Plugins such as Wordfence and Defender Pro include a web application firewall (WAF) that is known to cause multiple issues when running a push migration. These plugins can rate-limit or block requests from WP Migrate, resulting in failed migrations. Problems caused by firewalls include:
- cURL timeouts
500 Internal Servererrors
- Slower migrations
How Firewalls Work
Firewall plugins protect the WordPress web application and anything else installed in WordPress subdirectories. Many firewalls do this by including a directive in the .htaccess file called ‘auto_prepend_file’. This directive points to the firewall code and ensures that the firewall runs before anything else. Each request first runs through the firewall which determines if it should be allowed or blocked. As a result, when WP Migrate sends push requests from a remote site, those requests can be blocked by the firewall, resulting in a failed migration.
During push and pull migrations, WP Migrate generates a large number of requests containing the site files that are being migrated. If there are rate limits in place, a cURL timeout may occur. WP Migrate will attempt to retry the file transfer. While the migration may still succeed, it will take longer to complete.
Recommendations for Sites Running Firewall Plugins
The best way to migrate to a site running a firewall is to avoid the firewall altogether. The following recommendations will improve the chances of success when a firewall plugin is present.
Pull Instead of Push
The easiest solution for migrating to a site with an active firewall plugin is to pull into the destination site. The firewall will not block outgoing pull requests from the destination site to the source site. For this method to work, the source site must be publicly accessible, which means pulling from a local site is not an option. Please refer to one of the other methods when migrating from a local site.
Disable the Plugin
Another way to ensure that a firewall plugin does not block requests from WP Migrate is to temporarily disable the plugin on the destination site that is receiving the push requests. Just remember to reactivate the plugin once the migration is complete.
Add to the IP Address Allowlist
Many firewall plugins include an IP address allowlist so that specific IPs can access the destination website without being blocked by the firewall. Be aware that if the source hosting provider does not provide a static IP option, then the IP address used on the outbound request could change during the migration, and the new IP would not be in the allowlist.
Wordfence documentation mentions a few caveats related to IP allowlists:
Your broadband IP address is not a permanent IP address because it is dynamically assigned and will change after several weeks or months, or sometimes over a shorter period. So we do not recommend that you add your home Internet connection’s IP address if you are using ADSL or cable modem to the IP allowlist because your IP will inevitably change after a time, making this addition ineffective and potentially causing whoever is assigned the IP address after you lose it to have unlimited access to your website. Only use this feature if you are sure you have a permanent IP address. Most people do not.