Support » Plugin: Limit Login Attempts » [Plugin: Limit Login Attempts] Bugfix for Multiple Proxies

  • I happen to be running WP on Heroku with Cloudflare as the CDN. Given Heroku’s architecture, you end up with what appears to be two proxies and not just one.

    I noticed that Limit Login Attempts didn’t recognize the format for multiple IPs in the HTTP_X_FORWARDED_FOR header: you get a comma-delimited list rather than just a single IP.

    That obviously won’t work, so I’ve put in a small function to make sure that the first IP in that HTTP_X_FORWARDED_FOR list is used as the actual client IP (because it is). See below.

    function first_ip_address($address_list) {
            /* HTTP_X_FORWARDED_FOR may hold "client, proxy1, proxy2";
             * take the first entry as the client address. */
            $addresses = explode(',', $address_list);
            return trim($addresses[0]);
    }

    /* Get correct remote address */
    function limit_login_get_address($type_name = '') {
            $type = $type_name;
            if (empty($type)) {
                    $type = limit_login_option('client_type');
            }

            if (isset($_SERVER[$type])) {
                    return first_ip_address($_SERVER[$type]);
            }

            /*
             * Not found. Did we get proxy type from option?
             * If so, try to fall back to direct address.
             */
            if ( empty($type_name) && $type == LIMIT_LOGIN_PROXY_ADDR
                 && isset($_SERVER[LIMIT_LOGIN_DIRECT_ADDR])) {
                    /*
                     * NOTE: Even though we fall back to direct address -- meaning you
                     * can get a mostly working plugin when set to PROXY mode while in
                     * fact directly connected to Internet it is not safe!
                     * Client can itself send HTTP_X_FORWARDED_FOR header fooling us
                     * regarding which IP should be banned.
                     */
                    return first_ip_address($_SERVER[LIMIT_LOGIN_DIRECT_ADDR]);
            }

            return '';
    }
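
Added example, not the poster's patch and not the plugin's own code: the plugin's own NOTE above points out that a client can send its own HTTP_X_FORWARDED_FOR header, and with a comma-delimited chain that forged value lands at the *front* of the list. The safer way to pick the client address is to walk the list from the right, skipping hops that belong to proxies you actually operate or pay for (here: the CDN and the platform router), and take the first address that is not one of them. The CIDR ranges and IP addresses below are constructed TEST-NET placeholders, not Cloudflare's or Heroku's real ranges, and the function is assumed to be called with `$_SERVER['REMOTE_ADDR']` and `$_SERVER['HTTP_X_FORWARDED_FOR']`; it assumes 64-bit PHP 7.1 or later and handles IPv4 only.

```php
<?php
// Added example (not the plugin's or the poster's code): pick the client
// address from X-Forwarded-For by walking right-to-left past trusted proxies.

// IPv4 CIDR membership test. Anything that is not a valid IPv4 address
// (including IPv6) is reported as "not in range", i.e. untrusted.
function ip_in_cidr(string $ip, string $cidr): bool {
    if (strpos($cidr, '/') === false) {
        $cidr .= '/32';                       // bare address == single host
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $bits = (int) $bits;
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false || $bits < 0 || $bits > 32) {
        return false;
    }
    $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

function is_trusted_proxy(string $ip, array $trustedCidrs): bool {
    foreach ($trustedCidrs as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Resolve the client address:
//  - if the TCP peer ($remoteAddr) is not a trusted proxy, the header is
//    whatever the client chose to send, so only $remoteAddr is used;
//  - otherwise scan X-Forwarded-For from the right, skipping trusted proxy
//    hops, and return the first address that is not one of ours;
//  - a malformed entry stops the scan and yields '' (unknown), mirroring the
//    plugin's "not found" return value.
function resolve_client_ip(string $remoteAddr, ?string $xff, array $trustedCidrs): string {
    if ($xff === null || $xff === '' || !is_trusted_proxy($remoteAddr, $trustedCidrs)) {
        return $remoteAddr;
    }
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return '';
        }
        if (!is_trusted_proxy($hop, $trustedCidrs)) {
            return $hop;
        }
    }
    // Every hop was one of our proxies (e.g. a health check from the edge).
    return $remoteAddr;
}

// Constructed sample chain: client 203.0.113.7 -> CDN edge 198.51.100.10
// -> platform router 192.0.2.20 -> application. Placeholder ranges only.
$trusted = ['198.51.100.0/24', '192.0.2.0/24'];
$remote  = '192.0.2.20';

// Honest chain: each proxy appended the address it saw.
var_dump(resolve_client_ip($remote, '203.0.113.7, 198.51.100.10', $trusted));

// Client sent its own header first; first_ip_address() would ban 10.0.0.1,
// the right-to-left walk still lands on the real client.
var_dump(resolve_client_ip($remote, '10.0.0.1, 203.0.113.7, 198.51.100.10', $trusted));

// No trusted proxy in front (direct connection): the header is ignored.
var_dump(resolve_client_ip('203.0.113.7', '10.0.0.1', $trusted));

// How it would be wired in place of first_ip_address() (assumption):
// resolve_client_ip($_SERVER['REMOTE_ADDR'],
//                   $_SERVER['HTTP_X_FORWARDED_FOR'] ?? null, $trusted);
```

Both forwarded-header calls resolve to 203.0.113.7, and the direct-connection call resolves to 203.0.113.7 as well because the untrusted peer's header is never consulted. The trusted list is the piece that makes the header worth reading at all: it should be generated from the CDN's and platform's published address ranges rather than hard-coded, and refreshed when they change.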
