Hi @sonnycool,
Thank you for reaching out! This is likely related to the firewall optimization (Extended Protection) on your main site. When Extended Protection is enabled, it uses a PHP setting called auto_prepend_file that applies to all PHP requests under that directory, including your subdirectory WordPress installation. Since the firewall wasn’t set up for that second site, it doesn’t recognize its normal activity and can end up blocking things like plugin uploads.
You shouldn’t need to completely remove Wordfence to work around this. There are two approaches depending on whether you want firewall protection on the subdirectory site:
If you want to protect both sites, install Wordfence on your subdirectory WordPress site as well and optimize the firewall there, too. When you do, you’ll see a prompt saying the PHP setting is already in use. Choose the “OVERRIDE” option. That will give the subdirectory site its own firewall context so it handles requests properly instead of relying on the main site’s configuration.
If you don’t need Wordfence on the subdirectory site, you can exclude that directory from the main site’s firewall monitoring instead. There’s a guide on how to do that here: https://www.wordfence.com/help/firewall/optimizing-the-firewall/#how-to-exclude-directories-from-firewall-monitoring-in-extended-protection-mode
Either way, you can also add a wildcard pattern for the subdirectory folder in Wordfence > All Options > Advanced Scan Options > Exclude files from scan that match these wildcard patterns to keep the main site’s scan from including the subdirectory’s files.
Let me know how it goes!
Thanks,
Margaret
