• Resolved hansaplasts

    (@hansaplasts)


    Hi,

    I try to login to wp-admin but the page says

    Database Update Required…

    Is this normal behavior? I would expect that only after login these tasks may be executed. Else anyone can update my DB without me knowing or making a backup beforehand.

    I’m not updating for now because I cannot verify this is legit. Maybe someone knows?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Perhaps your previous session is being remembered by the site? Unless you specifically logged out, you may actually still be logged in.

    Thread Starter hansaplasts

    (@hansaplasts)

    Just cleared the browser cache and history. Closed IE.
    Then reopened IE and went to wp-admin. Same result.

    See: https://i.imgur.com/5pcCuwX.png

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.remarpro.com Admin

    This is normal behavior after an upgrade. The database upgrade is a single button press and fully automated. There is no user input to be performed here, and so it is not a security issue.

    If you do the upgrade using the one-click process in WordPress, then you usually do not see this screen because WordPress performs the database upgrade in the same one-click step.

    You will see this button when you perform a manual update of the WordPress files, because WordPress has not run the upgrade routines yet. All you have to do is to click the button and let it work. It only takes a few seconds, usually.

    Thread Starter hansaplasts

    (@hansaplasts)

    > There is no user input to be performed here, and so it is not a security issue.

    > You will see this button when you perform a manual update of the WordPress files

    1) I have not done a manual update. I’m doing it automatically.
    define( 'WP_AUTO_UPDATE_CORE', true );
    2) It’s a good thing database updates aren’t updated automatically.
    It gives the admin an opportunity to back up beforehand.
    3) It’s not a security issue? If anyone can execute the DB update without the admin knowing. There is a chance that it may fail. Leaving the DB in an inconsistent state. This may be exploited by an attacker to get access either to data or unprotected areas of the site due to the inconsistent DB. I’m not a security expert, but I’d rather be wrong on this… Am I?

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.remarpro.com Admin

    > There is a chance that it may fail.

    This depends on the nature of the update.

    For 4.4, the database upgrade consists of:

    ALTER TABLE wp_options MODIFY option_name VARCHAR(191)

    That’s pretty much it. One statement. Success or fail. Just resizing the option_name column from the previous limit of 64 characters.

    The 4.4 upgrade process also removes the add_users capability from roles which have it, which is mainly cleanup since that capability is not actually used anymore. Doesn’t matter if the cap is there or not, realistically.

    As for “consistency”, the WordPress tables are not relational. Not really. They do interconnect somewhat, but those connections are not strongly enforced. Consistency is not much of an issue.

    Thread Starter hansaplasts

    (@hansaplasts)

    IMHO it looked very suspicious since I wasn’t logged in as admin.
    Thanks for clearing it up.

  • The topic ‘Database upgrade without login’ is closed to new replies.