Many websites these days live behind reverse proxies, servers that sit between them and the end user. There are many benefits to this kind of setup. It allows the intermediary to implement security measures, act as a Content Distribution Network (CDN), optimize HTML, and generally speed up a website. Services such as CloudFlare and Google’s PageSpeed Service are examples of reverse proxies. However, a drawback of this setup is that your site never sees the actual IP addresses of the end users; it only sees the addresses of the reverse proxy. This means that if you have plug-ins like “Bad Behavior” installed, everyone could end up locked out of your site once the reverse proxy’s own address gets blocked. It also prevents you from analysing your visitors (finding out their geographical locations, for example), since you never see their real IPs. With a few configuration tweaks, we can solve this problem. Here’s how to extract the visitor’s real IP address when your site sits behind a reverse proxy.
Server Detection and WordPress Detection
There are two places where the originating IP address can be detected: on the server side and at the application level. The technique I’m going to demonstrate extracts the correct IP address of the original visitor and supplies it to the application, not to the server. So, for example, if you’re using Google’s PageSpeed Service like I am and you check your server logs, you will see everything originating from Google’s IPs, as shown in the screenshot below.
In order to get the server itself to recognize the original IP address, you have to ensure that certain server modules are available, but if you’re using a shared hosting service (like most of us are), you have no control over that aspect of your server environment. So I’m only going to demonstrate how to obtain the original IP address at the application level, that is, from within WordPress itself.
Open up your site using FTP and download your wp-config.php file. Open it in a text-based editor like Notepad++ and insert the following code near the very top.
if ( isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) { // only when a proxy set the header
    $forwarded_address = explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] );
    $_SERVER['REMOTE_ADDR'] = trim( $forwarded_address[0] ); // first entry is the original client
}
When a reverse proxy forwards a request to your site, it sets the X-Forwarded-For header. What this little snippet of code does is test whether that header is set and, if it is, split it into an array with PHP’s “explode” function and set the “REMOTE_ADDR” server variable to the first item of that array. This effectively replaces the address the server saw (the reverse proxy’s own) with the address that was sent to us in the X-Forwarded-For field, which is the visitor’s.
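Because any client can send an X-Forwarded-For header itself, the snippet above should only be trusted when the request really arrived from your proxy; the following added example (not code from the original post) does that check, walking the header from the right past known proxy ranges and validating each entry before it replaces REMOTE_ADDR. The CIDR list is a constructed placeholder and the function names are my own; drop it in where the snippet above goes.

```php
<?php
// Added example, not code from the original post. Trust X-Forwarded-For only when
// the request really came from the reverse proxy; otherwise any visitor can put a
// fake address in the header. The CIDR list is a constructed placeholder.
$trusted_proxies = array( '203.0.113.0/24', '2001:db8::/32' );
// True when $ip lies inside $cidr (IPv4 or IPv6, compared via inet_pton).
function ip_in_cidr( $ip, $cidr ) {
    list( $net, $bits ) = explode( '/', $cidr );
    $a = inet_pton( $ip );
    $b = inet_pton( $net );
    if ( $a === false || $b === false || strlen( $a ) !== strlen( $b ) ) {
        return false; // not an IP, or mixing IPv4 with IPv6
    }
    $full = intdiv( (int) $bits, 8 ); // whole bytes to compare
    $rem  = (int) $bits % 8;          // leftover bits in the next byte
    if ( substr( $a, 0, $full ) !== substr( $b, 0, $full ) ) {
        return false;
    }
    $mask = $rem ? ( 0xFF << ( 8 - $rem ) ) & 0xFF : 0;
    return ( ord( $a[ $full ] ?? "\0" ) & $mask ) === ( ord( $b[ $full ] ?? "\0" ) & $mask );
}
function is_trusted_proxy( $ip, array $trusted ) {
    foreach ( $trusted as $cidr ) {
        if ( ip_in_cidr( $ip, $cidr ) ) return true;
    }
    return false;
}
// Walks X-Forwarded-For from the right, skipping trusted proxies, and returns the
// first untrusted hop. Falls back to REMOTE_ADDR when the header is missing, holds
// a non-IP value, or the request did not arrive through a trusted proxy.
function real_client_ip( array $server, array $trusted ) {
    $remote = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';
    if ( empty( $server['HTTP_X_FORWARDED_FOR'] ) || ! is_trusted_proxy( $remote, $trusted ) ) {
        return $remote;
    }
    $hops = array_map( 'trim', explode( ',', $server['HTTP_X_FORWARDED_FOR'] ) );
    for ( $i = count( $hops ) - 1; $i >= 0; $i-- ) {
        if ( filter_var( $hops[ $i ], FILTER_VALIDATE_IP ) === false ) {
            return $remote; // malformed entry: distrust the whole header
        }
        if ( ! is_trusted_proxy( $hops[ $i ], $trusted ) ) {
            return $hops[ $i ];
        }
    }
    return $remote; // every hop was a proxy; nothing better than REMOTE_ADDR
}
$_SERVER['REMOTE_ADDR'] = real_client_ip( $_SERVER, $trusted_proxies );
```

With a request arriving from 203.0.113.7 carrying "X-Forwarded-For: 198.51.100.9, 203.0.113.5", this yields 198.51.100.9; the same header on a request that did not come from the listed ranges leaves REMOTE_ADDR untouched.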
Using a Plugin
Another option is to download the Real IP plugin, which will do the job for you. Unfortunately, it hasn’t been updated for quite a long time and appears to have been abandoned by its author, so we don’t know whether it will break in the future if something changes. Moreover, when a simple tweak like a small modification to the wp-config.php file can do the job, why take on the extra hassle of managing an additional plug-in? Use the plugin only if you do not have access to your WordPress files or are simply uncomfortable making code changes.
This modification now allows plug-ins within WordPress, like Bad Behavior, to accurately obtain the real IP address of the originating client, as seen in the screenshot below.
They can now work their magic by blacklisting the correct IPs if necessary without locking everyone out of your blog!