Exposing PHP Errors to Visitors
Best practice is not to show any technical error messages to visitors: if a visitor is malicious, those messages reveal technical details about the server and help them refine an attack strategy.
Thus we recommend you turn off the following variable in your conf files:
$display_errors_on_production = false;
If you are not comfortable editing your /conf/_advanced.php file, you can override any variable by adding it to _local.php.
You may ask why it's not turned off by default. Because when it is off, unsophisticated users post errors to the forums without any technical details, and it takes more time to get them to retrieve the technical info than it takes to fix their problem once we have that info.
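A deployment check for the setting above, as an added example that is not part of b2evolution or its manual. It assumes _local.php sits in the same conf directory as _advanced.php and is loaded after it, so the last uncommented assignment wins; the function names are hypothetical.

```python
import re
import tempfile
from pathlib import Path

VAR = "display_errors_on_production"
# Uncommented PHP assignment, e.g. "$display_errors_on_production = false;"
ASSIGN = re.compile(r"^\s*\$" + VAR + r"\s*=\s*([^;]+);", re.MULTILINE)

def strip_comments(php):
    """Drop /* */ blocks and whole-line // or # comments so disabled assignments are ignored."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.DOTALL)
    return re.sub(r"(?m)^[ \t]*(//|#).*$", "", php)

def effective_setting(conf_dir, files=("_advanced.php", "_local.php")):
    """Return (value, file) for the last assignment found. Assumption: files load in this order."""
    result = (None, None)
    for name in files:
        path = Path(conf_dir) / name
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        matches = ASSIGN.findall(strip_comments(text))
        if matches:
            result = (matches[-1].strip().lower(), name)
    return result

def audit(conf_dir):
    """Summarise whether visitors would see PHP errors with this configuration."""
    value, source = effective_setting(conf_dir)
    if value is None:
        return "UNKNOWN: variable not assigned in the conf files checked"
    if value in ("false", "0"):
        return f"OK: errors hidden from visitors (set in {source})"
    return f"WARN: errors shown to visitors ({value} in {source})"

if __name__ == "__main__":
    # Constructed sample conf directory, not a real installation.
    conf = Path(tempfile.mkdtemp())
    (conf / "_advanced.php").write_text("<?php\n$display_errors_on_production = true;\n")
    print(audit(conf))
    (conf / "_local.php").write_text("<?php\n$display_errors_on_production = false;\n")
    print(audit(conf))
```

Run it against the conf directory of a staged copy before release; a WARN or UNKNOWN result means the value should be set explicitly.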
Debug mode
Turning on debug mode on production servers is a very bad idea because it exposes even more data that can be used by hackers. If you need debug info on a production server, set up a debug password and use &debug= in the URL. This way only you can see the debug info (and error messages).
For more information about debug mode, please read this: Debugging