• Resolved allm

    (@realblueorange)


    For security reasons I have access to wp-admin disabled thru the use of a htaccess file. This works fine.

    I have noticed that after the automatic update from 3.8.2 to 3.8.3 trying to log in again resulted in a message that first I needed to perform a database update. It seems to me that securing the wp-admin resulted in this.

    The same thing happened when upgrading to WP 3.9. After the upgrade the system asks to perform a database update.

    If I disable the securing of wp-admin before upgrading WP the question about the database update does not appear. In that case it seems to function all by itself.

    Obviously I do want to update the database if that is necessary. Especially with the upcoming automatic updates to 3.9.1, 3.9.2 and so on I want to know what I can do about this.

    Is there a file I need to grant access to in wp-admin, so this runs smoothly? What is going on?

    Is there someone who knows about the internals regarding this?

Viewing 10 replies - 1 through 10 (of 10 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    For security reasons I have access to wp-admin disabled thru the use of a htaccess file. This works fine.

    So far so good.

    I have noticed that after the automatic update from 3.8.2 to 3.8.3 trying to log in again resulted in a message that first I needed to perform a database update. It seems to me that securing the wp-admin resulted in this.

    It shouldn’t. How did you secure wp-admin?

    Is there a file I need to grant access to in wp-admin, so this runs smoothly? What is going on?

    Huh. Do you mind sharing how you secured wp-admin? If what you’ve done can be reproduced by others then maybe an exception can be made for the file that needs to be permitted into wp-admin. I suspect the file lives in wp-includes but I haven’t really taken a look myself (yet).

    Thread Starter allm

    (@realblueorange)

    @jan
    Thanks for looking into this. I have a .htaccess in wp-admin and a big one in the root. Now that I have a look at it, there might be some stuff in there too. Could I mail you directly about the content of that? And when we find out what is going on we can post the result here. Is that OK with you? Or can you mail me at the address that is in my account?

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Could I mail you directly about the content of that?

    I’m sorry but support is not offered that way here, only via the forums not email.

    If you don’t want to share that .htaccess file here I fully understand.

    Try this: check your access and error log files for any lines that may pop up when that message appears. That may help you identify where the problem is. Also consider consolidating that wp-admin into the root copy. It may make it easier to troubleshoot.

    Thread Starter allm

    (@realblueorange)

    @jan
    OK, I understand.
    I can look into my .htaccess and see if there is something there, but…

    I find it strange that the WP update process asks to update the database while there is no real need for it after an automatic update (3.8.2 to 3.8.3). It might be an idea to put this in trac, as this sounds like a bug to me.

    Do you (or someone else) know what files are involved?

    If I know what is going on during manual and automatic updates I can have a look at my htaccess and fix things for future updates (or put it in trac, with some more info added to it). Or is this somewhere in the codex? My last resort would be to have a look at the core files myself, but maybe someone can point me in the right direction?

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    I find it strange that the WP update process asks to update the database while there is no real need for it after an automatic update (3.8.2 to 3.8.3). It might be an idea to put this in trac, as this sounds like a bug to me.

    It is not a bug, and yes, your “securing” of the directory is causing it to be unable to perform the upgrade automatically.

    A WordPress upgrade takes several steps, most of which are boring safety things that don’t apply to your problem. The last step is to upgrade the database.

    However, the code to perform that database upgrade is in the just-upgraded files themselves. Because WordPress is already running, it needs to run a “fresh” instance of itself to ensure that it hits all the new code, and none of the old code that is already currently loaded into memory.

    So, it makes an HTTP call back to itself to hit the new upgrade file. In so doing, a fresh process is created on the server, using all the new WordPress files which have just been previously updated.

    Your “security” settings are blocking that HTTP call. So the upgrade does not get performed, so you get the prompt to do it on your next hit.

    Now, there is no danger here, the upgrade process is exactly the same whether it happens automatically or if you have to click the button. It’s really just a matter of whether you want that button hit to show up or not.

    Note that “securing” the wp-admin directory will also cause lots of other issues, some with plugins. Things like the admin-ajax.php and admin-post.php are in the wp-admin directory, and plugins can access those files for various purposes, even from the front-end of the site. So using a block-the-whole-directory approach isn’t the most compatible thing in the world to do anyway.

    Thread Starter allm

    (@realblueorange)

    @otto
    Thanks a lot for your extensive explanation. Really appreciate the time and effort. This makes things a lot clearer.

    Is there a certain file I could exclude in my wp-admin htaccess so the new HTTP call is not blocked, resulting in an update that works as intended?

    BTW I am aware of certain issues when “securing” wp-admin. That is why I have some access-exceptions.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    Allow access to the wp-admin/upgrade.php file.
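
The exceptions named in the replies above, written out as a wp-admin/.htaccess. This is an added example, not part of the original thread and not the thread starter's actual file (which was never posted). It assumes Apache 2.4 and an IP allow-list as the blocking method; all addresses are documentation placeholders.

```apache
# wp-admin/.htaccess  (Apache 2.4 authorization syntax)
# Assumed placeholders, not values from the thread:
#   203.0.113.10   the administrator's address
#   198.51.100.20  the web server's own public address

# --- Before: one rule for the whole directory -------------------------
# Require ip 203.0.113.10
# This also rejects the HTTP request WordPress makes to itself after an
# update, so the database upgrade is left for the next admin login.

# --- After: same default, plus per-file exceptions --------------------

# Default for everything in wp-admin: administrator only.
Require ip 203.0.113.10

# Database upgrade endpoint. The post-update call originates from the
# server itself, so it arrives from loopback or from the server's own
# public address, depending on how the site hostname resolves locally.
# The administrator stays listed so the manual upgrade button still works.
# With the default "AuthMerging Off", this Require replaces the
# directory-level one for this file only.
<Files "upgrade.php">
    Require ip 203.0.113.10 127.0.0.1 ::1 198.51.100.20
</Files>
# Simpler alternative if the server's own address is unknown or changes:
# put "Require all granted" in the block above instead.

# Endpoints that plugins call from the public front end of the site;
# these must be reachable by every visitor.
<FilesMatch "^admin-(ajax|post)\.php$">
    Require all granted
</FilesMatch>
```

The file only takes effect if the server configuration permits it (`AllowOverride AuthConfig` or broader for this directory). After an update, the access log shows which source address the self-request actually used, which confirms whether the `upgrade.php` list is correct.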

    Thread Starter allm

    (@realblueorange)

    @otto
    Thank you.

    Another question: If I understand you correctly you would advise not to “secure” the wp-admin directory with a separate htaccess at all?

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    Yes and no. I would not actually advise against it, certainly.

    But I don’t necessarily think it helps in any real way to block access there. It doesn’t hurt anything as long as you allow the proper exceptions through, but it’s designed to be secure as-is. Running any file in there directly without proper credentials passed in will simply get you a white screen and no changes.

    The wp-admin directory is no more special than the wp-includes directory. Securing it with http security doesn’t add any actual security, it’s just an extra layer. And too many layers of security can lead to worse security in some situations.

    Thread Starter allm

    (@realblueorange)

    @otto

    Thanks for your explanation. I’ll think it over again.

    I’ll set this thread to resolved.
    Have a good weekend!

  • The topic ‘WordPress updates / database update’ is closed to new replies.