WP Debug Toolkit 1.1.0 is LIVE. Get $300 discount on the lifetime deal now
Use Discount Code WPDTLTD
Get Started Now
Home
Features
Error Log Viewer
A Better Way to Check WordPress Logs
Query Viewer
Fast, Lightweight Database Monitoring
Email Alerts Viewer
Know About Issues Before Your Clients Do
Pricing
Account
Get WP Debug Toolkit
Home » Docs » Features » Viewer App » Viewer authentication and security

Viewer authentication and security

The WP Debug Toolkit (WPDT) standalone viewer is protected by multiple security layers. Password authentication is mandatory, and additional protections — rate limiting, session controls, CSRF tokens, and path traversal blocking — operate automatically.

Password protection

Password protection has been mandatory since WPDT 1.1.0. There is no way to run the viewer without a password.

  • Minimum length: 8 characters
  • Set during: viewer setup wizard, or changed later at Debug Toolkit > Settings > Viewer
  • Storage: the password hash is written to auth.php in the viewer directory, not stored in the WordPress database. This keeps authentication functional when the database is unreachable.
  • Login screen: visiting the viewer URL shows a login form. You must authenticate before accessing any viewer feature.

Changing the password

Update the viewer password from Debug Toolkit > Settings > Viewer Settings. Enter a new password and save. The new hash replaces the existing one in auth.php. Active sessions are invalidated — you need to log in again with the new password.

WP-CLI

wp dbtk viewer setup --password=new-secure-password

This reinstalls the viewer with the new password while preserving existing configuration and settings.

Rate limiting

The viewer uses progressive lockout to defend against brute-force login attempts. Rate limiting is enforced per IP address.

Lockout escalation

Failed attemptsLockout duration
10 seconds
25 seconds
330 seconds
45 minutes
530 minutes
61 hour
10+24 hours

Each consecutive failed attempt increases the lockout duration. After a successful login, the counter resets for that IP.

Implementation

Rate limiting uses SQLite by default. The database file is stored outside the viewer web root when possible (in wp-content/debug-toolkit-cache/). When the PDO SQLite extension is unavailable on the server, WPDT falls back to a file-based rate limiter that uses JSON files.

Session security

After successful authentication, the viewer creates a session with the following properties:

Session timeout — Sessions expire after 30 minutes of inactivity. After expiration, you are redirected to the login screen.

IP binding — By default, sessions are tied to the client’s IP address. If a request comes from a different IP than the one that authenticated, the session is invalidated. This prevents session hijacking by blocking the use of stolen session tokens from other networks.

Disabling IP binding — In some environments, the client IP changes legitimately during a session (certain proxy configurations, mobile networks, VPN failovers). Disable IP binding from the viewer’s Settings panel if you experience unexpected logouts. Navigate to Settings in the viewer (K key) and toggle Disable IP binding.

Warning: Disabling IP binding reduces session security. Only disable it if you experience repeated session invalidation from IP changes.

CSRF protection

All state-changing API actions (modifying settings, toggling debug constants, disabling plugins) require a valid CSRF token. The token is generated when the session starts and included in every mutating request from the React app. Requests without a valid token are rejected with a 403 response.

Path traversal protection

The viewer API validates all file path parameters to prevent directory traversal attacks. Requests that attempt to access files outside the allowed directories are blocked.

Blocked files

The API maintains a blocklist of sensitive files that are never served regardless of the request path:

  • wp-config.php
  • .htaccess
  • .htpasswd
  • .env
  • id_rsa
  • id_dsa
  • .ssh
  • config.php (viewer configuration)
  • auth.php (viewer password hash)
  • rate-limiter.db
  • .git directories
  • .sqlite files
  • secure-debug.php (GridPane debug configuration)
  • Any file outside the configured log directory and WordPress installation paths

Requests for blocked files return a 403 error with no file content.

Security headers

The viewer API sets security headers on every response:

  • X-Content-Type-Options: nosniff — prevents MIME type sniffing
  • X-Frame-Options: DENY — blocks embedding in iframes
  • X-XSS-Protection: 1; mode=block — enables browser XSS filtering
  • Referrer-Policy: strict-origin-when-cross-origin — limits referrer information
  • Content-Security-Policy — restricts script and resource loading to same-origin
  • Cache-Control: no-cache, no-store, must-revalidate — prevents caching of API responses

Action whitelist

The API accepts only a defined set of actions. Any request with an unrecognized action is rejected with a 400 response. Action names are sanitized to allow only lowercase alphanumeric characters, hyphens, and underscores.

Session management

  • Session IDs are regenerated on login to prevent session fixation attacks
  • Cookies are set with httponly, secure (on HTTPS), and samesite=Strict flags
  • Authentication events (failures, IP mismatches, session timeouts) are logged for monitoring

Sensitive data protection

Log content displayed in the viewer is filtered to redact sensitive values (database credentials, authentication salts, API keys) before rendering.

On this page
Home Features Support
Error Log Viewer
A Better Way to Check WordPress Logs
Query Viewer
Fast, Lightweight Database Monitoring
Site Monitor
Know About Issues Before Your Clients Do
Try WP Debug Toolkit
The best error log viewer with amazing developer tools to help you troubleshoot your WordPress site securely and efficiently. Something something more.
Try Now
Get WP Debug Toolkit