PHP Warning: Undefined array key 0 in Has_Multiple_Admins.php line 93 (multisite

svenms
(@svenms)

1 day, 17 hours ago
Hello,

I’m reporting a PHP warning triggered by Site Kit on a multisite installation.

Environment
- WordPress: 6.9.4
- Site Kit: 1.178.0
- PHP: 8.2.28
- Multisite: yes
Warning (full message)

PHP Warning: Undefined array key 0 in /home/jzv4lkm/public_html/wp-content/plugins/google-site-kit/includes/Core/Authentication/Has_Multiple_Admins.php on line 93

(Adjust the filesystem path if you paste this on a different server.)

What happens
When Site Kit evaluates whether the site has multiple administrators, it calls <code class=””>get_super_admins() and then, inside the multisite branch, accesses <code class=””>$super_admins[0] after only checking <code class=””>! empty( $super_admins ).

In PHP 8+, that triggers “Undefined array key 0” when the array is non-empty but does not have a <code class=””>0 key (e.g. a sparse / non–zero-indexed array), which can occur depending on how the super admin list is stored or filtered.

Suggested direction
Before using <code class=””>$super_admins[0], the code could guard with <code class=””>isset( $super_admins[0] ) or normalize with something like <code class=””>$login = reset( $super_admins ); / <code class=””>array_values( $super_admins ) so the first login is read safely.

Expected behavior
No PHP warnings when counting administrators on multisite.

Thank you for considering a fix in a future release.

Viewing 4 replies - 1 through 4 (of 4 total)

wpfixpath
(@wpfixpath)

1 day, 12 hours ago

This looks like a real plugin-side edge case, not a normal site configuration issue.

The key point is that ! empty( $super_admins ) only proves the array has values. It does not prove index 0 exists. On multisite, if get_super_admins() returns a keyed or sparse array, $super_admins[0] can throw this PHP 8 warning.

The safer pattern would be one of:

$login = reset( $super_admins );

or:

$super_admins = array_values( $super_admins );
$login = $super_admins[0] ?? null;
Before patching locally, I would check whether anything is filtering or modifying the super admin list. Search custom plugins/theme code for site_admins or get_super_admins.

For production, I would not suppress warnings as the fix. Confirm the array shape first, then let Site Kit patch the access pattern.
Thread Starter svenms
(@svenms)

1 day, 12 hours ago
Hello, and thanks again for confirming this is a plugin-side edge case.

I ran the checks you suggested and validated the result directly in our multisite environment.

Codebase checks:

I searched our codebase under wp-content (active plugins, mu-plugins, and theme functions.php files) for anything that might modify the super admin list before Site Kit reads it.
- No filters found for:
  - site_admins
  - pre_option_site_admins
  - pre_site_option_site_admins
  - site_option_site_admins
- No custom assignments to global $super_admins found outside WordPress core.
- Only read-only consumers of get_super_admins() were found (for example Wordfence, Freemius-based plugins, and Site Kit itself).
Runtime verification (WP-CLI):

get_super_admins() returned: type=array count=1 keys=[5] key0_exists=no

Raw multisite option value: site_admins = {“5″:”svenms”}

Conclusion:

This confirms the edge case:
- The array is non-empty, so !empty($super_admins) is true.
- But index 0 does not exist (sparse/non-zero-based keys).
- Therefore $super_admins[0] triggers “Undefined array key 0” on PHP 8+.
Additional check (2FA plugin):

We also reviewed the active 2FA plugin (wp-2fa). It does not reference site_admins, get_super_admins, or related site_admins filters, so it does not appear to be causing this condition.

Safer access pattern suggestion:

Option 1: $login = reset($super_admins);

Option 2: $super_admins = array_values($super_admins); $login = $super_admins[0] ?? null;

Thank you.
- This reply was modified 1 day, 11 hours ago by svenms.
- This reply was modified 1 day, 11 hours ago by svenms.
- This reply was modified 1 day, 11 hours ago by svenms.
wpfixpath
(@wpfixpath)

1 day, 11 hours ago
This is good evidence and confirms the exact failure mode.

The important part is:
- get_super_admins() returns a non-empty array
- the only key is 5
- key 0 does not exist
- raw site_admins is {"5":"svenms"}
So the current check:

! empty( $super_admins )
is not sufficient before reading:

$super_admins[0]
The issue is not whether the site has a super admin. It does. The issue is that get_super_admins() does not guarantee a zero-based array.

For reproduction, a multisite install with a sparse site_admins option should be enough:

update_site_option( ‘site_admins’, array( 5 => ‘svenms’ ) );
Then any code path that assumes $super_admins[0] can trigger the PHP 8 warning.

The plugin-side fix should avoid assuming key 0, for example:

$login = reset( $super_admins );
or normalize first:

$super_admins = array_values( $super_admins );
$login = $super_admins[0] ?? null;
A site-side workaround would be to normalize the stored site_admins option, but that should not be necessary for Site Kit to avoid the warning.
Plugin Support James Osborne
(@jamesosborne)

1 day, 8 hours ago

Thanks for reporting this @svenms, and for the useful input @wpfixpath. I opened a GitHub issue for this, which you’ll find below:
https://github.com/google/site-kit-wp/issues/12671

Feel free to chime in there, or subscribe for updates. Hopefully we can get this address with one of the upcoming releases, given we have a bi-weekly release cycle. Thanks again for raising this, and in turn making it a more robust plugin for multisite users!

Viewing 4 replies - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.