Sudden change of lockout behavior: uses server IP, not the “real” IP
-
Using AIOWP Security 2.5 years – thanks for a great plugin!
Something changed last night in configuration on host or our server which changed security behavior. Starting at about 7 pm PDT, continuing until this moment, we see this change. Staff admins did nothing on our side; behavior started after office hours PDT.Instead of showing the “real” IP for traffic, AIOWP is convinced that traffic is coming from our actual server IP, located in another state. If we look in logs in other plugins on the site (like Simple History), the correct information is being received. However, AIOWP sees this traffic all on the server IP. Since that traffic includes fraudulent logins from bots, which get locked out, all traffic into WP Admin generates a login lockout/locked IP.
We can’t log into an IP (from, say, a cell phone, or wifi point elsewhere) more than once and then it gets redirected to the server IP, which is blocked for 30 minutes or more.
The server has been scanned for malware by Bluehost, twice today, without any red flags.
What could be causing this failure in AIOWP to direct to the correct IP?
Admittedly, we have had problems with Bluehost OWP hosting, and have placed a specific piece of code in our wp-config to help this along, and that has worked for 2 years. Why would it change all of a sudden, without a plugin update? I’ll post details in the next message. Thanks for your thoughts.
The page I need help with: [log in to see the link]
-
What AIOWP says in a login lockout log:
user: abcd ip address: thi.sis.our.ser.verWhat Simple History plugin says happened is:
_server_http_x_forwarded_for_0 = thi.sis.our.ser.ver
_server_http_referer = https://our.website.com/wp-login.php
_server_remote_addr = our.rea.ldd.ressWhat kind of server problem at the host could cause this?
The specific piece of code we added to wp-config.php back 2 years ago is this:
/** INSERTED Sept 2015 per James at Bluehost – Forwards Visitors’ True IP address to WordPress on Optimized Hosting for WordPress */
if($_SERVER[‘HTTP_X_REAL_IP’]){
$_SERVER[‘REMOTE_ADDR’] = $_SERVER[‘HTTP_X_REAL_IP’];
}Um, yah. Interesting times. Any thoughts about what is going on? FYI: Bluehost has blocked access to the Varnish function for our storage and server, saying it’s offline. Could it be something with the server issue we’re having? Should I be looking to delete this hack of code from because perhaps it’s not necessary anymore? (who knows what’s going on in behind the curtain at Bluehost with our OWPH servers).
Hi,
Yeah the question of how to get a client’s “real” IP is not easy to answer because of the spoofable nature of such a thing like an IP address.
As a matter of fact I think I will change our helper function which tries to obtain the IP address because it currently checks for the following $_SERVER variables in the order listed and returns the first valid address:
‘HTTP_CF_CONNECTING_IP’, ‘HTTP_CLIENT_IP’, ‘HTTP_X_FORWARDED_FOR’, ‘HTTP_X_FORWARDED’, ‘HTTP_X_CLUSTER_CLIENT_IP’, ‘HTTP_FORWARDED_FOR’, ‘HTTP_FORWARDED’, ‘REMOTE_ADDR’But the problem with this is that the “HTTP_” variables can be more easily spoofed and “REMOTE_ADDR” is probably most reliable.
Also even if the various “HTTP_” variables are not spoofed, in some cases some may simply be populated with internal network IP addresses.
Having said that REMOTE_ADDR will not be accurate for visitors coming behind a proxy but that might be a small inconvenience considering the points made above.So I’m not sure why you are seeing a sudden change in the IP address values returned but if you are so inclined you could play around and modify our “get_user_ip_address” function. (just ensure to make a copy of the original file in case you need to restore it)
Hi @wpsolutions – I heard back from our hosting service. This is what they say… I wonder what they mean by “dual proxy” arrangement? I find it surprising that your well-regarded plugin can’t work with Bluehost OWPH service, since it seems like that someone else would have mentioned it before.
“Looking into this it appears that the reason why the plugin is only picking up the servers IP is because of the proxied webserver setup unique to our OWHP platform, while I apologize for any inconvenience this may cause, this is not something that can be changed by the package. If you wish to view your traffic statistics you should be able to see them by using awstats in your cpanel. Alternatively you could contact the developer of that plugin to see if there is anyway to configure it to work with a dual webserver proxy setup. “
@wpsolutions: I tried what you suggested, by looking to edit the order of the “get_user_ip_address” function. I put remote_addr ahead of _http_x_forwarded_for in the order, and the IPs worked correctly (I was able to log in, and AIOWP posted the correct IP address for my User Login log entry, matching what Simple History shows.)
If I wait for an hour or so, i should see another bot failed login on this site which might give us more data to see if that traffic handled correctly as well.
Do you have advice about whether this is a stable hack? Thanks for your advice.
— UPDATED 5:10pm pdt —- IP logging is working correctly for bot logins as well. Look forward to your advice on this subject. Thanks much!
- The topic ‘Sudden change of lockout behavior: uses server IP, not the “real” IP’ is closed to new replies.
