Recently we had an odd thing happen, all inbound WordPress logins appeared to be coming from the same IP address. Because a large percentage of our WordPress login attempts are from botnet zombies this caused the site security system to mark legitimate login attempts as bad.
Having installed the CloudFlare WordPress plugin was supposed to feed in the true IP address of each visitor but that seems to only work for comments and not for everything else. Here is one line of code that will get the original IP address of visitors coming through CloudFlare.
The file that needs to be edited is wp-config.php. This file is in the root folder of the WordPress installation. Make a copy of the file before modifying it since an errant change to this file will break WordPress.
Open the file and append this line to the end of the file:
$_SERVER['REMOTE_ADDR'] = $_SERVER["HTTP_CF_CONNECTING_IP"] ?
$_SERVER["HTTP_CF_CONNECTING_IP"] : $_SERVER["REMOTE_ADDR"];
Here the code is shown with a line break
for formatting reasons but inserting it as one line is preferred. Save the file and for good measure restart Apache (service httpd restart).
Now all inbound traffic has their IP address pulled from source instead of the reverse-proxy. Login failures will now be reported from their original IP address instead of the proxy’s IP address reducing false positives and giving the ability to track logins.