How 2 disconnect cloned site from Wordfence Central

Hi @josklever, thanks for your query.

I think that Site B as a ‘clone’ is reporting back as Site A because the Site A’s domain will still be set as admin_url in /wp-json/wordfence/v1/authenticate.

If you alter Site B’s domain here, it should then stop reporting back as Site A to Central and Site B can either be left disconnected or added to Central as its own site as you see fit.

Thanks,

Peter.

Hi Peter,

Thanks for your reply. That might indeed be the case, but what if site B is not under my control? The clone is created by a third party developer on it’s own server.

It’s also not quite clear how I could the setting even if I did have access to the site. Can you please give me the steps to take?

In the end I think some check needs to be added in the code of Wordfence.

Thanks
Jos

Hi @josklever,

I’ve had a word with my colleagues working on Wordfence Central. The best way to remedy this setting is to contact the third-party developers and instruct them to log in to Site B as an administrator and select Wordfence > Dashboard, then click “Disconnect This Site” under “Wordfence Central Status”.

Thanks again,

Peter.

That’s not gonna work, like I described in my original post, because it removes site A from Central and that’s not what we want.

Hi @josklever,

I have spoken to the Central team again, and they think that disconnecting one (or both) of the sites using the method we described above, then connecting Site A freshly again should keep Site B disconnected rather than recreate the same problem.

The reason we’re currently not treating the different domains as separate sites in this case is that some sites have multiple domains pointing to a single WordPress installation, and that’s how this is seeing the clone with no further action taken.

The disconnection and re-connection process should help Wordfence Central see these as the separate sites that they are.

Thanks again,

Peter.

Hi Peter,

I know that workaround, but I hope Wordfence can create a more reliable solution, so we don’t have to search for copies of the site, ask the developer to disconnect the copy, so I can disconnect and reconnect the correct site again. It’s too much work and in fact a security issue.

Not only I receive notifications from site B that I try to solve on site A, because I don’t know they are coming from site B. If the developer disconnects site B without telling me, site A is removed from Central without any notification to me. So I keep thinking that all my sites are in Central, while some may have disappeared and I can’t monitor the security anymore.

So I’m not looking for a workaround I already know. I’m looking for a solution.

Thanks,
Jos

Hi again @josklever, I have sought some more information for you around this.

In short, there isn’t currently a way that will “just work” without intervention of some kind. However, there is a way that your developer can disconnect Site B without telling Wordfence Central, therefore not disconnecting Site A in the process.

After cloning a site, your developer could run the following query as part of their checklist:

DELETE FROM wp_wfConfig WHERE name LIKE 'wordfenceCentral%'

The reason Wordfence Central can’t use the domain alone to determine if the site is different is because some of our customers’ sites are configured to serve multiple domains from a single WordPress installation. We may be able to develop a solution/option at our end in future so that a cloned site can be forced to specify that it does not serve multiple domains. However, with all development requests, we can ensure they are discussed and scheduled, but cannot commit to a confirmed release date at this stage.

Thanks,

Peter.

This might a solution in some cases, but only if I know that the site has been cloned and by who. I’m managing many sites for clients, so I don’t always have the ability to contact these developers directly and their technical skills might also differ.

And if such a developer deactivates the Wordfence Central connection, I don’t get notified.

I understand that there is no solution at this moment, but I hope these issues will be addressed in the near future. If the team wants to discuss this any further, please let me know.