Recently a self-hosted client asked us to do some basic security audits on their website. We went through the usual review, and as part of our remediation process we installed a few plugins to help harden their installation.

Unfortunately one of those plugins began throwing PHP Warnings on the client’s login screen. They seemed innocent enough, but we didn’t want the client to see these messages and start asking why they were there. Typically, these should not appear on your site as long as you have define('WP_DEBUG', false); set in your wp-config.php but in this case they were still appearing.

Not having access to the hosting environment itself, we knew we couldn’t update the PHP settings manually. Fortunately, some quick Googling led us to this blog post which solved our problems. By updating our wp-config.php we solved the issue and successfully suppressed the warnings (which really, you probably should be doing in a production environment anyway to prevent information disclosure).

The ini_set() functions, in order, tell PHP to 1) log all errors, 2) not display those errors on screen, and 3) ensures that all errors/warnings are logged.

The three define() functions tell WordPress to 1) not run in Debug mode, 2) log the errors to log file for review later which is stored inside your /wp-content directory, and 3) ensures that any errors or warnings that are triggered are not displayed on screen. For more information on the debugging tools available inside WordPress, check out the codex.

This worked for our client’s hosting environment, but YMMV. Good luck!