.user.ini
; set the log file location - full path, not relative
error_log = /full/path/to/error/log/file
.htaccess
<IfModule mod_php5.c>
php_value error_log ./path_to_error_log_file
</IfModule>
#3 Set the types of errors to log
.user.ini
; log absolutely everything:
error_reporting = -1
; log absolutely nothing:
error_reporting = 0
.htaccess
<IfModule mod_php5.c>
# log absolutely everything
php_value error_reporting -1
</IfModule>
<IfModule mod_php5.c>
# log absolutely nothing
php_value error_reporting 0
</IfModule>
Important Points To Note
- Do not just copy-paste what you see here. Read it and try to understand just a little bit of what is written there.
- If the file that you’re editing previously existed, make a backup and if it goes terribly wrong, just replace the backup.
- If you just skipped item #2, go back to #2.
- I recommend keeping your logs outside of your public HTML folder. So when you set the path to the log file, put it 1 directory above where your WordPress
index.php
file is. - For the
.htaccess
rules you’ll see that each one if wrapped up in an<IFModule mod_php5.c>
block. You don’t need to repeat that every time and you can put it all inside the same block. - You do not need to do both
.user.ini
and.htaccess
. Find the one that works for your environment and use only that. - Again, don’t skip item #2 here… make sure you have a backup before you start editing the files.
Questions, Suggestions and Feedback?
It’s your time to shine. We know this is a massive topic and we could go into much more detail here. But we want to get you aware of the idea that with a little bit of work, you can start to take control of your web hosting setup.
You can control where your log files are. You don’t have to go searching for them when you need them.
If you have any questions or suggestions for adding to this article, please let us know in the comments below.