Limit Login Attempts Reloaded support forum: Handling IP addresses with CDN

tedmsuperstar (topic marked Resolved):

    I’ve installed the plugin on a site that’s behind a CDN. The CDN is passing an X-Forwarded-For header, and I see that there is code to handle that in the plugin as an option. However, it’s not working correctly; it’s blocking attempts from the CDN, i.e., for all users, during a lockout. Is handling of CDNs/proxies via X-Forwarded-For implemented? In stepping through the code I don’t see how the option gets activated (it does look like the header is read when the login happens).

tedmsuperstar:

    Update: I added some logging to the plugin, and I think I found a bug in the Limit Login Attempts Reloaded plugin code.

    The function get_address() does a sanity check on the X-Forwarded-For header, verifying that it’s a valid IP address, like this:


    However, the spec for that header is that it can be a comma-separated list, indicating the proxies the request has passed through. This comma-separated format will not pass the FILTER_VALIDATE_IP test. My CDN (Fastly) adds the header in the comma-separated format, so the address blacklisted ends up being the address of the CDN.

WPChef (Plugin Author):


    Hello tedmsuperstar,

    We have uploaded a new version of the plugin.

    The plugin doesn’t trust any IP addresses other than $_SERVER["REMOTE_ADDR"] anymore. Trusting other IP origins makes protection useless because they can be easily faked. This new version provides a way of secure IP unlocking for those sites that use a reverse proxy coupled with misconfigured servers that populate $_SERVER["REMOTE_ADDR"] with wrong IPs, which leads to mass blocking of users.

    Please try it out.

tedmsuperstar:

    Sweet! I’ll take a look. I just finished writing an extension of your plugin that does the same thing, but I’d rather use the core plugin as-is if it works for me. Thanks for getting back to me.

WPChef (Plugin Author):


    You are welcome tedmsuperstar!

tedmsuperstar:

    Hi again,

    I tried this out today. I’m seeing that $_SERVER["REMOTE_ADDR"] is a comma-separated list, like this:

    The first is my actual IP address, and the second is the address of the CDN node. This means that by clearing cookies, a user can try several times for each CDN node. My lockout log looks like this:

    May 01, 2019 17:43, fred (1 lockouts)
    May 01, 2019 17:41, fred (1 lockouts)
    May 01, 2019 17:40, fred (1 lockouts)
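The following is an added example and is not code from the Limit Login Attempts Reloaded plugin or from anyone in this thread. It shows the two things the thread circles around: first, that PHP's FILTER_VALIDATE_IP rejects a comma-separated X-Forwarded-For value outright (the bug in the first reply), and second, how to derive a lockout key safely when REMOTE_ADDR, or the header, is a proxy chain (the situation in the last reply). The approach is the standard trusted-proxy walk: the chain is read from the right, every hop inside a configured trusted-proxy range is skipped, and the first hop that is not a trusted proxy is taken as the client. Anything to the left of that hop is attacker-controlled and ignored, which is the "easily faked" concern the plugin author raises. The function and constant names (client_ip_behind_proxies, ip_in_cidr, is_trusted, expect) are invented for this example, the CIDR 198.51.100.0/24 is a documentation range standing in for a CDN's published ranges, not Fastly's real addresses, and the three sample requests are constructed. IPv4 only.

```php
<?php
// Added example, not the plugin's code. Names and sample data are assumptions
// chosen for illustration; 198.51.100.0/24 is a placeholder "CDN" range.
declare(strict_types=1);

/** Does IPv4 $ip fall inside $cidr ("198.51.100.0/24" or a bare address)? */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false; // not IPv4: never treated as trusted
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : ~((1 << (32 - $bits)) - 1);
    return ($ipLong & $mask) === ($netLong & $mask);
}

function is_trusted(string $ip, array $trustedCidrs): bool
{
    foreach ($trustedCidrs as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Resolve the client address to key lockouts on. $server is $_SERVER (or a
 * constructed stand-in). X-Forwarded-For is consulted only when the TCP peer
 * is a trusted proxy; the chain is then walked from the right and the first
 * hop that is NOT a trusted proxy is the client. Returns null when no
 * trustworthy client address can be found, so the caller can refuse the
 * login rather than lock out a CDN node or a spoofed address.
 */
function client_ip_behind_proxies(array $server, array $trustedCidrs): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    // A misconfigured server may put a whole comma-separated list into
    // REMOTE_ADDR (the last reply above); splitting handles that uniformly.
    $chain = array_map('trim', explode(',', $remote));
    $peer  = end($chain);
    if (is_trusted($peer, $trustedCidrs) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $forwarded = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $chain = array_merge($forwarded, $chain);
    }
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $hop = $chain[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return null; // garbage in the chain: refuse rather than guess
        }
        if (!is_trusted($hop, $trustedCidrs)) {
            return $hop;
        }
    }
    return null; // every hop was a trusted proxy; there is no client address
}

/** Tiny self-check so the script fails loudly if a case resolves wrongly. */
function expect(string $label, $got, $want): void
{
    if ($got !== $want) {
        throw new RuntimeException("$label: got " . var_export($got, true)
            . ", want " . var_export($want, true));
    }
    echo $label, ': ', var_export($got, true), "\n";
}

$trusted = ['198.51.100.0/24']; // placeholder for the CDN's published ranges

// The bug from the first reply: a list is not a single address.
expect('list fails FILTER_VALIDATE_IP', filter_var('203.0.113.7, 198.51.100.9', FILTER_VALIDATE_IP), false);
expect('single address passes',        filter_var('203.0.113.7', FILTER_VALIDATE_IP), '203.0.113.7');

// (a) Direct hit, attacker supplies X-Forwarded-For: header must be ignored.
expect('direct hit', client_ip_behind_proxies(
    ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1'], $trusted), '203.0.113.7');

// (b) Via the CDN: spoofed first hop, real client appended by the CDN.
expect('via CDN', client_ip_behind_proxies(
    ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 203.0.113.7'], $trusted), '203.0.113.7');

// (c) The misconfigured case from the last reply: REMOTE_ADDR is itself a list.
expect('list in REMOTE_ADDR', client_ip_behind_proxies(
    ['REMOTE_ADDR' => '203.0.113.7, 198.51.100.9'], $trusted), '203.0.113.7');

// (d) Only proxies in the chain: nothing to key a lockout on.
expect('proxies only', client_ip_behind_proxies(['REMOTE_ADDR' => '198.51.100.9'], $trusted), null);
```

Run with `php example.php`; every expect() line prints its result, and all three sample requests resolve to the same client, 203.0.113.7, regardless of which CDN node handled them, which is exactly what prevents the "several attempts per CDN node" loophole described above. Two caveats: the right-to-left walk is only sound if every proxy you list as trusted appends the address it received the connection from (CDNs and reverse proxies normally do, but verify yours), and the trusted list must be kept in sync with the CDN's published ranges, since an address outside it is treated as the client.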
