Title: Works wrong behind reverse proxy
Last modified: August 21, 2016

---

# Works wrong behind reverse proxy

 *  Resolved [Dr.Bier](https://wordpress.org/support/users/drbier/)
 * (@drbier)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/works-wrong-behind-reverse-proxy/)
 * Hi,
 * It seems that plugin doesn’t check if WordPress is running behind reverse proxy.
   Reverse proxy address is stored in db since plugin uses REMOTE_ADDR value.
 * I think that you need to change code in get_ip() function to:
 * $real_ip = isset($_SERVER[‘HTTP_X_REAL_IP’]) ? $_SERVER[‘HTTP_X_REAL_IP’] : $
   _SERVER[‘REMOTE_ADDR’];
    if (empty($real_ip)) { …
 * Now it should correctly store real (external) ip of attacker, not proxy address.
 * Best regards,
    Alexander
 * [http://wordpress.org/plugins/login-security-solution/](http://wordpress.org/plugins/login-security-solution/)

Viewing 3 replies - 1 through 3 (of 3 total)

 *  Plugin Author [Daniel Convissor](https://wordpress.org/support/users/convissor/)
 * (@convissor)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/works-wrong-behind-reverse-proxy/#post-4501560)
 * Step 2 of the installation instructions covers what to do when running behind
   a proxy server.
 * [http://wordpress.org/plugins/login-security-solution/installation/](http://wordpress.org/plugins/login-security-solution/installation/)
 *  Thread Starter [Dr.Bier](https://wordpress.org/support/users/drbier/)
 * (@drbier)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/works-wrong-behind-reverse-proxy/#post-4501592)
 * You’re completely right. Missed this step. But it’s still required to check if
   X-Forwarded-For variable exists and non-empty.
 *  Plugin Author [Daniel Convissor](https://wordpress.org/support/users/convissor/)
 * (@convissor)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/works-wrong-behind-reverse-proxy/#post-4501658)
 * X-Forwarded-For can be inserted by users at will and set to any value. If LSS
   automatically deferred to that value, attackers could evade detection by changing
   the header every time.

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Works wrong behind reverse proxy’ is closed to new replies.

 * ![](https://s.w.org/plugins/geopattern-icon/login-security-solution.svg)
 * [Login Security Solution](https://wordpress.org/plugins/login-security-solution/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/login-security-solution/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/login-security-solution/)
 * [Active Topics](https://wordpress.org/support/plugin/login-security-solution/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/login-security-solution/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/login-security-solution/reviews/)

 * 3 replies
 * 2 participants
 * Last reply from: [Daniel Convissor](https://wordpress.org/support/users/convissor/)
 * Last activity: [12 years, 4 months ago](https://wordpress.org/support/topic/works-wrong-behind-reverse-proxy/#post-4501658)
 * Status: resolved