There are serious security implications, I would like highlight that this functionality should not be implemented as you have done.
REMOTE_ADDR is generated by the web server based on the connection from the client.
HTTP_X_FORWARDED_FOR is based on a HTTP header sent by the client.
You can't trust input from the client, particularly input that is easily faked, such as HTTP headers. Clients can stick anything into that
Here are is a reference blog article on the topic of spoofing IP's.
There are many plugins with generic incorrect use of
HTTP_X_FORWARDED_FOR header *sigh*.
HTTP_X_FORWARDED_FOR can contain multiple IP's.
As an alternative to this I would suggest including a section in the installation / setup instructions.
Where the admin at their choosing can modify their
wp-config.php to replace
REMOTE_ADDR with the correctly extrapolated
HTTP_X_FORWARDED_FOR and resetting
HTTP_X_FORWARDED_FOR as required.
Perhaps a whitelist of
REMOTE_ADDR enable you to trust the value of
HTTP_X_FORWARDED_FOR, again I believe this should be setup in