Title: [Plugin: Login Security Solution] Server behind proxy or load balancer
Last modified: August 20, 2016

---

# [Plugin: Login Security Solution] Server behind proxy or load balancer

 *  Resolved [josediogenes](https://wordpress.org/support/users/josediogenes/)
 * (@josediogenes)
 * [13 years, 10 months ago](https://wordpress.org/support/topic/plugin-login-security-solution-server-behind-proxy-or-load-balancer/)
 * Hello,
You got a very useful plugin here, but I’m wondering: if your site or blog is
   behind a load balancer or a proxy, how can it track the various IPs’ attempts to
   log in if basically the proxy has the same IP?
 * Are there any changes or options to tune it in case of WordPress installed on servers
   with a proxy?
 * Thank you
 * [http://wordpress.org/extend/plugins/login-security-solution/](http://wordpress.org/extend/plugins/login-security-solution/)

Viewing 8 replies - 1 through 8 (of 8 total)

 *  Plugin Author [Daniel Convissor](https://wordpress.org/support/users/convissor/)
 * (@convissor)
 * [13 years, 10 months ago](https://wordpress.org/support/topic/plugin-login-security-solution-server-behind-proxy-or-load-balancer/#post-2961570)
 * Hi Jose:
 * Are you asking in general, or is this a situation you actually have?
 * I could populate the plugin’s IP data with HTTP_X_FORWARDED_FOR if it’s provided.
   Sound good?
 * –Dan
 *  Thread Starter [josediogenes](https://wordpress.org/support/users/josediogenes/)
 * (@josediogenes)
 * [13 years, 10 months ago](https://wordpress.org/support/topic/plugin-login-security-solution-server-behind-proxy-or-load-balancer/#post-2961571)
Yes, this is my case: we’re using a proxy and every access to the site has the
   same IP. Because the plugin analyses login attempts by user and not only by IP,
   it is still effective, but we miss the IP block/slowdown feature.
 * Thank you for your response.
 *  Thread Starter [josediogenes](https://wordpress.org/support/users/josediogenes/)
 * (@josediogenes)
 * [13 years, 10 months ago](https://wordpress.org/support/topic/plugin-login-security-solution-server-behind-proxy-or-load-balancer/#post-2961582)
 * Hello again,
After some research I changed a bit of code within the plugin file and now it
   seems to be using the “real” IP and not the proxy one.
 * I changed the `get_ip` method of your plugin’s class:
 *     ```
       protected function get_ip() {
       		if (empty($_SERVER['REMOTE_ADDR'])) {
       			return '';
       		}
       		if (empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
       			return '';
       		}
   
       		//return $this->normalize_ip($_SERVER['REMOTE_ADDR']);
       		return $this->normalize_ip($_SERVER['HTTP_X_FORWARDED_FOR']);
       	}
       ```
   
 *  Plugin Author [Daniel Convissor](https://wordpress.org/support/users/convissor/)
 * (@convissor)
 * [13 years, 10 months ago](https://wordpress.org/support/topic/plugin-login-security-solution-server-behind-proxy-or-load-balancer/#post-2961616)
 * Hi Jose:
 * I committed some changes for this into the SVN repository. It will be in release
   0.22.0, whenever that comes out. For now, you can use the latest “development
   version” via [http://downloads.wordpress.org/plugin/login-security-solution.zip](http://downloads.wordpress.org/plugin/login-security-solution.zip).
   Please try it and let me know how it goes.
 * –Dan
 *  [Dean Taylor](https://wordpress.org/support/users/deanmarktaylor/)
 * (@deanmarktaylor)
 * [13 years, 10 months ago](https://wordpress.org/support/topic/plugin-login-security-solution-server-behind-proxy-or-load-balancer/#post-2961618)
 * Hi Daniel,
There are serious security implications; I would like to highlight that this functionality
   should not be implemented as you have done.
 * `REMOTE_ADDR` is generated by the web server based on the connection from the
   client. `HTTP_X_FORWARDED_FOR` is based on a HTTP header sent by the client.
 * You can’t trust input from the client, particularly input that is easily faked,
   such as HTTP headers. Clients can stick anything into that `HTTP_X_FORWARDED_FOR`
   header.
Here is a reference blog article on the topic of [spoofing IPs](http://www.thespanner.co.uk/2007/12/02/faking-the-unexpected/).
 * There are many plugins with generically incorrect use of the `HTTP_X_FORWARDED_FOR` header
   *sigh*.
   Remember `HTTP_X_FORWARDED_FOR` can contain [multiple IPs](http://en.wikipedia.org/wiki/X-Forwarded-For).
 * As an alternative to this I would suggest including a section in the installation/
   setup instructions, where the admin, at their choosing, can modify their `wp-config.php`
   to replace `REMOTE_ADDR` with the correctly extrapolated `HTTP_X_FORWARDED_FOR`
   and reset `HTTP_X_FORWARDED_FOR` as required.
 * Perhaps a **whitelist** of `REMOTE_ADDR` could enable you to trust the value of `HTTP_X_FORWARDED_FOR`;
   again, I believe this should be set up in `wp-config.php`.
 * Cheers,
    Dean.
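The whitelist approach Dean describes, worked through as an added example. This is not code from the plugin or from anyone in this thread; the helper name `lss_example_client_ip`, the load-balancer address `10.0.0.5` and the sample requests are assumptions constructed for illustration. The idea is that `X-Forwarded-For` is only consulted when `REMOTE_ADDR` is a proxy you control, and even then the address used is the rightmost hop that is not one of your proxies, because everything to the left of it was supplied by the client or by an unknown intermediary and can be forged.

```php
<?php
// Added example for wp-config.php: derive the client IP only from trusted proxies.
// Not part of the Login Security Solution plugin; names and addresses are assumed.

function lss_example_client_ip(array $server, array $trusted_proxies) {
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (!filter_var($remote, FILTER_VALIDATE_IP)) {
        return '';
    }

    // Direct connection, not via one of our proxies: the header is arbitrary
    // client input (the point Dean makes above), so it is ignored entirely.
    if (!in_array($remote, $trusted_proxies, true)) {
        return $remote;
    }

    if (empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }

    // X-Forwarded-For is "client, proxy1, proxy2, ...": each proxy appends the
    // address it saw. Walk from the right, skipping our own proxies; the first
    // hop that is not ours is the address that actually connected to our edge.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (!filter_var($hop, FILTER_VALIDATE_IP)) {
            break; // malformed chain: fall back to the proxy's own address
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop;
        }
    }
    return $remote;
}

// Constructed sample requests (not real traffic); 10.0.0.5 is the assumed load balancer.
$trusted = array('10.0.0.5');
$cases = array(
    // 1: direct hit with a forged header; the header must be ignored
    array('REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'),
    // 2: via the load balancer, client prepended a fake hop; rightmost untrusted hop wins
    array('REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.9'),
    // 3: via the load balancer, nothing forged
    array('REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.9'),
);
foreach ($cases as $n => $c) {
    echo 'case ', $n + 1, ': ', lss_example_client_ip($c, $trusted), "\n";
}

// In wp-config.php the derived value would then overwrite REMOTE_ADDR, so a
// plugin that reads REMOTE_ADDR (as this one does) sees the real client, and the
// forwarded header is dropped so nothing downstream re-parses it:
// $_SERVER['REMOTE_ADDR'] = lss_example_client_ip($_SERVER, $trusted);
// unset($_SERVER['HTTP_X_FORWARDED_FOR']);
```

The whitelist must contain only addresses from which a client cannot connect directly (the load balancer's internal address, not a public one), otherwise an attacker who reaches the origin server directly can still choose the address the plugin records, and with it the IP-based block/slowdown decisions.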
 *  Thread Starter [josediogenes](https://wordpress.org/support/users/josediogenes/)
 * (@josediogenes)
 * [13 years, 10 months ago](https://wordpress.org/support/topic/plugin-login-security-solution-server-behind-proxy-or-load-balancer/#post-2961620)
 * Dean,
Thank you for the enlightenment; I’m sure it’ll help the plugin maker to adjust the
   code to suit both security and practical needs. Maybe he’ll change the sanitize
   method as well to avoid such XSS vulnerabilities.
 * josediogenes
 *  Plugin Author [Daniel Convissor](https://wordpress.org/support/users/convissor/)
 * (@convissor)
 * [13 years, 10 months ago](https://wordpress.org/support/topic/plugin-login-security-solution-server-behind-proxy-or-load-balancer/#post-2961627)
 * Dean:
 * Once again, thank you for paying close attention.
 * My initial thinking was “Yeah, the HTTP_X_FORWARDED_FOR can be forged, but so
   can the REMOTE_ADDR.” But the underlying point of your statement is that forging
   an HTTP header is WAY simpler than forging an IP packet or attacking via proxies.
 * I’ll revert the change and advise users to take appropriate measures.
 * josediogenes, for the record, my plugin carefully validates all input in order
   to prevent XSS and SQL vulnerabilities, etc.
 * Thanks,
 * –Dan
 *  Plugin Author [Daniel Convissor](https://wordpress.org/support/users/convissor/)
 * (@convissor)
 * [13 years, 10 months ago](https://wordpress.org/support/topic/plugin-login-security-solution-server-behind-proxy-or-load-balancer/#post-2961628)
 * The installation instructions now include a step for administrators running behind
   load balancers and proxies. This will show up on the website when the next release
   is made. Until then, folks can view the readme file in SVN.


The topic ‘[Plugin: Login Security Solution] Server behind proxy or load balancer’
is closed to new replies.


 * 8 replies
 * 3 participants
 * Last reply from: [Daniel Convissor](https://wordpress.org/support/users/convissor/)
 * Last activity: [13 years, 10 months ago](https://wordpress.org/support/topic/plugin-login-security-solution-server-behind-proxy-or-load-balancer/#post-2961628)
 * Status: resolved