Site-kit-wp: Potential REST error in WordPress 5.5

I just updated to Wordpress 5.5 and am seeing these errors as well.

Edit - Just FYI I did go through and disable my plugins one by one and it is indeed Site Kit that is causing these error messages.

Edit #2 - I am running version 1.14.0 of the plugin.

Notice: register_rest_route was called incorrectly. The REST API route definition for toolset/v2/search-posts is missing the required permission_callback argument. For REST API routes that are intended to be public, use __return_true as the permission callback. Please see Debugging in WordPress for more information. (This message was added in version 5.5.0.) in /wp-includes/functions.php on line 5225

Notice: register_rest_route was called incorrectly. The REST API route definition for toolset-views/v1/views/(?Pd+).* is missing the required permission_callback argument. For REST API routes that are intended to be public, use __return_true as the permission callback. Please see Debugging in WordPress for more information. (This message was added in version 5.5.0.) in /wp-includes/functions.php on line 5225

Notice: register_rest_route was called incorrectly. The REST API route definition for toolset/v2/search-posts is missing the required permission_callback argument. For REST API routes that are intended to be public, use __return_true as the permission callback. Please see Debugging in WordPress for more information. (This message was added in version 5.5.0.) in /wp-includes/functions.php on line 5225

Notice: register_rest_route was called incorrectly. The REST API route definition for otgs/installer/v1/push/fetch-subscription is missing the required permission_callback argument. For REST API routes that are intended to be public, use __return_true as the permission callback. Please see Debugging in WordPress for more information. (This message was added in version 5.5.0.) in /wp-includes/functions.php on line 5225

Notice: register_rest_route was called incorrectly. The REST API route definition for toolset-dynamic-sources/v1/dynamic-sources is missing the required permission_callback argument. For REST API routes that are intended to be public, use __return_true as the permission callback. Please see Debugging in WordPress for more information. (This message was added in version 5.5.0.) in /wp-includes/functions.php on line 5225

@smwcollege @lukkymike Thanks for reporting. I've tested this on a couple of sites although I've been unable to recreate the same experience. Can you share your Site Health information so we can investigate this further after checking and trying to recreate your setup?

@jamesozzie Can do James. It looks like there's a lot of very specific information in the Site Health info, any chance I can get that to you in a way that's less public?

@lukkymike Sure, you can use this form. Please create a WordPress support forum topic first. If you have any questions let me know.

I've created the forum topic, I apologize I'm not quite seeing how I would share this info privately through the forum. Thanks for the help!

https://wordpress.org/support/topic/rest-error-in-wordpress-5-5/

My bad, you'll find the link here. You can use the WordPress topic URL in order to process the form.

Got it. Filled out and submitted. Thanks!!

Excellent, we can take a look and report back to you from the related WordPress support topic.

Here is our report generated by Site Health:

### wp-core ###

version: 5.5
site_language: en_US
user_language: en_US
timezone: America/Indiana/Indianapolis
permalink: /%postname%/
https_status: true
user_registration: 0
blog_public: 1
default_comment_status: open
multisite: false
user_count: 14
dotorg_communication: true

### wp-paths-sizes ###

wordpress_path: /code
wordpress_size: 169.33 MB (177554298 bytes)
uploads_path: /code/wp-content/uploads
uploads_size: 4.44 GB (4771226375 bytes)
themes_path: /code/wp-content/themes
themes_size: 11.36 MB (11910844 bytes)
plugins_path: /code/wp-content/plugins
plugins_size: 66.68 MB (69920327 bytes)
database_size: 694.91 MB (728662016 bytes)
total_size: 5.36 GB (5759273860 bytes)

### wp-dropins (1) ###

object-cache.php: true

### wp-active-theme ###

name: SMWC Theme (smwc)
version: 1.6.4
author: mjkretsinger
author_website: http://mjkretsinger.com/
parent_theme: none
theme_features: core-block-patterns, menus, post-thumbnails, html5, title-tag, disable-custom-font-sizes, editor-font-sizes, disable-custom-colors, editor-color-palette, responsive-embeds, editor-style
theme_path: /code/wp-content/themes/smwc
auto_update: Disabled

