This is the sequel to the past discussion below.
https://newcom.mainwp.com/t/when-this-plugin-was-activated-wordpress-was-updated-unintentionally-without-confirmation/7989
Last time we couldn’t identify the cause. After that I found the conditions to reproduce the problem, so I did some investigation and figured out how this happens.
Conditions:
- WordPress auto-update of the child site is disabled by
define('WP_AUTO_UPDATE_CORE', false);inwp-config.php. /wp-admin/admin-ajax.phpis blocked in the nginx configuration of the child site.
Observation:
When the child site is added to MainWP Dashboard under these conditions, MainWP sends a POST request to /wp-admin/admin-ajax.php of the child site, but the request is blocked by nginx. I found that MainWP sends the identical request again to the site (home) URL of the child site right after that, and wp_maybe_auto_update() function is to be executed because wp_doing_ajax() returns false near the end of /wp-includes/update.php.
Thus I guess that preventing or reverting add_action( 'wp_maybe_auto_update', 'wp_maybe_auto_update' ); at the second request is necessary somewhere in the site registration processes of MainWP.
This is the backtrace of PHP functions until wp_maybe_auto_update is executed.
[14-Mar-2024 10:39:42 UTC] /var/www/wordpress/wp-includes/class-wp-hook.php: line 309
[14-Mar-2024 10:39:42 UTC] /var/www/wordpress/wp-includes/class-wp-hook.php: line 333
[14-Mar-2024 10:39:42 UTC] /var/www/wordpress/wp-includes/plugin.php: line 476
[14-Mar-2024 10:39:42 UTC] /var/www/wordpress/wp-includes/update.php: line 254
[14-Mar-2024 10:39:42 UTC] /var/www/wordpress/wp-content/plugins/mainwp-child/class/class-mainwp-system.php: line 89
[14-Mar-2024 10:39:42 UTC] /var/www/wordpress/wp-content/plugins/mainwp-child/class/class-mainwp-child-stats.php: line 535
[14-Mar-2024 10:39:42 UTC] /var/www/wordpress/wp-content/plugins/mainwp-child/class/class-mainwp-child-stats.php: line 223
[14-Mar-2024 10:39:42 UTC] /var/www/wordpress/wp-content/plugins/mainwp-child/class/class-mainwp-connect.php: line 138
[14-Mar-2024 10:39:42 UTC] /var/www/wordpress/wp-content/plugins/mainwp-child/class/class-mainwp-child.php: line 312
[14-Mar-2024 10:39:42 UTC] /var/www/wordpress/wp-includes/class-wp-hook.php: line 309
[14-Mar-2024 10:39:42 UTC] /var/www/wordpress/wp-includes/class-wp-hook.php: line 333
[14-Mar-2024 10:39:42 UTC] /var/www/wordpress/wp-includes/plugin.php: line 476
[14-Mar-2024 10:39:42 UTC] /var/www/wordpress/wp-settings.php: line 598
[14-Mar-2024 10:39:42 UTC] /var/www/wordpress/wp-config.php: line 123
[14-Mar-2024 10:39:42 UTC] /var/www/wordpress/wp-load.php: line 50
[14-Mar-2024 10:39:42 UTC] /var/www/wordpress/wp-blog-header.php: line 13
[14-Mar-2024 10:39:42 UTC] /var/www/wordpress/index.php: line 17
If my explanation is too brief or unclear, please let me know. I’ll be happy to add more details.