While building your website, it can be extremely valuable to display PHP errors on your page. This will help you debug your site, oftentimes clearly showing what’s going wrong. Therefore, it’s good to enable this in your development, staging and testing environments. However, once your website is published to the world, you should not display those errors.
Why should you deactivate showing PHP debug messages?
Security risk
Error messages are meant to be helpful in tracking the location of problems in your code. Therefore, they often contain details about your server environment, file paths, database queries, and even snippets of code. They may also expose version numbers of software you’re running, which can be problematic if you’re not on the most secure version of the software.
In many cases, all this debug information can be exploited by attackers to identify vulnerabilities and launch targeted attacks against your site.
Confusing to users
Most visitors to your website are not experienced developers, and many are not very tech-savvy at all. They just want to visit and interact with your website. If they’re suddenly confronted with pieces of code, or other text that looks like gibberish to them, they may decide that your website is not a good fit for them and leave.
Best practice
Does that mean you shouldn’t know about errors on your site? Absolutely not! Knowing (and fixing) errors on your pages is of vital importance for the overall health of your website. There are just better options to get informed about them than using your customers as your warning system. Instead, make sure error information is sent to the proper log files, and review those regularly!
How to hide PHP debug messages from your website’s visitors?
Making the following changes is a tad technical. If you’re not sure what you’re doing, it may be a good idea to contact an agency or experienced web developer. We don’t want you to accidentally take your site offline!
Disable WP_DEBUG
The first step is to make sure WP_DEBUG is disabled. To do this, you’ll have to open the file called wp-config.php in your WordPress installation on your server.
In that file, first check whether there is a line that reads define('WP_DEBUG', true);. If that line exists, all you have to do is change the word true to false.
If there is no such line, you’ll have to add define('WP_DEBUG', false); yourself. You can do this on any blank line in the file, as long as it is above the line that reads as follows:
/* That's all, stop editing! Happy publishing. */
Don’t forget to save your changes!
Disable WP_DEBUG_DISPLAY
Next, make sure WP_DEBUG_DISPLAY is disabled, to prevent any PHP debug messages from being displayed publicly on your website. To do this, you’ll have to (re)open the file called wp-config.php.
In that file, first check whether there is a line that reads define('WP_DEBUG_DISPLAY', true);. If that line exists, all you have to do is change the word true to false.
If there is no such line, you’ll have to add define('WP_DEBUG_DISPLAY', false); yourself. You can do this on any blank line in the file, as long as it is above the line that reads as follows:
/* That's all, stop editing! Happy publishing. */
Don’t forget to save your changes!
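To confirm both steps above on a copy of wp-config.php, the following check is an added example and not part of the original article. The function name audit_wp_config and the sample file content are constructed for illustration; the script reports either constant being enabled, missing, or placed below the "stop editing" line.

```python
import re

# PHP treats the function name define as case-insensitive, the constant name not.
DEFINE_RE = re.compile(
    r"""(?i:define)\s*\(\s*['"](WP_DEBUG|WP_DEBUG_DISPLAY)['"]\s*,\s*([^)]+?)\s*\)\s*;"""
)
STOP_MARKER = "That's all, stop editing!"
ON, OFF = {"true", "1"}, {"false", "0"}

def audit_wp_config(text):
    """Return findings for wp-config.php content; [] means both settings are off."""
    findings, seen, past_marker, in_block = [], {}, False, False
    for lineno, line in enumerate(text.splitlines(), 1):
        if STOP_MARKER in line:
            past_marker = True
            continue
        if in_block:  # skip lines inside a multi-line /* ... */ comment
            in_block = "*/" not in line
            continue
        code = re.sub(r"/\*.*?\*/", "", line)  # drop inline block comments
        if "/*" in code:
            in_block, code = True, code.split("/*", 1)[0]
        code = re.split(r"//|#", code, maxsplit=1)[0]  # drop single-line comments
        m = DEFINE_RE.search(code)
        if not m or m.group(1) in seen:  # PHP keeps the first definition
            continue
        name, value = m.group(1), m.group(2).strip().lower()
        seen[name] = value
        if past_marker:
            findings.append(f"line {lineno}: {name} is defined below the stop-editing line")
        if value in ON:
            findings.append(f"line {lineno}: {name} is enabled, set it to false")
        elif value not in OFF:
            findings.append(f"line {lineno}: {name} has unrecognised value {m.group(2)!r}")
    for name in ("WP_DEBUG", "WP_DEBUG_DISPLAY"):
        if name not in seen:
            findings.append(f"{name} is not defined, add define('{name}', false);")
    return findings

# Constructed sample: WP_DEBUG left on, WP_DEBUG_DISPLAY present only in a comment.
SAMPLE = """<?php
define( 'WP_DEBUG', true );
// define('WP_DEBUG_DISPLAY', false);
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    print("\n".join(audit_wp_config(SAMPLE)))
```

Run it against a downloaded copy of the file rather than the live one; an empty result means both defines are present, set to false, and above the marker line.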
Why is this Ravi’s Recommendation?
Keeping your website user-friendly and secure improves your website’s credibility and user experience. Scary messages, like a log dump, can frustrate readers, hurt your rankings and cause security problems.
We want your site to thrive. That’s why we’ll remind you to disable the display of PHP debug messages on your website in one of Ravi’s Recommendations!