Title: Cloudflare
Last modified: September 25, 2017

---

# Cloudflare

 *  Resolved [luxinterior](https://wordpress.org/support/users/luxinterior/)
 * (@luxinterior)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/cloudflare-23/)
 * This isn’t really an issue but I just wanted to mention it. I used cloudflare
   and also wordfence. I just put your plugin on to test it and because I got a 
   free key from you.
 * I’m only seeing my own admin logins and the ip being logged is actually cloudflare’s
   ip and not my own. I’ve coded a few plugins myself and know it’s possible to 
   get the real ip so was wondering why you don’t capture the real ip?
 * Lux

Viewing 8 replies - 1 through 8 (of 8 total)

 *  [SergeM](https://wordpress.org/support/users/serge00/)
 * (@serge00)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/cloudflare-23/#post-9526616)
 * Hello, Lux.
 * Thank you for your suggestion.
 * We will improve our code of the Security plugin to get the real user IP when 
   using CloudFlare.
 * We will inform you when we do it.
 * Your CleanTalk Control Panel: [ [https://cleantalk.org/my/](https://cleantalk.org/my/)].
 * Best regards.
 *  [Safronik](https://wordpress.org/support/users/safronik/)
 * (@safronik)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/cloudflare-23/#post-9527473)
 * Hello,
 * The deal is that headers with IPs can be spoofied (HTTP_X_FORWARDED_FOR) except
   REMOTE_ADDR, so we can not trust it. So we output only guaranteed existing IP.
 * Contact us.
 *  Thread Starter [luxinterior](https://wordpress.org/support/users/luxinterior/)
 * (@luxinterior)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/cloudflare-23/#post-9527510)
 * Why can’t you use the solution presented here…
 * [https://stackoverflow.com/questions/14985518/cloudflare-and-logging-visitor-ip-addresses-via-in-php](https://stackoverflow.com/questions/14985518/cloudflare-and-logging-visitor-ip-addresses-via-in-php)
 * HTTP_CF_CONNECTING_IP and then REMOTE_ADDR to check it’s a valid cloudflare server.
 * Lux
 *  [Safronik](https://wordpress.org/support/users/safronik/)
 * (@safronik)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/cloudflare-23/#post-9527817)
 * Thank you for the interesting link!
 * However, as you can understand from the header’s name HTTP_CF_CONNECTING_IP this
   is a connecting IP (and it’s can be spoofed). We can not be sure that this IP
   isn’t some proxy or vpn IP. One thing is certain – REMOTE_ADDR!
 * We’ll think about the this situation and suggest a solution for you.
 *  Thread Starter [luxinterior](https://wordpress.org/support/users/luxinterior/)
 * (@luxinterior)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/cloudflare-23/#post-9527859)
 * The solution is in the thread I posted. It’s a two step process… grab the real
   ip and then confirm that REMOTE_ADDR is an acctual CF ip. CF publish all their
   IPs so its easy to check.
 * Lux
 *  [SergeM](https://wordpress.org/support/users/serge00/)
 * (@serge00)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/cloudflare-23/#post-9528879)
 * Thank you for the details, Lux.
 * We are working on this task and we will contact you on the results.
 * Please, wait.
 *  [Safronik](https://wordpress.org/support/users/safronik/)
 * (@safronik)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/cloudflare-23/#post-9534440)
 * Hello,
 * It’s isn’t’. And that’s why:
    We cannot trust non-standard headers, it can be
   spoofed. So we need to sure that the REMOTE_ADDR similar to Cloudflare’s IPs.
   If it’s so, we can use HTTP_CF_CONNECTING_IP. So we need to store these Cloudflare’s
   IPs. And these IPs aren’t constant, so we need to periodically renew it.
 * We’re working under the issue.
 *  [Safronik](https://wordpress.org/support/users/safronik/)
 * (@safronik)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/cloudflare-23/#post-9535045)
 * Hello,
 * You can install the updated plugin from here: [https://downloads.wordpress.org/plugin/security-malware-firewall.zip](https://downloads.wordpress.org/plugin/security-malware-firewall.zip)
 * Let us know the results. Mark topic as resolved if everything is fine.

Viewing 8 replies - 1 through 8 (of 8 total)

The topic ‘Cloudflare’ is closed to new replies.

 * ![](https://ps.w.org/security-malware-firewall/assets/icon-256x256.gif?rev=3518712)
 * [Security Plugin, Firewall & Malware Scanner with Auto Removal](https://wordpress.org/plugins/security-malware-firewall/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/security-malware-firewall/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/security-malware-firewall/)
 * [Active Topics](https://wordpress.org/support/plugin/security-malware-firewall/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/security-malware-firewall/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/security-malware-firewall/reviews/)

## Tags

 * [action](https://wordpress.org/support/topic-tag/action/)
 * [IP](https://wordpress.org/support/topic-tag/ip/)
 * [log](https://wordpress.org/support/topic-tag/log/)

 * 8 replies
 * 3 participants
 * Last reply from: [Safronik](https://wordpress.org/support/users/safronik/)
 * Last activity: [8 years, 7 months ago](https://wordpress.org/support/topic/cloudflare-23/#post-9535045)
 * Status: resolved