Hi,
First, while going through Wordfence options you have to select “CF-Connecting-IP” option in “How does Wordfence get IPs“, this will help in setting up Wordfence easily without any problem in revealing your visitors IP addresses. We have some reports saying that installing Cloudflare’s WP plugin helped in revealing visitors’ IPs as well.
There shouldn’t be any problem running Wordfence on a website that was configured to use Cloudflare services, no specific optimizations or tips I could mention specifically for this setup, however, I must clarify that Wordfence takes the endpoint security approach, to know more about that I recommend reading this blog post.
Thanks.
Thanks for the insights and tips. I am somewhat confused, where can I find the “CF-Connecting-IP” option in the Wordfence plugin? I’ve search for it but do not seem to see it anywhere in the options area.
Sorry for the confusion, please check (Wordfence > Options > “How does Wordfence get IPs“) then choose “Use the Cloudflare “CF-Connecting-IP” HTTP header to get a visitor IP. Only use if you’re using Cloudflare.”, please check this screenshot.
Thanks.
Great thanks a lot for the clarity. Is this change only needed if the Cloudflare WAF is enabled? Or is this necessary if I am using their service period?
It’s needed if you are using their service (your website’s DNS is hosted on cloudflare).
Thanks.
Thanks. My DNS is with Siteground. I am currently just using Cloudflare for CDN. Does this mean I do not have to apply the Cloudflare “CF-Connecting-IP” option in Wordfence?
As far as I know there is no way to do that unless your website is hosted on one of “Cloudflare Hosting Partners” or you followed the CNAME setup, anyway, there is an easy way to check if “CF-Connecting-IP” is being used on your website or not, simply go to (Wordfence > Tools > Diagnostics) and check the IPs section to see which header is in use.
Thanks.
I’m using Cloudflare and Wordfence with the option “Let Wordfence use the most secure method…”. Everything seems to be working fine. Should I switch to other option “Use the Cloudflare “CF-Connecting-IP” HTTP Header” or should I continue with my current settings that seems to be working?
Hi @niska
You can just continue with “Let Wordfence use the most secure method…” option selected, it should use the “CF-Connecting-IP” header automatically.
Thanks.
wp_remote_post() test back to this server failed! Response was: cURL error 60: SSL certificate problem: unable to get local issuer certificate
Cloudflare SSL. Any solution?
I reviewed this documentation link https://docs.wordfence.com/en/Wordfence_options#How_does_Wordfence_get_IPs
and your documentation page has a warning on the top that says “This documentation is only valid for older versions of Wordfence. If you are using Wordfence 7 or later, please visit our new documentation.” (it doesn’t say anything about how you get IPs). FYI, I too am looking at this setup issue with cloudflare. I indeed am using cloudflare though a hosting partner (dreamhost). I presently am using the automatic setting and want to use site24x7 uptime monitoring service (they check the server to see if it is online, maybe a separate issue from this thread, but thought I would throw that in there). Thanks!
