Init WordPress Log
======================

A lightweight, self-hosted PHP log viewer focused on WordPress sites.
Reads logs directly from wp-content (debug log, WooCommerce logs, and
popular security plugins), then presents them in a clean, searchable UI
with filtering, live tail, and basic access control.

Ideal for developers who want to inspect WordPress errors, WooCommerce
issues, and security events without SSHing into the server or touching
system-level /var/log files.

----------------------------------------------------------------------
FEATURES
----------------------------------------------------------------------

- 100% self-hosted — single PHP app, no external services.
- Designed specifically for WordPress environments:
  * wp-content/debug.log
  * WooCommerce logs (auto-detect latest .log file)
  * Common security plugins (Wordfence, iThemes Security, Sucuri)
- Multiple log sources shown in a sidebar, one-click switching.
- Syntax-like highlighting by level:
  * ERROR / FATAL
  * WARNING
  * NOTICE / DEPRECATED
  * INFO / generic lines
- Search box with debounce (live filtering over recent lines).
- Level filter (All / Error / Warning / Notice / Info).
- Live tail mode with configurable refresh interval.
- Line limit selector (e.g. last 100 / 500 / 1000 lines).
- Download raw log file and optional clear log (if writable).
- Smart UI details:
  * Always scrolls to bottom on update
  * Shows file size and number of lines displayed
  * Remembers last selected source, filters, and search via localStorage

Security-focused:

- Logs are only read from inside wp-content (configurable allowed dirs).
- Real paths are trimmed on display (shown from /wp-content/... only).
- No direct access to system-level /var/log directories.
- Login required to access UI:
  * Session-based authentication
  * Session timeout with configurable lifetime
  * Session cookie hardened (HttpOnly, SameSite=Strict, Secure if HTTPS)
  * CSRF protection for login and destructive actions (clear log)
  * Login rate limiting with temporary lockout after too many failures
- Optional HTTPS enforcement (redirect HTTP → HTTPS).
- No database required, all configuration via PHP array.

----------------------------------------------------------------------
CONFIGURATION
----------------------------------------------------------------------

Core configuration lives in `includes/config.php`.

Basic authentication:

    'username'      => 'admin',

    // Option 1: plain text password (simple, less secure)
    'password'      => 'password',

    // Option 2: password_hash (more secure, takes precedence if non-empty)
    // Example: password_hash('Your-Strong-Password', PASSWORD_DEFAULT)
    'password_hash' => '',

Security options:

    'session_timeout'    => 3600,  // seconds (1 hour)
    'force_https'        => false, // true to force HTTPS redirect
    'login_max_attempts' => 5,     // failed attempts before lockout
    'login_lockout_time' => 600,   // seconds (10 minutes)

Allowed log locations (for safety):

    'allowed_log_dirs'   => [
        $WP_CONTENT,
        $WP_UPLOADS,
    ];

Only files inside these directories are considered readable by the
viewer. This prevents accidental exposure of sensitive system paths.

Performance options:

    'max_lines'        => 1000,                // max lines to read per request
    'max_file_size'    => 50 * 1024 * 1024,    // 50MB
    'refresh_interval' => 3,                   // seconds for live tail

Log sources:

Each source refers either to a specific file, or to a folder containing
multiple .log files (where the latest one will be selected).

    'sources' => [
        [
            'id'    => 'wp_debug',
            'label' => 'WordPress Debug',
            'path'  => $WP_CONTENT . '/debug.log',
            'type'  => 'wordpress',
            'icon'  => '🔷',
        ],
        [
            'id'    => 'woo_latest',
            'label' => 'WooCommerce (Latest Log)',
            'path'  => $WP_UPLOADS . '/wc-logs',
            'type'  => 'woocommerce',
            'icon'  => '🛒',
        ],
        [
            'id'    => 'wordfence',
            'label' => 'Wordfence Firewall',
            'path'  => $WP_CONTENT . '/wflogs',
            'type'  => 'wordfence',
            'icon'  => '🛡️',
        ],
        [
            'id'    => 'ithemes',
            'label' => 'iThemes Security',
            'path'  => $WP_UPLOADS . '/ithemes-security/logs',
            'type'  => 'ithemes',
            'icon'  => '🔐',
        ],
        [
            'id'    => 'sucuri',
            'label' => 'Sucuri Security',
            'path'  => $WP_UPLOADS . '/sucuri',
            'type'  => 'sucuri',
            'icon'  => '🧱',
        ],
    ],

System requirements:

- PHP >= 7.4 (PHP 8+ recommended)
- Extensions: json, mbstring (optional but recommended)
- Sessions enabled
- File read permissions for the selected log files

----------------------------------------------------------------------
USAGE
----------------------------------------------------------------------

1. Place the app in your WordPress project

   Example structure:

       /wp-config.php
       /wp-content/
       /init-wordpress-log/
           index.php
           /includes
           /assets

   The viewer assumes it sits inside the same project root as
   `wp-content`. If you move it elsewhere, adjust the paths in
   `includes/config.php` accordingly.

2. Configure logs and auth

   Open `includes/config.php` and set:

   - `username`
   - Either:
     * `password` (plain text)
     * or `password_hash` using `password_hash()` in PHP
   - Confirm the log paths match your environment (especially WooCommerce
     and security plugins).
   - Tweak `allowed_log_dirs` if your logs live in a custom subfolder.

3. Ensure WordPress debug log is enabled (optional but recommended)

   In `wp-config.php`:

       define( 'WP_DEBUG', true );
       define( 'WP_DEBUG_LOG', true );

   This will create and write to `wp-content/debug.log`.

4. Access the viewer in your browser

   Example URL:

       https://example.com/init-wordpress-log/

   Log in with the credentials configured in `includes/config.php`.

5. Using the UI

   - Select a log source from the left sidebar (e.g. “WordPress Debug”).
   - Use the toolbar:
     * Search input to filter lines by keyword (e.g. “SQLSTATE”).
     * Line count selector (100 / 500 / 1000).
     * Level filter (All / Error / Warning / Notice / Info).
     * Live Tail checkbox to auto-refresh using the configured interval.
     * Refresh button to manually reload the latest lines.
     * Download button to download the full resolved log file.
     * Clear button to truncate the log (only if the file is writable).

   The viewer automatically scrolls to the bottom on each load and shows
   how many lines are displayed, plus the total file size.

----------------------------------------------------------------------
NOTES
----------------------------------------------------------------------

- This tool is focused on WordPress-level logs under `wp-content`. It is
  not intended to read system-wide logs such as `/var/log/nginx/error.log`.
- All file operations are constrained to `allowed_log_dirs`, helping to
  prevent accidental exposure of unrelated or sensitive files.
- When a source points to a directory (such as WooCommerce logs), the
  app automatically selects the newest `.log` file in that folder.
- Paths shown in the UI are trimmed to start at `/wp-content/...` to
  avoid leaking full server paths.
- Login security includes:
  * Hardened session cookies
  * Configurable session timeout
  * CSRF protection for login and destructive actions
  * Brute-force protection via rate limiting and temporary lockout
- For production deployments, it is strongly recommended to:
  * Change the default credentials immediately
  * Serve the viewer over HTTPS
  * Optionally restrict access via HTTP auth, IP allowlists, or a
    separate admin VPN.
- Clearing logs requires that the underlying log file is writable by
  the PHP user. If not writable, the Clear action will fail gracefully.
- No database is used; everything is file-based and configuration-driven.

----------------------------------------------------------------------
CREDIT
----------------------------------------------------------------------

© Init HTML  
https://inithtml.com
