WordFence gets my IP wrong

Hey @modernnovel,

How are you currently detecting your IP? Can you please try adjusting your How does Wordfence get IPs in Wordfence > All Options > General Wordfence Options to see if it helps?

https://www.wordfence.com/help/dashboard/options/#get-ips

Thanks,

Gerroald

If I change to Use PHP’s built in REMOTE_ADDR, there is no difference
If I change to Use the X-Forwarded-For HTTP header, the Detected IPs now include mine as well as his but the Your IP with this setting only includes his
If I change to Use the X-Real-IP HTTP header, there is no difference
If I change to Use the Cloudflare “CF-Connecting-IP” HTTP header to get a visitor IP (I have Cloudfare on my site), there is no difference.

I am not sure what you mean by How are you currently detecting your IP? Do you mean how do I know what my own IP is? Google tells me, if I enter IP in the search box and there are various websites/apps that will do it. They all agree as to what my correct IP is and they all agree that his is a place about 4625 miles from me.

Following up from my previous post, WordFence now has, in both the Detected IP(s) and Your IP with this setting sections another IP but still not mine but one albeit a different one, used by the hacker. Why?

This is getting worse. It keeps switching the IP it thinks is my IP, though always selecting one of the hackers’ IPs, never mine, with the result that having blocked an IP, this suddenly becomes what WordFence erroneously thinks is my IP and locks me out. This really is a buggy product

Hey @modernnovel,

Can you please email me your Diagnostics report so I can get a better view of your environment? From the WordPress Dashboard navigate to Wordfence > Tools > Diagnostics then click SEND REPORT BY EMAIL to send it to [email protected]. Please also add your www.ads-software.com username and update this post so we’ll know what it’s in reference to.

Thanks,

Gerroald

It is now three days since I first raised this. WordFence now changes what it thinks (erroneously`) is my IP every few hours. It is never my IP, always one of the of the several IPs used by the hacker. What is going on?

Hey @modernnovel,

My apologies, I didn’t realize you had sent the Diagnostic report.

The IP ending in 85 is yours. The one ending in 116 is your CLoudflare IP. I see the X-Forwarded-For option is showing both IPs. You’ll want to use this option and add the Clouflare IP ending in 116 to the Trusted Proxies option, and remove yours from the option. Please give this a try and let me know if it helps.

You can use a site like https://whois.domaintools.com to track the IPs.

Please give this a try and let me know how it goes.

Thanks,

Gerroald

As I pointed out in other posts, the one ending in 116 is one of around a dozen different ones presumably coming from Cloudfare. WordFence changes which one it thinks is the chosen one every couple of hours or so, so while 116 may have been relevant in the diagnostic report I sent you, it is currently 238 and has been, today, 110, 24 and probably others. Do I put all of them in the Trusted Proxies?

Hey @modernnovel,

I can’t speak of the other IPs that I haven’t seen. This one is clearly from Cloudflare. I’d suggest engaging with their support about the other IPs and the proper configuration. But the idea is to identify and grab your IP. Then if you have a reverse-proxy to add these IPs to the Trusted Proxies. Cloudflare can let you know what these are.

Please let me know how it goes.

Thanks,

Gerroald

The others are all definitely from Cloudfare – all have the same initial digits and I have checked them in WhoIs. I have tried to discuss this matter with Cloudfare and they have been spectacularly less than helpful.

Hey @modernnovel,

If you’re certain they’re Cloudflare, then it’s okay to add them to the Trusted Proxies. This should resolve your issue. If it doesn’t, please let me know.

I did find this list of Cloudflare ranges, but I can’t be certain how up to date it is.

https://www.cloudflare.com/ips/

Thanks,

Gerroald