This seems to be related to a change in version 6.2.8 which altered the way that Wordfence parses the X-Forwarded-For header.
If the header contains multiple IP addresses, Wordfence will show the last IP address in the array as the client address – which, in most cases, is the IP address of a CDN or Reverse Proxy and not the actual client.
