I’m getting “A PHP session was created by a session_start() function call. This interferes with REST API and loopback requests. The session should be closed by session_write_close() before making any HTTP requests.”
With plugin deactivated I get the same error message.
After uninstalling or simply renaming the folder the error is gone.
Does anyone else get the same error message or is it a unique incident on my setup?
The session_start function is used in the optional Brute-Force Login Protection. If you have activated this protection on the Firewall Options page (found under the Anti-Malware menu in your wp-admin) then it will execute the session_start function from an include file that was added to the top line in your wp-config.php file, even if you deactivate the plugin. Deleting the plugin, or removing this line in your wp-config.php file will disable the Brute-Force Login Protection, but you can probably just ignore this warning if you want to keep the extra protection. I have yet to my session_start actually interfere with and REST API calls.
Please let me know if you have any more questions on any of this, or if you would like to report an actual conflict with your REST API usage and my session code please send me the details and I’ll look into it further.
Thank you for the quick response and this detailed explanation. I actually don’t have any real error related to the REST API.
Nevertheless, such error output during the “health check” is annoying.
You want to have a page that is as error-free as possible. Now I can decide for myself whether I want to do without the
additional “brute force protection” or not. Thanks a lot.
I am seeing the same warning. Disabling the brute force plugin makes it go away.
I think it only started happening when I upgraded to PHP 8.1 (from 7.4); session_start() appears to be deprecated in PHP8, which I guess is why we’re seeing it (in case this helps you 
)
I just wanted to post a followup here for anyone who was seeing this error on their Site Health page. In the latest release of my plugin I have fixed the Brute Force Login Protection so that the session_start call does not conflict with the REST API or any other sessions created after my own session check is complete.
Just to clarify one point on Richard’s post, session start has not been deprecated in PHP 8.1 or any other version of PHP currently available and I don’t expect it ever will be, but there are many reasons why sessions might fail on a server that does not have a properly configured temp space and the right permissions to create session cookies on the server. Therefore, I have engineered a backup technique for saving session info to temp files when the session_start fails to initialize a persistent session. Please try the new version and let me know if you have any other issues with this patch.
