Support » Fixing WordPress » IP detection problem

  • Hi everyone

    I am building an ecommerce website on Godaddy hosting.

    It is behing a reverse proxy so I can not get the real ip of the users. I added [HTTP_X_REAL_IP] code to the wpconfig.file and got users’ real ips.

    Unfortunately, the ip starts with :ffff: prefix and Payfort does not accept it. I tried many plugins including WP Cerber but none of them give an ip without :ffff: prefix.

    Do you know how to solve it?

    https://www.bynicolas.com/code/x-forwarded-for-http-user-real-ip-wordpress-config/

    I used this method and many codes but not solving it.

    // Code for showing correct client IP address
    if ( isset( $_SERVER[‘HTTP_X_FORWARDED_FOR’] ) ) {
    $mte_xffaddrs = explode( ‘,’, $_SERVER[‘HTTP_X_FORWARDED_FOR’] );
    $_SERVER[‘REMOTE_ADDR’] = $mte_xffaddrs[0];
    }

    Thanks in advance
    Raskolt

Viewing 4 replies - 1 through 4 (of 4 total)
  • Upload a php file to your website with the following code:

    <?php print_r( $_SERVER ); ?>

    Go the the page in your browser then View Page Source and see if you can see your own IP address appear there under any of the variables.

    Also the main thing to remember is that REMOTE_ADDR is the only IP header you can trust. All other IP headers can be spoofed by an attacker.

    Hi

    I uploaded that file and I could see my ip there.

    It is still ::ffff:176.xxx.xxx.xxx format.

    There is ffff in the prefix.

    te_taipo

    (@te_taipo)

    Part of the IPv4 / IPv6 overlap unfortunately.

    What was the $_SERVER variable that was reporting your correct browsers IP?

    te_taipo

    (@te_taipo)

    Try something like this: (still hit and miss until we know which _SERVER variable is reporting the right IP address)

    # warning, most of these IP header variables can be spoofed by an attacker
    $ip_vars = array(
                'HTTP_FORWARDED_FOR',
                'HTTP_CLIENT_IP',
                'HTTP_X_CLUSTER_CLIENT_IP',
                'HTTP_X_ORIGINATING_IP',
                'HTTP_X_REMOTE_IP',
                'HTTP_FORWARDED',
                'HTTP_CF_CONNECTING_IP',
                'HTTP_X_FORWARDED_FOR',
                'REMOTE_ADDR'
    );
    $x = 0;
    $alt_ip = "";
    while ( $x < count( $ip_vars ) ) {
        if ( array_key_exists( $ip_vars[ $x ], $_SERVER ) ) {
                $ip_header = $_SERVER[ $ip_vars[ $x ] ];
                $mte_xffaddrs = ( false !== strpos( $ip_header, ',' ) ) ? str_replace( ' ', '', $ip_header ) : str_replace( ' ', ',', $ip_header );
                $mte_xffaddrs = explode( ',', $ip_header );
                for( $x = 0; $x < count( $mte_xffaddrs ); $x++ ) {
                    if ( false !== ( false !== @inet_pton( $mte_xffaddrs[ $x ] ) ) ) {
                        $alt_ip = $mte_xffaddrs[ $x ];
                        break 2;
                    }
                }
            }
    $x++;
    }
    // do what you wish with $alt_ip;
    echo "alt_ip = " . $alt_ip;
Viewing 4 replies - 1 through 4 (of 4 total)
  • You must be logged in to reply to this topic.