REST API: Log doing_it_wrong notices to debug.log

[ilclaudio]

Fixes #64260. The doing_it_wrong_trigger_error filter was preventing all doing_it_wrong notices from being logged during REST requests. This change ensures notices are written to debug.log while still preventing trigger_error() from interfering with REST responses.

Now the error is filterd but in the debug.log file you can see a meeesage like this:

[21-Nov-2025 14:01:41 UTC] REST API - Doing it wrong: register_rest_route - The REST API route definition for test/v1/example is missing the required permission_callback argument. For REST API routes that are intended to be public, use __return_true as the permission callback. (This message was added in version 5.5.0.)

Trac ticket: https://core.trac.wordpress.org/ticket/64260

[github-actions]

Hi @ilclaudio! 👋

Thank you for your contribution to WordPress! 💖

It looks like this is your first pull request to wordpress-develop. Here are a few things to be aware of that may help you out!

No one monitors this repository for new pull requests. Pull requests must be attached to a Trac ticket to be considered for inclusion in WordPress Core. To attach a pull request to a Trac ticket, please include the ticket's full URL in your pull request description.

Pull requests are never merged on GitHub. The WordPress codebase continues to be managed through the SVN repository that this GitHub repository mirrors. Please feel free to open pull requests to work on any contribution you are making.

More information about how GitHub pull requests can be used to contribute to WordPress can be found in the Core Handbook.

Please include automated tests. Including tests in your pull request is one way to help your patch be considered faster. To learn about WordPress' test suites, visit the Automated Testing page in the handbook.

If you have not had a chance, please review the Contribute with Code page in the WordPress Core Handbook.

The Developer Hub also documents the various coding standards that are followed:

• PHP Coding Standards
• CSS Coding Standards
• HTML Coding Standards
• JavaScript Coding Standards
• Accessibility Coding Standards
• Inline Documentation Standards

Thank you,
The WordPress Project

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Unlinked Accounts

The following contributors have not linked their GitHub and WordPress.org accounts: @claudiobat.

Contributors, please read how to link your accounts to ensure your work is properly credited in WordPress releases.

Core Committers: Use this line as a base for the props when committing in SVN:

Props ioclaudio, westonruter, juanmaguitar.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

[github-actions]

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

• The Plugin and Theme Directories cannot be accessed within Playground.
• All changes will be lost when closing a tab with a Playground instance.
• All changes will be lost when refreshing the page.
• A fresh instance is created each time the link below is clicked.
• Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
  it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

[ilclaudio]

It looks like one of the GitHub Actions jobs failed due to a transient network issue (curl error 7 while downloading from packagist.org) and not because of my code changes.
Could someone please re-run the failed job? Thank you!

[westonruter]

Could someone please re-run the failed job? Thank you!

Re-run!

[juanmaguitar]

@ilclaudio There's some feedback provided in this PR.
Do you think you'll have time to address it in time for WP 7.0?

[ilclaudio]

Hi @juanmaguitar I have only proposed a patch but I'm not responsible to include it into the official code. I honestly don't know what else to do.

[juanmaguitar]

@ilclaudio, first of all thank for proposing this patch for the ticket :)

There's some feedback on the PR provided by @westonruter that still needs to be addressed

why not just remove the doing_it_wrong_trigger_error filter altogether?

A response to that comment would be helpful to move forward with this PR

[claudiobat]

@ilclaudio, first of all thank for proposing this patch for the ticket :)

There's some feedback on the PR provided by @westonruter that still needs to be addressed

why not just remove the doing_it_wrong_trigger_error filter altogether?

A response to that comment would be helpful to move forward with this PR

Sorry for the late reply, feedback addressed.

[ilclaudio]

Thanks for the feedback @westonruter.
Both points addressed in the latest commits and tests are passing.
Sorry for the confusion with my work account @claudiobat: my account for WordPress contributions is @ilclaudio, linked to my WordPress.org profile @ioclaudio.
This is my first contribution attempt, I guess it shows.

[westonruter]

I don't think we need wp_strip_all_tags() here. This is going straight to the error log, so it is not being displayed anywhere. I don't feel strongly about this, however.

Suggested change

	error_log( 'PHP Notice: ' . wp_strip_all_tags( $string ) . $caller );
	error_log( 'PHP Notice: ' . $string . $caller );

[westonruter]

🤖 Automated code review from Claude Code (high-effort recall pass), requested by @westonruter.

No crashing bugs found — the change is additive. Below are correctness edge cases and a couple of altitude/consistency concerns left as inline comments. These are suggestions from an automated reviewer; please use judgment.

