Protect sensitive data stored in server logs

Administrators should be aware that enabling either the "Log incoming SCIM requests (debug)" or "Log user-sync events (debug)" options can result in sensitive user data being written to server logs. These settings are available on the plugin’s Debug configuration page, but only when SCIM or Microsoft Graph-based user synchronization is configured. If enabled, both logs are highly likely to contain confidential information. Therefore, it is critical to implement appropriate security measures to protect these log files and prevent unauthorized access.

The logs in question are saved in the root folder of the WPO365 | LOGIN plugin, which can be found in WordPress's /wp-content/plugins folder. If you enable logging of incoming SCIM requests, the server-relative path of the log is "/wp-content/plugins/wpo365-login/scim.log". If you enable logging of user-sync events, the log is stored as "/wp-content/plugins/wpo365-login/sync.log".

Depending on your server setup and configuration, one way to prevent unauthorized access to the logged user-sync events is to add an .htaccess file in the root of the wpo365-login folder with the following content.

<Files "sync.log">
  Require all denied
</Files>

This will deny web access to the file but will still allow you to download it, e.g. using (s)FTP. To protect the scim.log file, simply change the file name from sync.log to scim.log.
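To confirm that the rule actually takes effect (a server that does not honor .htaccess files ignores it silently), the following added example, which is not part of the original article or the plugin, requests both log paths and reports whether each one is served. The base URL argument, the function names and the FETCH override are assumptions of this example.

```shell
#!/bin/sh
# Added example: check whether the WPO365 debug logs are reachable over HTTP.
# Log paths are the ones named in the article; everything else is illustrative.
LOG_PATHS="/wp-content/plugins/wpo365-login/scim.log
/wp-content/plugins/wpo365-login/sync.log"

# Map an HTTP status code to a verdict for a log file URL.
classify_status() {
  case "$1" in
    200|206) echo "EXPOSED" ;;      # log content is served to any visitor
    401|403) echo "DENIED" ;;       # "Require all denied" answers 403
    404|410) echo "ABSENT" ;;       # no file yet, so the rule is unproven
    *)       echo "INCONCLUSIVE" ;; # redirect, server error, no response
  esac
}

# Default fetcher: print only the status code, without following redirects.
fetch_status() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1" || true
}

# Check both logs under a base URL (assumed argument, e.g. https://example.test).
# Returns 0 if every log is DENIED, 1 if any is EXPOSED, 2 otherwise.
check_site() {
  site_base=${1%/}
  site_result=0
  for log_path in $LOG_PATHS; do
    log_code=$("${FETCH:-fetch_status}" "$site_base$log_path")
    log_verdict=$(classify_status "$log_code")
    printf '%s %s %s\n' "$log_verdict" "$log_code" "$site_base$log_path"
    case "$log_verdict" in
      DENIED)  ;;
      EXPOSED) site_result=1 ;;
      *)       [ "$site_result" -eq 1 ] || site_result=2 ;;
    esac
  done
  return "$site_result"
}

# Run only when a base URL is given on the command line.
if [ "$#" -gt 0 ]; then
  check_site "$1"
fi
```

An ABSENT result only shows that the log file does not exist yet, so repeat the check once the log has been written.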


Please note: the information is provided as-is, and the solution presented in this article may not be applicable to your server setup and configuration.
