WP_DEBUG is set to true in production, revealing sensitive paths or warnings.
Debug Mode Left Enabled on Live Site
Key Points: Error messages and PHP notices are visible to everyone, including attackers.
You’re live. You’re proud. And right in the footer: “Warning: Undefined variable.” Not only ugly — dangerous. Debug mode can reveal server paths, function names, or sensitive code logic.
⚠️ Risks
- Exposes file structure and database queries
- Gives attackers insight into plugin/theme vulnerabilities
- Public display of PHP or MySQL errors
🛠️ Fix in Seconds
define( 'WP_DEBUG', false );
Also make sure WP_DEBUG_LOG and WP_DEBUG_DISPLAY are off in production.
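To check a config before it ships, here is an added example (not code from this post or from WordPress): a small Python script that reads the text of a wp-config.php and reports which of the three debug constants are switched on. The sample config, its log path and the function names are constructed for this illustration.

```python
import re

DEBUG_CONSTANTS = ("WP_DEBUG", "WP_DEBUG_LOG", "WP_DEBUG_DISPLAY")
# Matches define( 'NAME', value ); with either quote style around the name.
DEFINE_RE = re.compile(
    r"define\s*\(\s*(['\"])(?P<name>\w+)\1\s*,\s*(?P<value>.*?)\s*\)\s*;", re.I)

# Constructed sample config (hypothetical values, not from a real site).
SAMPLE = """<?php
// define( 'WP_DEBUG', false );
define( 'WP_DEBUG', true );
define( "WP_DEBUG_LOG", '/var/log/wp-debug.log' );
define( 'WP_DEBUG_DISPLAY', false );
"""

def strip_comments(php):
    """Drop /* */ blocks and whole-line // or # comments, so a
    commented-out define() is not mistaken for the live setting."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"(?m)^\s*(//|#).*$", "", php)

def literal_state(value):
    """True/False for a PHP literal, None for anything that needs a human."""
    v = value.strip()
    if v.lower() in ("true", "false"):
        return v.lower() == "true"
    if re.fullmatch(r"\d+", v):
        return int(v) != 0
    m = re.fullmatch(r"(['\"])(.*)\1", v)
    if m:  # PHP treats '' and '0' as false; any other string (a log path) is truthy
        return m.group(2) not in ("", "0")
    return None  # e.g. getenv(...) or another expression

def audit(php_source):
    """Map each debug constant to 'on', 'off', 'review' or 'unset'."""
    states = {name: "unset" for name in DEBUG_CONSTANTS}
    for m in DEFINE_RE.finditer(strip_comments(php_source)):
        name = m.group("name")
        if states.get(name) == "unset":  # PHP keeps the first define() of a constant
            state = literal_state(m.group("value"))
            states[name] = {True: "on", False: "off", None: "review"}[state]
    return states

def findings(php_source):
    """Constants that should block a production deploy."""
    return sorted(n for n, s in audit(php_source).items() if s in ("on", "review"))

if __name__ == "__main__":
    print(findings(SAMPLE))
```

A constant reported as "review" is set by an expression rather than a literal, so its value depends on the environment and has to be checked on the live server.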
📌 Advice
Keep debug on in staging, never in production. It’s like leaving blueprints to your house taped to the front door.