SafeGuard

Cloud Relay

Automatic relay for migrating WordPress sites behind firewalls, NAT, or Cloudflare.

Overview

When your destination site can't receive direct connections — whether it's behind a firewall, NAT, Cloudflare, or on shared hosting that blocks incoming requests — SafeGuard's cloud relay automatically kicks in. No configuration needed.

The relay ensures migrations work regardless of your destination's network setup, so you never have to worry about port forwarding, firewall rules, or DNS configuration.

How It Works

Inspired by Tailscale's DERP (Designated Encrypted Relay for Packets) protocol, SafeGuard uses a lightweight relay server to bridge connections when direct communication isn't possible.

  1. Direct probe — The source site attempts to reach the destination directly with a 5-second connectivity probe.
  2. Relay registration — If the probe fails, the source registers a relay session at safeguard.verdelic.com.
  3. Data flows through relay — All migration data is routed: Source → Relay → Destination.
  4. Dumb pipe — The relay never decrypts your data. It simply forwards encrypted bytes between the two sites.
  5. End-to-end encryption preserved — SafeLink's ECDH key exchange with ChaCha20/AES-256-GCM encryption is maintained throughout. The relay only sees ciphertext.

When Does It Activate?

The relay activates automatically when:

  • Destination is behind a firewall — Inbound connections are blocked by server or hosting firewall rules.
  • Destination is behind NAT — Home routers, corporate networks, or any environment without a public IP.
  • Destination is behind Cloudflare — Cloudflare's reverse proxy blocks direct POST requests from the source plugin.
  • Shared hosting blocks incoming connections — Many shared hosts restrict inbound traffic to standard HTTP only.

You don't need to configure anything. The relay activates automatically when the destination can't be reached directly. If direct connectivity is available, it's always preferred.

Security

The cloud relay is designed with a zero-trust architecture. Even if the relay server were compromised, your migration data would remain protected.

  • End-to-end encryption — All data is encrypted before it leaves the source site. The relay never sees plaintext.
  • Valid license required — Only active SafeGuard licenses can establish relay sessions, preventing abuse.
  • SSRF protection — The relay validates destination URLs and cannot be used to reach internal services or private networks.
  • Auto-expiring sessions — Relay sessions automatically expire after 1 hour to prevent stale connections.
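
The SSRF check described in the list above, sketched as an added example; it is not SafeGuard's code, and the page does not show how the relay implements its validation. The function names, the allowed schemes, the sample hostnames and their DNS answers are assumptions constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: destinations are WordPress sites
# Constructed DNS answers so the example runs offline (not real records).
SAMPLE_DNS = {"shop.example": ["93.184.216.34"],
              "mixed.example": ["93.184.216.34", "10.0.0.5"],
              "meta.example": ["169.254.169.254"]}

def sample_resolver(host):
    if host not in SAMPLE_DNS:
        raise OSError("no such host")
    return SAMPLE_DNS[host]

def system_resolver(host):
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]  # OS resolver, used outside tests

def is_public(ip_text):
    """True only for globally routable, non-multicast addresses."""
    ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 as 10.0.0.1
    return ip.is_global and not ip.is_multicast

def validate_destination(url, resolver=system_resolver):
    """Return (ok, reason, pinned_ips); fail closed on anything unexpected."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL", []
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    if parts.username or parts.password or not host:
        return False, "bad authority", []
    try:
        candidates = [str(ipaddress.ip_address(host))]  # IP literal: check directly
    except ValueError:
        try:
            candidates = resolver(host)
        except OSError:
            return False, "resolution failed", []
    # One private record among several public ones is enough to reject.
    if not candidates or not all(is_public(ip) for ip in candidates):
        return False, "non-public address", []
    # Connect to these addresses, not to a fresh lookup, so DNS cannot change after the check.
    return True, "ok", candidates
```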

Troubleshooting

  • "Destination unreachable and relay unavailable" — Verify your SafeGuard license is active. The relay requires a valid license to establish a session.
  • Migration seems slower than expected — The relay adds slight latency since data routes through safeguard.verdelic.com instead of traveling directly between sites. This is normal and expected for firewalled destinations.
