I’m running into a security issue with a WordPress plugin. The plugin writes a log file to the uploads folder, which is publicly accessible via the browser on Nginx servers.
Originally, the log was saved to:
$log_file = WP_CONTENT_DIR . '/site.log';
But due to WordPress compliance and server permission issues (especially on shared hosts), we moved the log file to the uploads directory to ensure it’s writable. That worked — but now the file is exposed to the public, which is a security risk.
I don’t have access to the server config or Nginx rules, so I need to implement a fix within the plugin code itself.
Any suggestions on how to secure or hide the log file from direct access, while keeping it writable across different hosting environments?