### wp-mu-plugins (1) ###

Pantheon: version: 0.1, author: Pantheon

### wp-plugins-active (40) ###

ACF: Better Search: version: 3.5.3, author: Mateusz Gbiorczyk, Auto-updates disabled
ACF Content Analysis for Yoast SEO: version: 2.6, author: Thomas Kräftner, ViktorFroberg, marol87, pekz0r, angrycreative, Team Yoast, Auto-updates disabled
Advanced Custom Fields: Nav Menu Field: version: 2.0.0, author: Faison Zutavern, Auto-updates disabled
Advanced Custom Fields PRO: version: 5.8.13, author: Elliot Condon (latest version: 5.8.14), Auto-updates disabled
Akismet Anti-Spam: version: 4.1.6, author: Automattic, Auto-updates disabled
Breadcrumb NavXT: version: 6.5.0, author: John Havlik, Auto-updates disabled
Column Shortcodes: version: 1.0, author: Codepress (latest version: 1.0.1), Auto-updates disabled
Content Audit: version: 2.0, author: Stephanie Leary, Auto-updates disabled
Disable Gutenberg Blocks - Block Manager: version: 1.0.8, author: Danny Cooper, Auto-updates disabled
Email Address Encoder: version: 1.0.21, author: Till Krüss, Auto-updates disabled
Enable Media Replace: version: 3.4.1, author: ShortPixel, Auto-updates disabled
Force Strong Passwords: version: 1.8.0, author: Jason Cosper, Auto-updates disabled
HashBar - WordPress Notification Bar: version: 1.1.2, author: HT Plugins (latest version: 1.1.3), Auto-updates disabled
Instagram Feed Pro Personal: version: 5.6.4, author: Smash Balloon, Auto-updates disabled
Lightbox with PhotoSwipe: version: 3.0.6, author: Arno Welzel, Auto-updates disabled
Limit Login Attempts Reloaded: version: 2.15.1, author: WPChef, Auto-updates disabled
MCE Table Buttons: version: 3.3, author: Jake Goldman, 10up, Oomph, Auto-updates disabled
MJK Wufoo Integration: version: 1.0, author: MJ Kretsinger, Auto-updates disabled
Native PHP Sessions for WordPress: version: 1.2.0, author: Pantheon, Auto-updates disabled
Nested Pages: version: 3.1.11, author: Kyle Phillips, Auto-updates disabled
Pantheon Advanced Page Cache: version: 1.0.0, author: Pantheon, Auto-updates disabled
Popup Maker: version: 1.11.1, author: Popup Maker, Auto-updates disabled
Post Duplicator: version: 2.21, author: Metaphor Creations, Auto-updates disabled
Public Post Preview: version: 2.9.1, author: Dominik Schilling, Auto-updates disabled
Real Media Library: version: 4.9.1, author: devowl.io, Auto-updates disabled
Redirection: version: 4.8, author: John Godley, Auto-updates disabled
Regenerate Thumbnails Advanced: version: 2.3.1, author: ShortPixel, Auto-updates disabled
Relevanssi: version: 4.7.2.1, author: Mikko Saari (latest version: 4.8.0), Auto-updates disabled
Revisionize: version: 2.3.3, author: Jamie Chong, Auto-updates disabled
Search Exclude: version: 1.2.5, author: Roman Pronskiy, Auto-updates disabled
Simple History: version: 2.35.1, author: Pär Thernström, Auto-updates disabled
Site Kit by Google: version: 1.13.1, author: Google (latest version: 1.14.0), Auto-updates disabled
Smush: version: 3.6.3, author: WPMU DEV, Auto-updates disabled
SVG Support: version: 2.3.18, author: Benbodhi, Auto-updates disabled
WP Accessibility: version: 1.7.1, author: Joe Dolson, Auto-updates disabled
WP Lazy Loading: version: 1.1, author: The WordPress Team, Auto-updates disabled
WP Mail SMTP: version: 2.2.1, author: WPForms, Auto-updates disabled
WP Redis: version: 1.1.0, author: Pantheon, Josh Koenig, Matthew Boynes, Daniel Bachhuber, Alley Interactive, Auto-updates disabled
WP Retina 2x: version: 5.6.1, author: Jordy Meow, Auto-updates disabled
Yoast SEO: version: 14.7, author: Team Yoast, Auto-updates disabled

### wp-plugins-inactive (1) ###

Regenerate Thumbnails: version: 3.1.3, author: Alex Mills (Viper007Bond), Auto-updates disabled

