OK, I think that's a bug in your wp-config.php because you're not validating the IP address passed by X-Forwarded-For before setting REMOTE_ADDR. So if it's garbage because someone sent a bogus header, then it'll overwrite the REMOTE_ADDR header.
Try this. I haven't tested it, just typing this out and maybe it'll work for you:
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $xffaddrs = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
    // Walk the list from the right-hand end, skipping private addresses.
    for ($i = count($xffaddrs) - 1; $i >= 0; $i--) {
        $addr = trim($xffaddrs[$i]);
        // Anchored (^...$) so only a bare dotted quad passes, not a string
        // that merely contains one; the 192.168 test needs its trailing dot
        // so 192.1680.x.x is not mistaken for the private range.
        if (preg_match('/^\d{1,3}(?:\.\d{1,3}){3}$/', $addr)
            && !preg_match('/^(?:192\.168\.|10\.)/', $addr)) {
            $_SERVER['REMOTE_ADDR'] = $addr;
            break;
        }
    }
}
Anyway, something like that; it probably has syntax errors in it. But the idea is that you actually start looking at addresses on the right side of the list in X-Forwarded-For because those are closer to the client if they're behind multiple proxies, but you want to ignore private addresses. I've only filtered out the 192.168 and 10. prefixes. There's also the 172.16.0.0 to 172.31.255.255 range, along with a whole bunch of invalid IP ranges, and if you're interested in how to efficiently filter those out, look at Wordfence's code in the lib/wfUtils.php module, where we do this kind of parsing but more complex and efficient.
Regards,
Mark.
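The same right-to-left walk over X-Forwarded-For, written out as an added example for this page (it is not Mark's snippet above and not Wordfence's lib/wfUtils.php). It replaces the dotted-quad regex with PHP's filter_var(), whose FILTER_FLAG_NO_PRIV_RANGE and FILTER_FLAG_NO_RES_RANGE flags drop 10/8, 172.16/12, 192.168/16, loopback, link-local and the other reserved ranges the post mentions, for IPv4 and IPv6 alike. The $trustedProxies list, the xff_client_ip() name and the 203.0.113.10 proxy address are assumptions made for the example: the header is only consulted when the TCP peer is a proxy you control, since anyone can send the header directly.

```php
<?php
// Added example, not code from the original post or from Wordfence.
// Pick the client address out of X-Forwarded-For, walking from the right
// and skipping private/reserved addresses, as described in the post.

/**
 * @param array    $server         Normally $_SERVER.
 * @param string[] $trustedProxies Exact IPs of proxies allowed to set the
 *                                 header (assumption for this example; a real
 *                                 deployment might want CIDR matching here).
 * @return string  The address to treat as the client, or REMOTE_ADDR unchanged.
 */
function xff_client_ip(array $server, array $trustedProxies = array()) {
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';

    // If the peer is not one of our proxies, the header is attacker-controlled
    // and REMOTE_ADDR is the only value we can believe.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    if (empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }

    $candidates = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));

    // Rightmost entry first, as in the post; stop at the first public address.
    for ($i = count($candidates) - 1; $i >= 0; $i--) {
        $addr = $candidates[$i];

        // Some proxies append a port: "[2001:db8::1]:443" or "198.51.100.7:8080".
        if (preg_match('/^\[([0-9A-Fa-f:.]+)\](?::\d+)?$/', $addr, $m)) {
            $addr = $m[1];
        } elseif (preg_match('/^(\d{1,3}(?:\.\d{1,3}){3}):\d+$/', $addr, $m)) {
            $addr = $m[1];
        }

        // filter_var() rejects garbage outright (octets > 255, stray text),
        // and the flags reject RFC 1918 space plus loopback, link-local,
        // 0.0.0.0/8, 240/4 and their IPv6 counterparts.
        $valid = filter_var(
            $addr,
            FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
        );
        if ($valid !== false) {
            return $valid;
        }
    }

    // Every entry was private, reserved or garbage: fall back to the peer.
    return $remote;
}

// Constructed sample request: our proxy (203.0.113.10, a placeholder from
// TEST-NET-3) forwarded a request whose header carries an attacker-supplied
// junk entry, a real client address, and the proxy's own internal address.
$sample = array(
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_X_FORWARDED_FOR' => "' OR 1=1, 198.51.100.7, 10.0.0.5",
);
$clientIp = xff_client_ip($sample, array('203.0.113.10'));
// $clientIp is "198.51.100.7": 10.0.0.5 is skipped as private and the
// junk entry never validates.

// In wp-config.php the call would be:
//   $_SERVER['REMOTE_ADDR'] = xff_client_ip($_SERVER, array('203.0.113.10'));
```

Two behaviours differ from the snippet in the post and are worth keeping: if no trusted proxy is in front of the request, X-Forwarded-For is ignored entirely rather than parsed, and if every entry in the header is private or invalid, REMOTE_ADDR is left as the proxy's address instead of being overwritten with garbage.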