Title: WordPress internal path vulnerability Last modified: August 19, 2016 --- # WordPress internal path vulnerability * Resolved [steve-d](https://wordpress.org/support/users/steve-d/) * (@steve-d) * [15 years, 10 months ago](https://wordpress.org/support/topic/wordpress-internal-path-vulnerability/) * This is odd. A scan shows some kind of error, giving away internal path information. This never showed up before and the most recent upgrade was just the Twenty Ten Theme to 1.1 * The internal path anomaly is . . (I used * just to not give out information here.) / data/*/*/*/*/*/user/*/*/*/wp-content/themes/default/index.php * So how do I turn off errors with no php.ini? display_errors = Off * Using WordPress 3.0 Viewing 6 replies - 1 through 6 (of 6 total) * Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/) * (@ipstenu) * 🏳️‍🌈 Advisor and Activist * [15 years, 10 months ago](https://wordpress.org/support/topic/wordpress-internal-path-vulnerability/#post-1603248) * A … scan? What kind of scan? Is this on the front end of your site? * Thread Starter [steve-d](https://wordpress.org/support/users/steve-d/) * (@steve-d) * [15 years, 10 months ago](https://wordpress.org/support/topic/wordpress-internal-path-vulnerability/#post-1603263) * > A … scan? * An external vendor scan. Basically the main question is how to set display_errors = Off at this point. * Could be a host issue I don’t know. * > internal paths > PHP is very good in leaking the internal paths of your system in case of errors. > You can find out exactly where the blog is hosted (/var/www, /home/user, etc) > and you can 99% of the time guess the user name used for administration. * Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/) * (@ipstenu) * 🏳️‍🌈 Advisor and Activist * [15 years, 10 months ago](https://wordpress.org/support/topic/wordpress-internal-path-vulnerability/#post-1603268) * Probably not a WordPress thing but a PHP one, yeah. * Hmmm. If you can’t get at php.ini I think you can put `error_reporting(0);` somewhere in your code, but I don’t know where to cover all of WordPress. * I’d ask my host to turn it off in the php.ini if you’re that worried. * Thread Starter [steve-d](https://wordpress.org/support/users/steve-d/) * (@steve-d) * [15 years, 10 months ago](https://wordpress.org/support/topic/wordpress-internal-path-vulnerability/#post-1603278) * > I’d ask my host to turn it off in the php.ini * They just upgraded php could be it. My other option might be an htaccess tweak of some kind. * Thread Starter [steve-d](https://wordpress.org/support/users/steve-d/) * (@steve-d) * [15 years, 10 months ago](https://wordpress.org/support/topic/wordpress-internal-path-vulnerability/#post-1603321) * It was being caused by the WordPress Default Theme. * Thread Starter [steve-d](https://wordpress.org/support/users/steve-d/) * (@steve-d) * [15 years, 10 months ago](https://wordpress.org/support/topic/wordpress-internal-path-vulnerability/#post-1603341) * Let me clarify it was the original default theme not Twenty Ten that somehow produced this anomaly. My fix was simply to delete the old default theme. Which I do not use anyway. Viewing 6 replies - 1 through 6 (of 6 total) The topic ‘WordPress internal path vulnerability’ is closed to new replies. * In: [Installing WordPress](https://wordpress.org/support/forum/installation/) * 6 replies * 2 participants * Last reply from: [steve-d](https://wordpress.org/support/users/steve-d/) * Last activity: [15 years, 10 months ago](https://wordpress.org/support/topic/wordpress-internal-path-vulnerability/#post-1603341) * Status: resolved ## Topics ### Topics with no replies ### Non-support topics ### Resolved topics ### Unresolved topics ### All topics