[Plugin: Limit Login Attempts] Bugfix for Multiple Proxies
I happen to be running WP on Heroku with Cloudflare as the CDN. Given Heroku’s architecture, you end up with what appears to be two proxies and not just one.
I noticed that Limit Login Attempts didn’t recognize the format for multiple IPs in the HTTP_X_FORWARDED_FOR header: you get a comma-delimited list rather than just a single IP.
That obviously won’t work, so I’ve put in a small function to make sure that the first IP in that HTTP_X_FORWARDED_FOR list is used as the actual client IP (because it is). See below.
function first_ip_address($address_list) {
    /*
     * HTTP_X_FORWARDED_FOR behind more than one proxy is a comma-delimited
     * list ("client, proxy1, proxy2"). Entries usually carry a space after
     * the comma, so trim the first one before handing it back.
     */
    $addresses = explode(',', $address_list);
    return trim($addresses[0]);
}

/* Get correct remote address */
function limit_login_get_address($type_name = '') {
    $type = $type_name;
    if (empty($type)) {
        $type = limit_login_option('client_type');
    }

    if (isset($_SERVER[$type])) {
        return first_ip_address($_SERVER[$type]);
    }

    /*
     * Not found. Did we get proxy type from option?
     * If so, try to fall back to direct address.
     */
    if ( empty($type_name)
         && $type == LIMIT_LOGIN_PROXY_ADDR
         && isset($_SERVER[LIMIT_LOGIN_DIRECT_ADDR])) {
        /*
         * NOTE: Even though we fall back to direct address -- meaning you
         * can get a mostly working plugin when set to PROXY mode while in
         * fact directly connected to Internet it is not safe!
         *
         * Client can itself send HTTP_X_FORWARDED_FOR header fooling us
         * regarding which IP should be banned.
         */
        return first_ip_address($_SERVER[LIMIT_LOGIN_DIRECT_ADDR]);
    }

    return '';
}
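The plugin's own comment above notes that a client can send its own HTTP_X_FORWARDED_FOR and influence which address gets banned. The following is an added example, not the poster's patch and not code from Limit Login Attempts: it resolves the client address by counting trusted proxy hops from the right of the list rather than taking the leftmost entry. The constant TRUSTED_PROXY_HOPS = 2 is an assumption matching the Cloudflare-then-Heroku setup described in the post; the function names and the sample headers are this example's own.

```php
<?php
// Added example, not the poster's patch and not Limit Login Attempts code.
// Resolves the client IP from HTTP_X_FORWARDED_FOR by counting trusted proxy
// hops from the right, so a client-supplied leftmost entry cannot choose the
// address that gets banned. Constant and function names are this example's own.

// Assumption from the post's setup: Cloudflare, then the Heroku router.
const TRUSTED_PROXY_HOPS = 2;

/**
 * Split an X-Forwarded-For header into trimmed entries, validating each as an
 * IPv4/IPv6 literal. Invalid entries become null so positions are preserved.
 */
function parse_forwarded_for($header) {
    $entries = array();
    foreach (explode(',', $header) as $raw) {
        $candidate = trim($raw);
        $entries[] = filter_var($candidate, FILTER_VALIDATE_IP) !== false
            ? $candidate
            : null;
    }
    return $entries;
}

/**
 * Return the client IP, or null if the header does not have the shape the
 * trusted proxy chain would produce.
 *
 * Each trusted proxy appends the address it received the request from. With
 * $trusted_hops proxies between client and app, the rightmost
 * ($trusted_hops - 1) entries name proxies and the entry just before them is
 * what the outermost trusted proxy saw: the real client. Anything further
 * left was supplied by the client (or an untrusted upstream) and is ignored.
 */
function client_ip_from_forwarded_for($header, $trusted_hops = TRUSTED_PROXY_HOPS) {
    if ($trusted_hops < 1) {
        return null; // no proxies: REMOTE_ADDR is the client, the header is untrusted
    }
    $entries = parse_forwarded_for($header);
    $index = count($entries) - $trusted_hops;
    if ($index < 0) {
        return null; // fewer entries than the proxy chain would have appended
    }
    return $entries[$index]; // null if that entry failed validation
}

// Constructed sample headers (documentation-range addresses, not real hosts).
$samples = array(
    // Honest client through Cloudflare (203.0.113.10) and the Heroku router.
    '198.51.100.7, 203.0.113.10',
    // Client sent its own X-Forwarded-For first; both proxies appended after it.
    '192.0.2.1, 198.51.100.7, 203.0.113.10',
    // Header shorter than the chain: never produced by two trusted proxies.
    '203.0.113.10',
    // Garbage where the client address should be.
    'not-an-ip, 203.0.113.10',
);

foreach ($samples as $header) {
    $leftmost = trim(explode(',', $header)[0]);
    $resolved = client_ip_from_forwarded_for($header);
    printf("%-42s leftmost=%-14s trusted-hop=%s\n",
        $header, $leftmost, $resolved === null ? 'null' : $resolved);
}
```

For the second sample the leftmost entry is the attacker-chosen 192.0.2.1 while the hop-counted result is the address Cloudflare actually saw; the third and fourth samples return null so the caller can refuse to act on a header that cannot have come through the expected chain. Cloudflare also sets CF-Connecting-IP, which is an alternative if the deployment can restrict inbound traffic to Cloudflare's ranges, but the hop-counting approach above works with any fixed chain of proxies.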