Every IP detected in Live traffic is the same

I think I am having a very similar issue. An IP address is showing up as my IP, but it isn’t my IP.

This IP shows up as blocked almost 50 times in my dashboard, so I manually blocked it, believing it was an attempt at a hack. Today I sign in and I got a IP lock out message and that I needed to submit my email address to get an unlock email to access my site. The IP address that I blocked was a 74.xxxxxx. My IP address starts with a 1, so I know something strange is going on. It must be a glitch on Wordfence’s end.

My website is https://naughtyandnicelingerie.com

@naughtyandnicelinerie I was tempted to block it as well but didn’t coz I thought I’d get locked out as well.

Hi!
Can you please check on the Wordfence “All Options” page at the top in the section “General Wordfence Options” under “How does Wordfence get IPs” whether “Your IP with this setting:” matches the IP you’re currently using? That will tell you if the Wordfence option “How does Wordfence get IPs” is configured correctly or not.

Thank you for the reply wfasa. I checked the page and the setting is on the recommended first choice of let word fence use the most secure method…., but it detected the wrong IP, with the 74 number, when my IP starts with a 1. You can message me directly at [email protected] if you can. I’d appreciate fixing this issue, since it also detected I attempted bad / failed signin attempts with this IP, when that hasn’t happened.

Hi again!
We provide support for our free version of the plugin here in the www.ads-software.com forums. If you have premium you’re welcome to send in a ticket via support.wordfence.com.

If the incorrect IP is detected it means either
1. Wordfence isn’t able to detect which method to use to get IPs correctly or
2. Your server configuration doesn’t provide a means of detecting IPs correctly

You can find that out by looking at the IPs section on the Wordfence Tools > Diagnostics page. Are you able to see your actual IP in any of the fields there? If so, which one?

P.S. The logins likely did happen, but they were logged with an incorrect IP since your site currently isn’t able to detect IPs correctly.

Thanks @wfasa for responding.
I also checked the page and the setting is on the recommended first choice of let wordfence use the most secure method…., but it detected the wrong IP.

Tools > Diagnostics page. Are you able to see your actual IP in any of the fields there? If so, which one?

I can see my correct IP at REMOTE_ADDR
The one that is being logged for everyone is at X-Real-IP with a tick and ‘in use’.

Hi @mross55,
Okay, it sounds like there may be multiple proxies involved in your server infrastructure, and they’re not all behaving the exact same way. A proxy is a server that forwards traffic to your site and if that proxy doesn’t forward the visitors IP correctly, strange things can happen. (In this case, the strange thing is that Wordfence seems incapable of determining which method to best use to get visitor IPs).

I would recommend you change the “How does Wordfence get IPs ” option to REMOTE_ADDR ( Use PHP’s built in REMOTE_ADDR and don’t use anything else. Very secure if this is compatible with your site.) and see if that fixes the issue for now.

If you keep having trouble after that, you need to start digging in to why different visits to your site come with different http headers. Your host should be able to help you figure that out. If you contact your host about it you can tell them

“The Wordfence plugin for WordPress needs to be able to detect client IPs in order to function properly. It fetches client IPs from http headers, either REMOTE_ADDR, X-Forwarded-For, X-Real-IP or CF-Connecting-IP depending on which one is provided with the request. It seems like this is behaving inconsistently on my site so that some requests have the client IP in one header and other requests have the client IP in another. Can you help me figure out why that’s the case?”

Thank you @wfasa I’ll get onto it and provide an answer here in case it happens to anyone else. ??

Update:
When I changed the options to “Use PHP’s built in REMOTE_ADDR and don’t use anything else. Very secure if this is compatible with your site” I received an error message.

I sent the request through to the host who added in wp-config.php –
define(‘WORDFENCE_DISABLE_MISCONFIGURED_HOWGETIPS’, true);

as per your documentation at https://docs.wordfence.com/en/Wordfence_constants_for_advanced_configuration.html

Hi @mross55,

Thanks for the update. Do IPs show up correctly now in “How does Wordfence get IPs” in “General Options” and on the Wordfence Tools > Live Traffic page?

Hi @mross55,

We haven’t heard back from you in a while, so I’ve gone ahead and marked this thread as resolved.

Please feel free to open another thread if you’re still having issues with Wordfence.

Thanks!