Incorrect Geolocation When Using Cloudflare Proxy

(@moataz-mohammady)

When using this plugin with Cloudflare proxy enabled (orange cloud), the geolocation is incorrectly detected. Instead of showing the visitor’s actual location, it shows the location of Cloudflare’s data center.

Example:

Real visitor location: Egypt
Plugin shows: France, Marseille
IPStack receives Cloudflare’s data center IP instead of the visitor’s real IP

Root Cause

The cfgeo_get_ip() function in inc/lib/class.tglcf.lib.php checks HTTP_X_REAL_IP header first. When Cloudflare is used, this header contains Cloudflare’s data center IP, not the visitor’s actual IP.

Cloudflare provides the real visitor IP in the HTTP_CF_CONNECTING_IP header, which should be prioritized. The Fix

File to modify: inc/lib/class.tglcf.lib.php

Function: cfgeo_get_ip()

Add check for HTTP_CF_CONNECTING_IP before HTTP_X_REAL_IP:

function cfgeo_get_ip() {
    $ip = false;

    // Prioritize Cloudflare's connecting IP (the REAL visitor IP)
    if ( ! empty( $_SERVER['HTTP_CF_CONNECTING_IP'] ) ) {
        $ip = filter_var( $_SERVER['HTTP_CF_CONNECTING_IP'], FILTER_VALIDATE_IP );
    } elseif ( ! empty( $_SERVER['HTTP_X_REAL_IP'] ) ) {
        $ip = filter_var( $_SERVER['HTTP_X_REAL_IP'], FILTER_VALIDATE_IP );
    } elseif ( ! empty( $_SERVER['HTTP_CLIENT_IP'] ) ) {
        // Check ip from share internet.
        $ip = filter_var( $_SERVER['HTTP_CLIENT_IP'], FILTER_VALIDATE_IP );
    } elseif ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
        $ips = explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] );
        if ( is_array( $ips ) ) {
            $ip = filter_var( $ips[0], FILTER_VALIDATE_IP );
        }
    } elseif ( ! empty( $_SERVER['REMOTE_ADDR'] ) ) {
        $ip = filter_var( $_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP );
    }

    $ip       = false !== $ip ? $ip : '127.0.0.1';
    $ip_array = explode( ',', $ip );
    $ip_array = array_map( 'trim', $ip_array );
    if($ip_array[0] == '::1' || $ip_array[0] == '127.0.0.1'){
        $ipser = array('http://ipv4.icanhazip.com','http://v4.ident.me','http://bot.whatismyipaddress.com');
        shuffle($ipser);
        $ipservices = array_slice($ipser, 0,1);
        $ret = wp_remote_get($ipservices[0]);
        if(!is_wp_error($ret)){
            if (isset($ret['body'])) {
                return sanitize_text_field( $ret['body'] );
            }
        }
    }

    return sanitize_text_field( apply_filters( 'cfgeo_get_ip', $ip_array[0] ) );
}

Testing Results

Before fix:

IPStack receives: Cloudflare data center IP
Response: France, Marseille (incorrect - Cloudflare data center location)

After fix:

IPStack receives: Actual visitor IP
Response: Egypt, Al Jizah (correct - visitor's real location)

Why This Matters

This bug affects all Cloudflare users (millions of WordPress sites use Cloudflare for CDN, security, and performance). Backward Compatibility

✅ 100% backward compatible

Sites without Cloudflare: No change in behavior
Sites with Cloudflare: Gets correct visitor IP
All fallback chains remain intact

Reference

Cloudflare documentation: https://developers.cloudflare.com/fundamentals/reference/http-request-headers/#cf-connecting-ip

I’ve tested this fix on my site and it works perfectly. Happy to provide additional information or testing if needed. Thank you for maintaining this useful plugin!

This topic was modified 3 months, 3 weeks ago by Moataz Mohammady.

The page I need help with: [log in to see the link]

Viewing 1 replies (of 1 total)

Cristopher
(@cristopherzwt)

2 months, 1 week ago

Hello @moataz-mohammady

Thank you very much for providing this information regarding the bug.

We plan to resolve this issue in the next version of the plugin.

Thank you,
Zealousweb

Viewing 1 replies (of 1 total)

You must be logged in to reply to this topic.