### wp-media ###

image_editor: WP_Image_Editor_Imagick
imagick_module_version: 1690
imagemagick_version: ImageMagick 6.9.10-86 Q16 x86_64 2020-01-13 https://imagemagick.org
file_uploads: File uploads is turned off
post_max_size: 100M
upload_max_filesize: 100M
max_effective_size: 100 MB
max_file_uploads: 20
imagick_limits: 
    imagick::RESOURCETYPE_AREA: 126 GB
    imagick::RESOURCETYPE_DISK: 9.2233720368548E+18
    imagick::RESOURCETYPE_FILE: 24576
    imagick::RESOURCETYPE_MAP: 126 GB
    imagick::RESOURCETYPE_MEMORY: 63 GB
    imagick::RESOURCETYPE_THREAD: 16
gd_version: bundled (2.1.0 compatible)
ghostscript_version: 9.25

### wp-server ###

server_architecture: Linux 4.19.112+ x86_64
httpd_software: nginx/1.16.1
php_version: 7.4.9 64bit
php_sapi: fpm-fcgi
max_input_variables: 10000
time_limit: 120
memory_limit: 512M
max_input_time: 900
upload_max_size: 100M
php_post_max_size: 100M
curl_version: 7.61.1 OpenSSL/1.1.1c
suhosin: false
imagick_availability: true
pretty_permalinks: true
htaccess_extra_rules: true

### wp-database ###

extension: mysqli
server_version: 10.0.23-MariaDB-log
client_version: mysqlnd 7.4.9

### wp-constants ###

WP_HOME: https://wp55-smwc.pantheonsite.io
WP_SITEURL: https://wp55-smwc.pantheonsite.io
WP_CONTENT_DIR: /code/wp-content
WP_PLUGIN_DIR: /code/wp-content/plugins
WP_MAX_MEMORY_LIMIT: 512M
WP_DEBUG: true
WP_DEBUG_DISPLAY: true
WP_DEBUG_LOG: /code/wp-content/uploads/debug.log
SCRIPT_DEBUG: false
WP_CACHE: false
CONCATENATE_SCRIPTS: undefined
COMPRESS_SCRIPTS: undefined
COMPRESS_CSS: undefined
WP_LOCAL_DEV: undefined
DB_CHARSET: utf8mb4
DB_COLLATE: undefined

### wp-filesystem ###

wordpress: writable
wp-content: writable
uploads: writable
plugins: writable
themes: writable
mu-plugins: writable

### google-site-kit ###

version: 1.13.1
php_version: 7.4.9
wp_version: 5.5
reference_url: https://wp55-smwc.pantheonsite.io
amp_mode: no
site_status: not-connected
user_status: not authenticated
active_modules: site-verification, search-console, adsense, analytics, pagespeed-insights, tagmanager
required_scopes: 
    openid: ✅
    https://www.googleapis.com/auth/userinfo.profile: ✅
    https://www.googleapis.com/auth/userinfo.email: ✅
    https://www.googleapis.com/auth/siteverification: ✅
    https://www.googleapis.com/auth/webmasters: ✅
    https://www.googleapis.com/auth/adsense.readonly: ✅
    https://www.googleapis.com/auth/analytics.readonly: ✅
    https://www.googleapis.com/auth/tagmanager.readonly: ✅
search_console_property: https://wp55-smwc.pantheonsite.io/
adsense_account_id: none
adsense_client_id: none
adsense_account_status: none
adsense_use_snippet: yes
analytics_account_id: 7344•••
analytics_property_id: UA-7344•••••
analytics_profile_id: 1310•••••
analytics_use_snippet: no
tagmanager_account_id: 5111•••••
tagmanager_container_id: GTM-TK7•••
tagmanager_amp_container_id: none
tagmanager_use_snippet: yes

### wp_mail_smtp ###

version: 2.2.1
license_key_type: lite
debug: No debug notices found.
db_tables: wp_wpmailsmtp_tasks_meta

Our setup is a little different from a typical WordPress server, since we're on the Pantheon cloud platform. This isn't our production environment, but the server configuration should be a clone of what we're running live.

Additional support topics reporting this same issue:
https://wordpress.org/support/topic/site-hang-after-plugin-activate/

And also a user in the below topic, with one additional user highlighting the same in the original support support:
https://wordpress.org/support/topic/site-kit-encountered-an-error-6/#post-13265327

As of WordPress 5.5 a doing it wrong warning is thrown when a route is registered without a permission_callback (see [https://make.wordpress.org/core/2020/07/22/rest-api-changes-in-wordpress-5-5/)). Depending on a user's configuration, these errors may cause issues or be otherwise visible.