[westonruter]

🤖 Claude Code: Incomplete/inconsistent fix. Only rest_handle_doing_it_wrong() gains debug-log output. The sibling handlers rest_handle_deprecated_function() and rest_handle_deprecated_argument() are registered identically in rest_api_default_filters() (lines 243–246) with the same __return_false suppression, but still drop their notices from debug.log entirely.

With WP_DEBUG_LOG on, a deprecated function/argument used during a REST request logs nothing, while a _doing_it_wrong() call in the same request now logs — an asymmetry that will confuse debugging and invites copy-pasting this same backtrace/format block into two more places.

[westonruter]

🤖 Claude Code (altitude): Consider whether this is the right depth for the fix. The reason these notices never reach the log during REST is line 248's add_filter( 'doing_it_wrong_trigger_error', '__return_false' ), which short-circuits the native wp_trigger_error() logging path. Re-implementing logging here bypasses the canonical message format, sanitization, and hooks of _doing_it_wrong().

Note that display_errors is already forced to 0 for REST requests in wp_debug_mode() (load.php ~642–647), so the suppression filter may be relaxable instead of bolting on a parallel logger. As written, future changes to how core formats/logs _doing_it_wrong won't apply to REST.

[westonruter]

🤖 Claude Code: This logging runs on the doing_it_wrong_run action and does not consult the doing_it_wrong_trigger_error filter, so it can't be silenced and may double-log. A site that adds its own doing_it_wrong_trigger_error filter to quiet a known-noisy third-party notice will still get it written to the log on every REST request. Conversely, if any code restores triggering during a REST request, the same incident is recorded twice (native + this entry).

[westonruter]

🤖 Claude Code (reuse): The bespoke debug_backtrace() + "first frame under WP_CONTENT_DIR" loop reinvents caller-location logic that core already provides via wp_debug_backtrace_summary(). Reusing the existing helper (or at least factoring this out) avoids a one-off heuristic that no other part of core relies on and must be re-audited whenever PHP backtrace semantics or path constants change.

[westonruter]

🤖 Claude Code: str_starts_with( $frame['file'], WP_CONTENT_DIR ) silently drops the caller location in two real cases:

1. Windows — backtrace file paths often use backslashes (C:\\site\\wp-content\\plugins\\foo.php) while WP_CONTENT_DIR may be forward-slash normalized, so the match fails and $caller stays empty.
2. Custom layouts — plugins/themes outside wp-content (custom WP_PLUGIN_DIR, symlinks) won't match either.

In both cases the log omits the offending file/line, which is exactly the information this feature exists to surface. Also note there's no path-separator boundary on the prefix match, so a sibling dir like /srv/site/wp-content-backup/... would be misattributed as a plugin/theme caller.

[westonruter]

🤖 Claude Code: error_log() with a single argument writes to PHP's configured error_log ini setting. That setting is only applied by wp_debug_mode() (load.php ~630–633) when debug-mode checks run. If a mu-plugin returns false on the enable_wp_debug_mode_checks filter, wp_debug_mode() returns early (lines 609–611) before ini_set( 'error_log', $log_path ), yet WP_DEBUG_LOG is still truthy here — so the notice goes to the SAPI default error log (e.g. stderr / the web-server log), not the admin's configured debug.log.

(For what it's worth, I verified the 'PHP Notice: ' prefix is correct: wp_trigger_error() defaults to E_USER_NOTICE, so this matches native severity.)

[westonruter]

🤖 Claude Code — one more issue (raised by @westonruter): this logging does not honor error_reporting().

[westonruter]

🤖 Claude Code: error_log() is not filtered by error_reporting() — it writes unconditionally. The native logging path (_doing_it_wrong() → wp_trigger_error() → trigger_error( $message, E_USER_NOTICE )) does respect error_reporting(), so a site that masks out notices (e.g. error_reporting( E_ALL & ~E_USER_NOTICE ), or a php.ini that excludes notices combined with an enable_wp_debug_mode_checks filter that stops WP from forcing E_ALL) would normally see nothing logged.

With this direct error_log() call, the notice is written to the log even when the operator has explicitly configured error reporting to exclude notices — i.e. logging output that wasn't requested. If the logging stays hand-rolled, it should gate on error_reporting() & E_USER_NOTICE (and arguably on ! headers_sent()-independent state) to match the behavior callers expect; routing through wp_trigger_error() instead would get this for free.

[westonruter]

This should ensure the notices only get logged out if such logs are desired.

Suggested change

	if ( WP_DEBUG_LOG ) {
	if ( WP_DEBUG_LOG && ( error_reporting() & E_USER_NOTICE ) ) {