Support » Plugin: iThemes Security (formerly Better WP Security) » Cannot modify header information…class-itsec-ssl.php

  • Resolved philraymond

    (@philraymond)


    This is showing up often in debug.log. Any help? WordPress 5.6.1 and iThemes Security 7.9.0.

    [08-Feb-2021 00:41:11 UTC] PHP Warning: Cannot modify header information – headers already sent by (output started at /home/hello/public_html/wp-content/plugins/better-wp-security/core/modules/ssl/class-itsec-ssl.php:131) in /home/hello/public_html/wp-includes/pluggable.php on line 1296

    [08-Feb-2021 00:41:11 UTC] PHP Warning: Cannot modify header information – headers already sent by (output started at /home/hello/public_html/wp-content/plugins/better-wp-security/core/modules/ssl/class-itsec-ssl.php:131) in /home/hello/public_html/wp-includes/pluggable.php on line 1299

Viewing 14 replies - 1 through 14 (of 14 total)
  • Thread Starter philraymond

    (@philraymond)

    Oh, and along with it:

    [08-Feb-2021 00:41:11 UTC] PHP Notice: Undefined index: HTTP_HOST in /home/hello/public_html/wp-content/plugins/better-wp-security/core/modules/ssl/class-itsec-ssl.php on line 131

    nlpro

    (@nlpro)

    Hi Phil,

    Most probably the PHP Notice as provided in the last post is from a WP CLI command while the iTSec plugin SSL module is enabled.
    (The 2 PHP Warnings from your initial post are the consequence of the PHP Notice).

    If you read through the relevant code in the better-wp-security/core/modules/ssl/class-itsec-ssl.php file, you’ll notice that the iTSec plugin SSL module will only redirect to HTTPS when:

    'cli' !== php_sapi_name()

    and will not redirect to HTTPS when:

    'cli' === php_sapi_name()

    However in reality, when running a WP CLI command the value returned by the PHP php_sapi_name() function will not always be ‘cli’ …

    So it appears the iTSec plugin SSL module is using the PHP php_sapi_name() function to determin whether a WP request is a WP CLI command or not. This is normally done using:

    if ( defined( 'WP_CLI' ) && WP_CLI ) {

    The odd thing is that other iTSec plugin modules use the correct CLI detection method … just not the SSL module (bug).

    There is a quick way to check what value is being returned by the PHP php_sapi_name() function in your WordPress env. Simply log into the WordPress Dashboard and navigate to the Tools/Site Health menu option. Then click on the Info tab. Next scroll down and click on the Server section to expand. Check the value for PHP SAPI. Since we are interfacing from a browser to a web server, you’ll allways find the value is something different than ‘cli’.

    Only when running a WP CLI command you’ll be able to detect the actual (and relevant) value returned by the PHP php_sapi_name() function.

    Unfortunately I haven’t yet figured out a way to get the same Site Health info from WP CLI. I call upon the community for help 😉

    To prevent any confusion, I’m not iThemes.

    • This reply was modified 3 months ago by nlpro.
    • This reply was modified 3 months ago by nlpro.
    • This reply was modified 3 months ago by nlpro.

    @philraymond,

    Three potential fixes for your issue:

    Option 1: Undefined index: HTTP_HOST
    Option 2: Undefined index: HTTP_HOST
    Option 3: Undefined index: HTTP_HOST

    Please let us know if any worked.

    Cheers!

    Thread Starter philraymond

    (@philraymond)

    Thanks so much to both of you for taking the time to share such thorough answers.

    @jetxpert your solutions look feasible, but they will all break eventually when the plugin is updated, right?

    @philraymond,

    Try the potential solutions first (individually). If any work, then you have the following options:

    (1) Contact your host to see if they are restricting your website. If so, suggest a .htaccess modification to reflect the solution you found. Once implemented, you can restore the modified files back to their original configuration. Make a backup first.

    OR

    (2) Develop, search for, or request a code snippet for your functions.php file. The snippet should override future plugin updates.

    Cheers!

    Thread Starter philraymond

    (@philraymond)

    Thanks, this seems to have worked for now:

    if ( defined( 'WP_CLI' ) && WP_CLI ) {

    Interesting how some of these issues in the WordPress core are so old and still unresolved. I just found a 5-year-old bug in wp-includes/canonical.php that has yet to be fixed.

    @philraymond,

    Awesome. Can you share in more detail what you did?

    Cheers!

    • This reply was modified 2 months, 4 weeks ago by jetxpert.
    Thread Starter philraymond

    (@philraymond)

    private function redirect_to_https() {
    if ( defined( 'WP_CLI' ) && WP_CLI ) { //phil
    $redirect = "https://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}";
    wp_redirect( $redirect, 301 );
    exit();
    } //phil
    }

    I wrapped it in that IF statement directly in class-itsec-ssl.php.

    Yep, it may break when the plugin is updated.

    @philraymond,

    Thanks! Let’s hope this gets looked at and fixed soon by both WP and iTSec. WP 5.7 promises to fix many bugs.

    Cheers!

    Add the method below to the ITSEC_SSL class:

    private function itsec_wp_is_cli() {
    	return defined( 'WP_CLI' ) && WP_CLI;
    }

    Then in the init() method replace (line 72):

    } else if ( enabled' === $settings['require_ssl'] && 'cli' !== php_sapi_name() && 'GET' === $_SERVER['REQUEST_METHOD'] ) {

    with:

    } else if ( enabled' === $settings['require_ssl'] && ! $this->itsec_wp_is_cli() && 'GET' === $_SERVER['REQUEST_METHOD'] ) {

    and (for consistency) in the do_conditional_ssl_redirect() method (line 90):

    if ( 'cli' === php_sapi_name() ) {

    with:

    if ( $this->itsec_wp_is_cli() ) {

    • This reply was modified 2 months, 4 weeks ago by nlpro.
    • This reply was modified 2 months, 4 weeks ago by nlpro.
    • This reply was modified 2 months, 4 weeks ago by nlpro.

    @nlpro,

    Thanks. We’re good without modifying the code. However, we tried to implement your above changes and got a fatal error which was fixed by applying a small change to your code (‘ found missing before enabled):

    Line 72 should be:

    } else if ( 'enabled' === $settings['require_ssl'] && ! $this->itsec_wp_is_cli() && 'GET' === $_SERVER['REQUEST_METHOD'] ) {

    Cheers!

    @jetxpert

    Excellent! Apologies for the typo 😉

    Has this bug been fixed yet?

    It’s not really a bug. Using WP_CLI constant is more robust (and preferred method).
    It’s certainly not wrong to use PHP php_sapi_name() function, but it’s less robust.

    If the wrong PHP binary is called by WP CLI, the PHP php_sapi_name() function may not return the expected value (cli).

Viewing 14 replies - 1 through 14 (of 14 total)
  • You must be logged in to reply to this topic.