This doesn't seem to affect Site Kit - Our routes are all set up with register_route while the changes in 5.5 where to register_rest_route. In my testing Site Kit does not throw this error. Still, it is worth ensuring all routes contain the callback.

Reviewing our callbacks, Felix noted that the post search route is missing this now required callback. Reviewing all of our routes this is the only one I see that is missing the callback.

We can probably use an existing callback, eg:
'permission_callback' => $can_authenticate,

Moving this to prioritization, cc: @felixarntz.

@adamsilverstein I've opened #1924 to deal with the post search REST route.

The reports of these users don't seem related to that though, so it has to be something else. Have you tried using one of those plugins with Site Kit? The only thing I could see is some sort of conflict, although I'm not even sure how having Site Kit active could trigger that PHP warning for another plugin 🤔

@felixarntz @adamsilverstein regarding the OP - the reason why these appear to be Site Kit related is due to our preloaded REST responses which initialize the REST API. This causes these route validation notices to be raised, which would normally be raised during a normal REST request as well, only users wouldn't probably see the notices.

Interestingly, the warning for the post-search route _is not raised_ even with WP 5.5 due to the way we register our routes. Our routes are currently registered on the WP_REST_Server directly using the instance passed from the rest_api_init action.
https://github.com/google/site-kit-wp/blob/1c9f13947cba8d9953ca57b9e87d05c1993d212c/includes/Core/REST_API/REST_Routes.php#L124-L129

This bypasses the validation that happens when a route is registered when calling register_rest_route. When I update line 128 above to use register_rest_route instead, the notice is raised as expected:

PHP Notice:  register_rest_route was called <strong>incorrectly</strong>. The REST API route definition for <code>google-site-kit/v1/core/search/data/post-search</code> is missing the required <code>permission_callback</code> argument. For REST API routes that are intended to be public, use <code>__return_true</code> as the permission callback. Please see <a href="https://wordpress.org/support/article/debugging-in-wordpress/">Debugging in WordPress</a> for more information. (This message was added in version 5.5.0.) in /var/www/html/wp-includes/functions.php on line 5225

Although I prefer the current design over using a global function for registering the route from an OO perspective, we should probably use the function as it seems to be the preferred/proper way to register a route as WP core does not use \WP_REST_Server::register_route outside of register_rest_route or the WP_REST_Server class.

Aside from that, after activating all the modules, I can confirm that the post-search route is the only one that raises this warning.

Note that this issue is related to #1882 but that is specific to routes only used in our E2E tests.

@aaemnnosttv Nice sleuthing on the underlying (preload) reason our code might throw the error (if it were using the register_rest_route function). Switching to register_rest_route might make sense since that seems more recommended (and gets us the additional validation we are missing).

The reports of these users don't seem related to that though, so it has to be something else. Have you tried using one of those plugins with Site Kit?

@jamesozzie mentioned spending time trying plugins from the support issues and was unable to reproduce the issue, perhaps the user's were on older versions of these plugins. They would already get warnings in their logs, but because of our REST route preloading, Site Kit may have elevated these errors to happening in the page load context and thus appear to be visible only when Site Kit is active.

@adamsilverstein I can confirm what you're indicating here. When I was attempting to identify the issue on my site, I started at the top of my list of plugins, disabling them one by one, to find the culprit and stopped when I got to Site Kit because the error messages went away.

I re-enabled Site Kit and continued down the list and found that several other plugins that I'm using, all part of the Toolset (https://toolset.com/) that system seem to be at the core of this. As I disabled each one, more of the messages started to disappear, and when I had all of the Toolset plugins disabled, the messages were gone completely. I'll be opening a thread on their forum as well.

Update (before even completing this comment) - I thought I'd leave the last bit in there just for context, but as I was going through and re-enabling the Toolset plugins, I noticed that there was an update for them, posted yesterday (I usually try to stay on top of updates), which has resolved this issue for me. I am able to have the Toolset plugins and Site Kit enabled simultaneously without issue.

For others experiencing this issue, it would be good to analyze the other plugins you may have on your site, it appears that Site Kit is merely caught in the crossfire on this one.

Thanks for the updates @lukkymike, that's really helpful!

@adamsilverstein @aaemnnosttv Given this issue was caused by other plugins not providing a permission_callback, I believe we should close this. There is #1924 to fix our own post search route.