Support » Plugin: Wordfence Security - Firewall & Malware Scan » WordFence gets my IP wrong

  • Resolved ModernNovel

    (@modernnovel)


    There is a user some 4625 miles away (according to Google) from me trying to hack into my site. He is using a range (not consecutive) of IPs to do so, e.g. guessing the login or trying to access specific files. I went to Live Traffic and clicked on Block IP. This worked for most of the IPs he used but with one, WordFence would not let me do so because it claimed it was my IP. As said, this user is some 4625 miles away and his IP does not look anything like mine. In addition, in the How does Wordfence get IPs section, it says Detected IP(s): and quotes this IP and then says Your IP with this setting: giving the same IP which, I repeat, is not even vaguely my IP. Why is it doing this? And yes I have put my real IP and only my real IP in the Trusted Proxies.

Viewing 11 replies - 1 through 11 (of 11 total)
  • Hey @modernnovel,

    How are you currently detecting your IP? Can you please try adjusting your How does Wordfence get IPs in Wordfence > All Options > General Wordfence Options to see if it helps?

    https://www.wordfence.com/help/dashboard/options/#get-ips

    Thanks,

    Gerroald

    Thread Starter ModernNovel

    (@modernnovel)

    If I change to Use PHP’s built in REMOTE_ADDR, there is no difference
    If I change to Use the X-Forwarded-For HTTP header, the Detected IPs now include mine as well as his but the Your IP with this setting only includes his
    If I change to Use the X-Real-IP HTTP header, there is no difference
    If I change to Use the Cloudflare “CF-Connecting-IP” HTTP header to get a visitor IP (I have Cloudfare on my site), there is no difference.

    I am not sure what you mean by How are you currently detecting your IP? Do you mean how do I know what my own IP is? Google tells me, if I enter IP in the search box and there are various websites/apps that will do it. They all agree as to what my correct IP is and they all agree that his is a place about 4625 miles from me.

    Thread Starter ModernNovel

    (@modernnovel)

    Following up from my previous post, WordFence now has, in both the Detected IP(s) and Your IP with this setting sections another IP but still not mine but one albeit a different one, used by the hacker. Why?

    Thread Starter ModernNovel

    (@modernnovel)

    This is getting worse. It keeps switching the IP it thinks is my IP, though always selecting one of the hackers’ IPs, never mine, with the result that having blocked an IP, this suddenly becomes what WordFence erroneously thinks is my IP and locks me out. This really is a buggy product

    Hey @modernnovel,

    Can you please email me your Diagnostics report so I can get a better view of your environment? From the WordPress Dashboard navigate to Wordfence > Tools > Diagnostics then click SEND REPORT BY EMAIL to send it to wftest@wordfence.com. Please also add your WordPress.org username and update this post so we’ll know what it’s in reference to.

    Thanks,

    Gerroald

    Thread Starter ModernNovel

    (@modernnovel)

    It is now three days since I first raised this. WordFence now changes what it thinks (erroneously`) is my IP every few hours. It is never my IP, always one of the of the several IPs used by the hacker. What is going on?

    Hey @modernnovel,

    My apologies, I didn’t realize you had sent the Diagnostic report.

    The IP ending in 85 is yours. The one ending in 116 is your CLoudflare IP. I see the X-Forwarded-For option is showing both IPs. You’ll want to use this option and add the Clouflare IP ending in 116 to the Trusted Proxies option, and remove yours from the option. Please give this a try and let me know if it helps.

    You can use a site like http://whois.domaintools.com to track the IPs.

    Please give this a try and let me know how it goes.

    Thanks,

    Gerroald

    Thread Starter ModernNovel

    (@modernnovel)

    As I pointed out in other posts, the one ending in 116 is one of around a dozen different ones presumably coming from Cloudfare. WordFence changes which one it thinks is the chosen one every couple of hours or so, so while 116 may have been relevant in the diagnostic report I sent you, it is currently 238 and has been, today, 110, 24 and probably others. Do I put all of them in the Trusted Proxies?

    Hey @modernnovel,

    I can’t speak of the other IPs that I haven’t seen. This one is clearly from Cloudflare. I’d suggest engaging with their support about the other IPs and the proper configuration. But the idea is to identify and grab your IP. Then if you have a reverse-proxy to add these IPs to the Trusted Proxies. Cloudflare can let you know what these are.

    Please let me know how it goes.

    Thanks,

    Gerroald

    Thread Starter ModernNovel

    (@modernnovel)

    The others are all definitely from Cloudfare – all have the same initial digits and I have checked them in WhoIs. I have tried to discuss this matter with Cloudfare and they have been spectacularly less than helpful.

    Hey @modernnovel,

    If you’re certain they’re Cloudflare, then it’s okay to add them to the Trusted Proxies. This should resolve your issue. If it doesn’t, please let me know.

    I did find this list of Cloudflare ranges, but I can’t be certain how up to date it is.

    https://www.cloudflare.com/ips/

    Thanks,

    Gerroald

Viewing 11 replies - 1 through 11 (of 11 total)
  • The topic ‘WordFence gets my IP wrong’ is closed to new replies.