Replies: 1
Hi All,
I have a load balanced website that is having trouble getting the correct IP address. When WordFence tries to guess the IP, it consistently returns the load balancer’s IP, not the client’s IP. I have manually set WordFence to ” Use the X-Forwarded-For HTTP header. Only use if you have a front-end proxy or spoofing may result.” and it still doesn’t work.
I’ve configured the load balancer to send the X-Forwarded-For header, which shows up in PHP as $_SERVER['HTTP_X_FORWARDED_FOR']. However, wordfence doesn’t see the IP address, and instead incorrectly uses the load balancer’s IP.
This affects me because when someone tries to brute force the website or do username enumeration, it locks all admins out since they all appear to be coming from F5 / BigIP. We use IIS 8.5.