Viewing 3 replies - 1 through 3 (of 3 total)
    Plugin Author Paul

    (@paultgoodchild)

    This article has a point, but it fails to recognise that the so-called “safe” variable REMOTE_ADDR isn’t consistently reliable on many web hosting platforms.

    When developing a widely distributed WordPress plugin, part of the trick is ensuring that it’s as compatible with well-built, configured, and maintained systems, as much as all those systems that are a shambles in more ways than one. Ultimately, the plugin developer usually gets the blame, not the client’s choice of cheap web hosting. So we must adapt our plugins accordingly.

    And this is one such adaptation. It’s no coincidence that all these security plugins are doing this.

    In a recent release we offered a new option inside the plugin for the admin to select the source of the IP address, so this situation with spoofing can be avoided entirely if you select REMOTE_ADDR, and your server is properly configured.

    With the next release (due out tomorrow), we have also automated some of this so it will default to REMOTE_ADDR if we can detect that it appears to be a valid IP address: remote, unreserved, public, not-your-server-ip (this is common). You can of course override this if your server isn’t properly configured.

    Hope this helps.

    • This reply was modified 8 years, 8 months ago by Paul.
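As an added illustration of the selection logic Paul describes above (default to REMOTE_ADDR when it is a valid, public, non-reserved address that is not the server's own, and honour a forwarding header only when the request really arrived through a proxy you trust), here is example PHP that is not Shield's own code. The function names, the `$trustedProxies` list and the sample request arrays are assumptions constructed for the example; the validation itself relies on PHP's built-in `filter_var` with `FILTER_VALIDATE_IP`.

```php
<?php
// Added example, not code from the Shield plugin. Function names and the
// sample request arrays below are constructed for illustration only.

/**
 * True when $ip is a syntactically valid IPv4/IPv6 address that is public
 * (not in a private or reserved range) and is not the server's own address.
 * This mirrors the "remote, unreserved, public, not-your-server-ip" test.
 */
function is_usable_public_ip(string $ip, string $serverIp): bool
{
    $valid = filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
    return $valid !== false && $valid !== $serverIp;
}

/**
 * Pick the visitor IP for one request.
 *
 * $server         : the request's server variables ($_SERVER in real use)
 * $source         : 'REMOTE_ADDR' (admin-selected, always wins) or 'AUTO'
 * $trustedProxies : addresses of CDN edges / reverse proxies allowed to set
 *                   X-Forwarded-For; a header from any other peer is ignored,
 *                   because any client can send that header itself.
 */
function pick_visitor_ip(array $server, string $source = 'AUTO', array $trustedProxies = []): string
{
    $remote   = $server['REMOTE_ADDR'] ?? '';
    $serverIp = $server['SERVER_ADDR'] ?? '';

    if ($source === 'REMOTE_ADDR') {
        return $remote;
    }

    // Only honour the forwarding header when the direct peer is a trusted proxy.
    if (in_array($remote, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // X-Forwarded-For reads "client, proxy1, proxy2". Walk from the right,
        // skipping hops we trust; the first untrusted hop is the client as seen
        // by the nearest trusted proxy.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        for ($i = count($hops) - 1; $i >= 0; $i--) {
            if (in_array($hops[$i], $trustedProxies, true)) {
                continue;
            }
            if (filter_var($hops[$i], FILTER_VALIDATE_IP) !== false) {
                return $hops[$i];
            }
            break; // malformed entry: fall back to REMOTE_ADDR below
        }
    }

    // AUTO mode: REMOTE_ADDR is used whether or not it passes the public-IP test;
    // the test is reported so an admin can see when the server needs fixing.
    if (!is_usable_public_ip($remote, $serverIp)) {
        error_log("REMOTE_ADDR '{$remote}' does not look like a public visitor address; check proxy configuration");
    }
    return $remote;
}

// Constructed sample requests (documentation addresses, not real traffic).
$serverIp = '198.51.100.5';
$cdnEdges = ['192.0.2.1'];

// A direct client that sets X-Forwarded-For itself: the header is ignored.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.10',
    'SERVER_ADDR'          => $serverIp,
    'HTTP_X_FORWARDED_FOR' => '203.0.113.99',
];

// The same kind of request arriving through a trusted CDN edge.
$viaCdn = [
    'REMOTE_ADDR'          => '192.0.2.1',
    'SERVER_ADDR'          => $serverIp,
    'HTTP_X_FORWARDED_FOR' => '203.0.113.77, 192.0.2.1',
];

echo pick_visitor_ip($direct, 'AUTO', $cdnEdges), PHP_EOL;
echo pick_visitor_ip($viaCdn, 'AUTO', $cdnEdges), PHP_EOL;
echo pick_visitor_ip($viaCdn, 'REMOTE_ADDR', $cdnEdges), PHP_EOL;
```

The point of the trusted-proxy list is the one the thread is about: X-Forwarded-For is ordinary request text, so it is only meaningful when the peer that delivered it (REMOTE_ADDR) is known to be your CDN or reverse proxy. With no proxy in front of the site, selecting REMOTE_ADDR, as Paul suggests, removes the spoofing path entirely.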
    Thread Starter Anonymous User 14978628

    (@anonymized-14978628)

    The article gave the impression that you would need the X-Forwarded-For header if you were using a CDN, so I’m guessing this header would be quite useful to a lot of people anyway. I just wasn’t aware of the potential risk it posed.

    You mention REMOTE_ADDR. How does that fit in with a CDN? Does enabling it affect the functionality of anything CDN related?

    Plugin Author Paul

    (@paultgoodchild)

    This article is confusing if you mix it up with too many other factors, scenarios and such like. It isn’t entirely clear, but then this can be a complex topic.

    To be sure we’re not crossing wires, you’re not “enabling” REMOTE_ADDR, but rather you’re selecting this as the source of the visitor IP address of each request to the site, solely for the purposes of processing that request by the Shield plugin.

    Since Shield isn’t working with your CDN at all, this setting will have no impact on your CDN configuration or anything related to it.

    Look within Shield’s Dashboard section and review the list of variables and you’ll see REMOTE_ADDR listed there and the value that it has. You can use a service like https://www.whatismyip.com/ to compare and if REMOTE_ADDR is correct, you can select REMOTE_ADDR from the list (and save).

    • This reply was modified 8 years, 8 months ago by Paul.

The topic ‘IP Spoofing’ is closed to new replies.