WordPress.org

Forums

Login Security Solution
[resolved] Works wrong behind reverse proxy (4 posts)

  1. Dr.Bier
    Member
    Posted 1 year ago #

    Hi,

    It seems that the plugin doesn't check if WordPress is running behind a reverse proxy. The reverse proxy address is stored in the db since the plugin uses the REMOTE_ADDR value.

    I think that you need to change the code in the get_ip() function to:

    $real_ip = isset($_SERVER['HTTP_X_REAL_IP']) ? $_SERVER['HTTP_X_REAL_IP'] : $_SERVER['REMOTE_ADDR'];
    if (empty($real_ip)) {
    ...

    Now it should correctly store the real (external) IP of the attacker, not the proxy address.

    Best regards,
    Alexander

    http://wordpress.org/plugins/login-security-solution/

  2. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    Step 2 of the installation instructions covers what to do when running behind a proxy server.

    http://wordpress.org/plugins/login-security-solution/installation/

  3. Dr.Bier
    Member
    Posted 1 year ago #

    You're completely right. Missed this step. But it's still required to check if the X-Forwarded-For variable exists and is non-empty.

  4. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    X-Forwarded-For can be inserted by users at will and set to any value. If LSS automatically deferred to that value, attackers could evade detection by changing the header every time.

Topic Closed

This topic has been closed to new replies.
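
The point made in the last reply, as an added example that is not part of the thread and is not Login Security Solution's code: a forwarded header is honoured only when REMOTE_ADDR is a proxy the operator has listed. The function name, the `$trusted` list and the sample requests are hypothetical, and the proxy is assumed to append the address it saw to X-Forwarded-For.

```php
<?php
// Added example; not the plugin's code. example_client_ip() and the
// trusted-proxy list are hypothetical names chosen for illustration.

/**
 * Return the client IP, honouring X-Forwarded-For only when the TCP peer
 * (REMOTE_ADDR) is a proxy the operator has explicitly listed.
 */
function example_client_ip(array $server, array $trusted_proxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    // Direct or unknown peer: any forwarded header is client-controlled.
    if (!in_array($peer, $trusted_proxies, true)) {
        return $peer;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    // Assumption: each proxy appends the address it saw, so the rightmost
    // entries were written by our own infrastructure. Walk right to left
    // and stop at the first hop that is not one of our proxies.
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // empty or malformed entry: fall back to the peer address
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop;
        }
    }
    return $peer;
}

// Constructed sample requests using documentation address ranges.
$trusted = ['10.0.0.5'];
$cases = [
    'direct, header set by client' => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'],
    'via proxy'                    => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.9'],
    'via proxy, client prefix'     => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.9'],
    'via proxy, no header'         => ['REMOTE_ADDR' => '10.0.0.5'],
];
foreach ($cases as $label => $server) {
    printf("%-30s => %s\n", $label, example_client_ip($server, $trusted));
}
```

In the first and third cases the value the client supplied (198.51.100.1) is never recorded, so changing the header on each attempt does not change the address a login tracker would store.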
