Google Dork; WordPress debug.log

This is an epic sigh, failure moment.


According to the documentation, WordPress can be set up to write debugging output to a file when issues are encountered inside the software. All well and good, I’d expect that. What I wouldn’t expect is for the file it dumps the data into to be WORLD READABLE!

But I suppose this is WordPress, and they’re well known for doing dumb shit like this constantly.

Google Dork: https://google.com/search?q=inurl:wp-content/debug.log

If you run WordPress, please make sure this file is not world-readable – please protect it with your Apache/Nginx/IIS config – don’t rely on it not being visible in a directory list!
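To check an install you run, the following added example (not part of the original post and not WordPress code) reads `wp-config.php` and reports whether the debug log lands inside the document root, where it is served unless the web server config blocks it. It assumes the default `wp-content` location and that `WP_DEBUG_LOG` is either a boolean or a quoted absolute path; the function names and status labels are hypothetical.

```python
import re
import tempfile
from pathlib import Path

# define( 'WP_DEBUG', ... ); or define( 'WP_DEBUG_LOG', ... ); capturing the raw PHP value
DEFINE_RE = re.compile(r"""define\(\s*['"](WP_DEBUG(?:_LOG)?)['"]\s*,\s*(.+?)\s*\)\s*;""")

def parse_debug_settings(text):
    """Map constant name -> raw PHP value for uncommented defines in wp-config.php."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("//", "#", "*", "/*")):
            continue  # skip commented-out defines
        m = DEFINE_RE.search(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def audit(web_root):
    """Return (status, log_path) for the install whose document root is web_root."""
    root = Path(web_root).resolve()
    cfg = parse_debug_settings((root / "wp-config.php").read_text())
    default_log = root / "wp-content" / "debug.log"  # assumes default WP_CONTENT_DIR
    raw = cfg.get("WP_DEBUG_LOG", "false")
    if cfg.get("WP_DEBUG", "false").lower() != "true" or raw.lower() in ("false", "0"):
        # Logging is off, but a log left over from earlier debugging is still on disk.
        return ("stale-log" if default_log.exists() else "off", default_log)
    if raw.lower() in ("true", "1"):
        log = default_log
    elif raw[0] in "'\"" and raw[-1] == raw[0]:
        log = Path(raw[1:-1]).resolve()  # custom log path given as a string literal
    else:
        return ("unknown", None)  # PHP expression; needs manual review
    return ("in-webroot" if root in log.parents else "outside-webroot", log)

def demo():
    """Run the audit over two constructed installs and return their statuses."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for name, value in (("default", "true"), ("moved", f"'{tmp}/logs/debug.log'")):
            site = Path(tmp) / name / "public_html"
            site.mkdir(parents=True)
            (site / "wp-config.php").write_text(
                f"<?php\ndefine( 'WP_DEBUG', true );\ndefine( 'WP_DEBUG_LOG', {value} );\n")
            results.append((name, audit(site)[0]))
    return results

if __name__ == "__main__":
    print(demo())
```

An `in-webroot` or `stale-log` result is the case that needs a deny rule in the Apache/Nginx/IIS config, or the log moved out of the document root.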

I’ve submitted this to exploit-db and their Google Hacking database.