403 Forbidden since I updated to WP 5.3

[lostfocus]

Right now I'm getting a 403 Forbidden with all clients that I'm testing:

HTTP/1.1 403 Forbidden
Date: Fri, 22 Nov 2019 17:57:12 GMT
Server: Apache/2.4.29 (Ubuntu)
X-Robots-Tag: noindex
Link: <https://lostfocus.de/wp-json/>; rel="https://api.w.org/"
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages
Access-Control-Allow-Headers: Authorization, Content-Type
Content-Length: 56
Content-Type: application/json; charset=UTF-8

{"error":"forbidden","error_description":"Unauthorized"}

This one is from Quill. I do use https://indieauth.com/ to get a token, maybe it's something there? I'll investigate.

[lostfocus]

At the moment it seems like the determine_current_user filter isn't being used. This is very peculiar.

[lostfocus]

Okay, so it seems to be related to WP Core issues 46586 and 43869. For some reason (my) WordPress calls the hook before plugins_loaded which leads to the Micropub/Indieauth hook being ignored.

[dshanske]

@lostfocus What plugins do you have installed?

[lostfocus]

Listing and sorting through all 20+ of them might take a while. I have the well-known one, ActivityPub, Akismet, Comment Meta Display, Enable Media Replace, Exploit Scanner, Google XML Sitemaps, Health Check, JSON Feed, Micropub, Open Graph, Open Search, Purge Transients, Regenerate Thumbnails, Twitter Cards, Webfinger, Webmention, Websub, WP Advent, WP Crontrol and Years Ago Today.

[lostfocus]

So, the way I understand this filter now is that the very moment anyone (plugin, theme) uses wp_get_current_user() any plugin that uses the determine_current_user filter is basically rendered useless? I guess it is not something that can be mitigated in a plugin's code at all. 😒