Thanks for such a reliable plugin. I’ve been a long-time user and really appreciate it.
Issue Description
Intermittently, WP Cerber triggers “Cannot modify header information - headers already sent” errors when attempting to redirect blacklisted users (Status: 14).
This error does not occur under normal browsing conditions. Our site experiences high-volume automated access (likely from purchasing bots), and the error appears to be triggered during these bursts of rapid requests.
Environment
- WordPress 6.9
- WooCommerce 10.4.3
- WP Cerber 9.6.11
- PHP 8.3.21
- Traffic Inspector enabled with “Ignore logged-in users” (tierrnoauth) setting on
Error Log
PHP Warning: Cannot modify header information - headers already sent by
(output started at .../wp-includes/functions.php:5481) in .../wp-includes/pluggable.php on line 1558
Stack Trace
#0 wp-includes/pluggable.php:1701 wp_redirect
#1 wp-content/plugins/wp-cerber/cerber-common.php:5505 wp_safe_redirect
#2 wp-content/plugins/wp-cerber/cerber-load.php:2024 crb_safe_redirect
#3 wp-content/plugins/wp-cerber/cerber-load.php:1984 cerber_restrict_user
#4 wp-includes/class-wp-hook.php:341 {closure}
#5 wp-includes/pluggable.php:48 do_action('set_current_user')
#6 wp-includes/user.php:3788 wp_set_current_user(0)
#7 wp-includes/pluggable.php:1259 wp_get_current_user()
#8 wp-content/plugins/wp-cerber/cerber-common.php:2203 is_user_logged_in()
#9 wp-content/plugins/wp-cerber/cerber-load.php:7868 crb_is_user_logged_in()
#10 wp-content/plugins/wp-cerber/cerber-load.php:7806 cerber_error_shield()
#11 [internal function]: {closure}() ← shutdown handler
Suspected Cause
Based on the stack trace, it appears that:
- cerber_error_shield() is called during PHP shutdown via register_shutdown_function()
- At this point, WordPress’s wp_ob_end_flush_all() has already flushed output buffers and sent headers
- cerber_error_shield() calls crb_is_user_logged_in(), which triggers is_user_logged_in()
- This fires the set_current_user hook, where Cerber detects a blacklisted user and attempts to redirect
- The redirect fails because headers were already sent during shutdown
The issue seems to be that redirect operations are being attempted during the shutdown phase after output has begun.
Current Mitigation
We have disabled the “Ignore logged-in users” setting (tierrnoauth) in Traffic Inspector. This prevents is_user_logged_in() from being called during shutdown and avoids the error, though the root cause remains unresolved.
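The failure mode described in this report, as an added example that is not part of the original post and is not WP Cerber's code: a `set_current_user` callback that only attempts a redirect while a header can still reach the client. The `example_*` function names, the `example_is_blocked_request` filter and the `/blocked/` URL are hypothetical; `did_action()`, `headers_sent()`, `wp_safe_redirect()` and `home_url()` are standard WordPress/PHP functions.

```php
<?php
// Added illustration; every example_* name and the /blocked/ URL are hypothetical.

/**
 * True only while a redirect header can still be delivered.
 */
function example_can_redirect(): bool {
    // did_action() is incremented as soon as do_action( 'shutdown' ) begins,
    // so this also covers code running inside the shutdown phase itself.
    if ( did_action( 'shutdown' ) ) {
        return false;
    }
    // Output has started: header() would raise "headers already sent".
    return ! headers_sent();
}

/**
 * Stand-in for the site's own block-list lookup (assumption).
 */
function example_is_blocked_request(): bool {
    return (bool) apply_filters( 'example_is_blocked_request', false );
}

/**
 * Runs whenever the current user is set, including lazily at shutdown
 * when something calls is_user_logged_in() for the first time.
 */
function example_restrict_user(): void {
    if ( ! example_is_blocked_request() ) {
        return;
    }
    if ( example_can_redirect() ) {
        wp_safe_redirect( home_url( '/blocked/' ), 302 );
        exit;
    }
    // Too late for a redirect. Record where output began instead of
    // touching headers, so the decision is still visible in the logs.
    headers_sent( $file, $line );
    error_log( "example: blocked request seen after output began at {$file}:{$line}" );
    if ( ! did_action( 'shutdown' ) ) {
        exit; // Mid-request: stop serving further content.
    }
}
add_action( 'set_current_user', 'example_restrict_user' );
```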