Noticed that if someone will try to log in with a non-existing account, the entire internet gets blacklisted.
Upon investigating, it looks like the reading of “X-Forwarded-For” header is done improperly. X-Forwarded-For format is supposed to be “ClientIP, ProxyIP, ..” – but the code assumes that it is always just client IP. If request passes through more than one proxy, code is unable to parse the IP address, and then blocks “.*” – (making all-in-one-wp-security the easiest DOS tool ever)
Generally, the code is unable to determine source IP in that configuration, so all logging reports IP as “.*”
- The topic ‘Improper header reading can block the world from logging in’ is closed to new replies.