Recently a self-hosted client asked us to do some basic security audits on their website. We went through the usual review, and as part of our remediation process we installed a few plugins to help harden their installation.

Unfortunately one of those plugins began throwing PHP Warnings on the client’s login screen. They seemed innocent enough, but we didn’t want the client to see these messages and start asking why they were there. Typically, these should not appear on your site as long as you have `define(‘WP_DEBUG’, false);` set in your `wp-config.php` but in this case they were still appearing.

Not having access to the hosting environment itself, we knew we couldn’t update the PHP settings manually. Fortunately, some quick Googling led us to this blog post which solved our problems. By updating our `wp-config.php` we solved the issue and successfully suppressed the warnings (which really, you probably should be doing in a production environment anyway to prevent information disclosure).

ini_set('error_reporting', E_ALL );
define('WP_DEBUG', false);
define('WP_DEBUG_LOG', true);
define('WP_DEBUG_DISPLAY', false);

The `ini_set()` functions, in order, tell PHP to 1) log all errors, 2) not display those errors on screen, and 3) ensures that all errors/warnings are logged.

The three `define()` functions tell WordPress to 1) not run in Debug mode, 2) log the errors to log file for review later which is stored inside your `/wp-content` directory, and 3) ensures that any errors or warnings that are triggered are not displayed on screen. For more information on the debugging tools available inside WordPress, check out the codex.

This worked for our client’s hosting environment, but YMMV. Good luck!

The JSON REST API is coming to WordPress Core soon, either with 4.1 or 4.2. And while this is a fantastic addition to the WordPress ecosystem and we’re going to see some really awesome stuff built with it… it’s just not going to be for everyone. Not all sysadmins will want a new API enabled that gives 3rd party developers access to their site’s content in an easily-consumed format.

Disable all the thingsFortunately, just like the XML-RPC protocol, the people behind the JSON REST API have implemented filters which allow one to disable the API if you like. The simple Disable JSON API plugin gives turn-key functionality to anyone who wants to turn off the JSON REST API if it is already running, or proactively prevent it from functioning once it comes with WordPress Core. When all new versions of WordPress start to come with the API enabled by default, you’ll know that your site is going to disable it out of the gate.

As with anything, YMMV and this certainly isn’t for everyone. In fact, this plugin may break your website if your theme or plugins rely on the functionality of the API. Use with caution, feel free to disable if it’s not working for you, and enjoy!

Download the plugin from the WordPress repository now!