A quick note about PHP error logs

For some time I’ve been noticing a strange issue on my website: every once in a while, a file named error_log would appear in a subdirectory of my document root, visible to anyone who knew to look for it. It seems that whenever there was a PHP error (for example, when a vulnerability probe tried to access a theme file), PHP would dump the error message to a file in that same directory.

Those error messages contained absolute filenames within the server filesystem, so obviously that’s not something I want to be publicly viewable. I figured out that PHP has a setting for where to store error logs, and my web host had it set to just ‘error_log’. When there was an error message to output, PHP would send it to that relative filename, meaning the log file would show up in the same directory as the file where the error occurred.

Luckily, I have the ability to override PHP settings in a .user.ini file. The Wordfence firewall (which I highly recommend, by the way) had already created one, so I just added a line setting error_log to an absolute path in my home directory. Problem solved! Now all my PHP errors go to a private file that the rest of the world can’t see.
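To check a site for the same problem, the following added example (not code from this post or from any plugin) walks a document root, lists leftover error_log files, and flags any .user.ini whose error_log value is relative or is an absolute path that still lands inside the document root. The function names are hypothetical, and the document root is whatever path you pass in.

```python
import os
import tempfile

LOG_NAME = "error_log"  # the relative value the post's host had configured


def read_error_log_setting(ini_path):
    """Return the last error_log value set in a .user.ini file, or None."""
    value = None
    with open(ini_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.split(";", 1)[0].strip()  # drop ; comments
            key, sep, val = line.partition("=")
            if sep and key.strip() == "error_log":
                value = val.strip().strip("\"'")
    return value


def classify(value, docroot):
    """'relative', 'inside-docroot' or 'ok' for one error_log value."""
    if not os.path.isabs(value):
        return "relative"  # PHP writes next to the failing script
    root = os.path.realpath(docroot)
    inside = os.path.commonpath([root, os.path.realpath(value)]) == root
    return "inside-docroot" if inside else "ok"


def audit(docroot):
    """Walk docroot; return (exposed log files, risky .user.ini settings)."""
    exposed, risky = [], []
    for folder, _dirs, files in os.walk(docroot):
        if LOG_NAME in files:
            exposed.append(os.path.join(folder, LOG_NAME))
        if ".user.ini" in files:
            ini = os.path.join(folder, ".user.ini")
            value = read_error_log_setting(ini)
            if value is not None and classify(value, docroot) != "ok":
                risky.append((ini, value))
    return sorted(exposed), sorted(risky)


if __name__ == "__main__":
    # Constructed sample tree: one leaked log and one relative setting.
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, LOG_NAME), "w").close()
        with open(os.path.join(root, ".user.ini"), "w") as fh:
            fh.write("error_log = error_log\n")
        print(audit(root))
```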