
htaccess - Wordpress: Adding Security


Regarding this answer, is correct to add the file debug.log in this way?

RewriteRule (?:debug|readme|license|changelog|-config|-sample)\.(?:php|md|txt|html|log?) - [R=404,NC,L]

Kind Regards

asked Oct 5, 2020 at 14:57 by Ponzio Pilato
  • 1 "is correct to add the file debug.log in this way?"- Do you mean in terms of modifying that directive? Well, it depends on exactly what you are trying to achieve. If you simply want to "hide" debug.log from HTTP access then that directive arguably does too much. Since there are no anchors on the regex it could potentially conflict with valid URLs - depending on where you place the directive in your .htaccess file. Then again, it could do exactly what you require. – MrWhite Commented Oct 5, 2020 at 16:28
  • Yes, basically debug.log, but without deny, with 404. May you suggest me a rule less "too much" please? – Ponzio Pilato Commented Oct 5, 2020 at 16:30
1 Answer

"Yes, basically debug.log, but without deny, with 404"

Yes, that directive will serve a "404 Not Found" when attempting to request debug.log.

|log?

However, because of the ? in the above regex, it will also block debug.lo. Is that intentional? In fact, if that is intentional then you could simply remove the g? part - since it serves no purpose. But if not, then remove the trailing ? to match debug.log only.

However, it also potentially blocks any URL that simply contains debug.log in the URL-path (since there are no anchors ^ or $ or word boundaries on the regex). For example, the following innocent URL(s) will also be blocked if the directive appears before the WordPress front-controller:

/what-is-the-meaning-of-debug.log-on-my-filesystem
/are-changelog.md-files-really-necessary

(Should you have articles with such a title/slug.)

For this reason, this directive should probably be located at the end of the .htaccess file, after the WordPress front-controller, so that you only block access to physical files. This will also be marginally more efficient.

[R=404,NC,L] - minor point... the L flag is not strictly required here. L is implied when specifying a non-3xx return code.


To simply block (with a 404) requests for debug.log (all lowercase) in the document root only then the following would be sufficient:

RewriteRule ^debug\.log$ - [R=404]
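
The matching behaviour discussed in this answer can be checked before a rule is deployed. The following is an added example, not part of the original answer: it emulates the RewriteRule pattern match with Python's re module, and the rule names and the sample paths (other than the two slugs quoted above) are constructed for illustration.

```python
import re

# Patterns copied from the page. Flags mirror each rule's [NC] (or its absence).
# Python's re behaves like Apache's PCRE for these simple patterns.
RULES = {
    # The rule from the question: unanchored, optional "g", case-insensitive.
    "original": (r"(?:debug|readme|license|changelog|-config|-sample)"
                 r"\.(?:php|md|txt|html|log?)", re.IGNORECASE),
    # Same rule with the trailing "?" removed, as the answer suggests.
    "no_optional_g": (r"(?:debug|readme|license|changelog|-config|-sample)"
                      r"\.(?:php|md|txt|html|log)", re.IGNORECASE),
    # The answer's final rule: anchored, document root only, no NC flag.
    "anchored": (r"^debug\.log$", 0),
}

# Constructed request paths; the two article slugs are the ones quoted above.
SAMPLES = [
    "/debug.log",
    "/debug.lo",
    "/DEBUG.LOG",
    "/wp-content/debug.log",  # where WordPress writes the log by default
    "/what-is-the-meaning-of-debug.log-on-my-filesystem",
    "/are-changelog.md-files-really-necessary",
    "/hello-world",
]


def blocked(rule, url_path):
    """True if the named rule's pattern matches the request path.

    In .htaccess the pattern is tested against the URL-path relative to
    the directory, so the leading slash is stripped before matching.
    """
    pattern, flags = RULES[rule]
    return re.search(pattern, url_path.lstrip("/"), flags) is not None


def report(paths=SAMPLES):
    """Map each path to the list of rules that would answer it with a 404."""
    return {path: [name for name in RULES if blocked(name, path)]
            for path in paths}


if __name__ == "__main__":
    for path, hits in report().items():
        print(f"{path:52} 404 from: {', '.join(hits) or 'none'}")
```

This checks pattern matching only; it does not model rule order, so the effect of placing the directive after the WordPress front-controller is not reflected in the output.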