• Resolved idealynx

    (@idealynx)


    Whenever I login to my website, I receive the typical Wordfence login email alert.

    What’s strange is that over the past several days, the IP Address indicated in the email alert and on the WordFence Live Traffic page is NOT the IP Address from which I logged in. Instead, it’s similar to that of somebody who has been attempting to break into my website for a few days, with only the last two sets of digits being different. Here is the incorrect IP info that I keep getting: IP: 198.143.37.7 Hostname: 198.143.37.7.ip.incapdns.net.

    I thought somebody may have breached my site security, so I deleted the old administrator user name and password and created a new one, but the login IP Address with the new administrator user name is the same.

    Any help and/or advice is much appreciated.


Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Support wfphil

    (@wfphil)

    Hi @idealynx

    I see that you haven’t configured Wordfence to detect correct IP addresses yet. Wordfence is seeing all visits to your site as coming from Imperva (Incapsula) CDN IP addresses instead of the IP addresses of site visitors.

    This needs to be fixed because if a hacker generates a block from one of the CDN IP addresses and you then visit your site, Wordfence can see you as coming from the same IP address as the hacker, and you will be blocked because Wordfence sees you both as coming from the same CDN IP address.

    For Wordfence to be able to detect the correct IP address of site visitors, Imperva (Incapsula) uses the X-FORWARDED-FOR HTTP header to pass along the correct IP address – see item #6 in the Site Checklist After The Onboarding section on this page below:

    https://docs.imperva.com/bundle/cloud-application-security/page/onboarding/setup-checklist.htm

    In the “How does Wordfence get IPs” subsection of the “General Wordfence Options” section on the All Options page you will need to set and save the option “Use the X-Forwarded-For HTTP header. Only use if you have a front-end proxy or spoofing may result.”

    You can then find your IP address here (note that this detection is not 100% accurate on cellular phone network connections):

    https://www.whatsmyip.org/

    You should then see your IP address on the line Your IP with this setting.

    If you don’t see your IP address on that line but instead an Imperva (Incapsula) IP address then you will have to add all of Imperva’s (Incapsula) IP address ranges as trusted proxies.

    Click on the link + Edit trusted proxies

    Now you will need to enter all of these Imperva (Incapsula) CIDR IP address ranges shown in the page below:

    https://support.incapsula.com/hc/en-us/articles/200627570-Restricting-direct-access-to-your-website-Incapsula-s-IP-addresses-


    Each IP address range must be manually copied and pasted on a separate line in the Trusted Proxies text area in Wordfence.

    Make sure you copy this list that you have created in the Trusted Proxies text area in case you get accidentally blocked when you press the SAVE CHANGES button, otherwise you will have to go through that lengthy process again.

    Once saved you should then see your IP address on the line Your IP with this setting.
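
The trust rule behind the two settings above (honour X-Forwarded-For only when the connection comes from a listed proxy, otherwise spoofing may result), as an added example that is not part of the original post and is not Wordfence's code. The function name, the right-to-left selection logic and the proxy ranges (RFC 5737 / RFC 3849 documentation addresses) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample ranges (documentation address space), NOT Imperva's real ranges.
TRUSTED_PROXIES = ["192.0.2.0/24", "2001:db8:100::/48"]


def _parse_ip(text):
    """Return an ip_address object, or None if the text is not a valid IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted(ip, networks):
    """True if ip falls inside any trusted proxy range of the same IP version."""
    return any(ip.version == net.version and ip in net for net in networks)


def resolve_client_ip(remote_addr, xff_header, trusted_cidrs=TRUSTED_PROXIES):
    """Pick the visitor IP from the TCP peer address and X-Forwarded-For.

    The header is honoured only when the direct peer is a trusted proxy.
    It is then read right to left, skipping trusted proxies; the first
    untrusted entry is the visitor. Entries further left were supplied by
    the client itself and are ignored.
    """
    networks = [ipaddress.ip_network(cidr) for cidr in trusted_cidrs]
    peer = _parse_ip(remote_addr)
    if peer is None:
        raise ValueError("invalid remote address: %r" % remote_addr)
    # Direct visitor, or a peer we do not trust: the header proves nothing.
    if not xff_header or not _is_trusted(peer, networks):
        return str(peer)
    candidate = peer
    for hop in reversed(xff_header.split(",")):
        ip = _parse_ip(hop)
        if ip is None:
            break  # malformed entry: keep the last address we could verify
        candidate = ip
        if not _is_trusted(ip, networks):
            break  # first address not owned by a trusted proxy: the visitor
    return str(candidate)
```

With an empty `trusted_cidrs` list this function returns the proxy's own address for every visitor, which is the symptom described at the top of the thread.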

    Thread Starter idealynx

    (@idealynx)

    Hi Phil,

    Thanks for your very thorough response. I have never had to make any adjustments in Wordfence in any of my other installs, so it’s weird that it’s happening with this one website. I just checked and Wordfence is now reporting my IP address correctly. I checked General Wordfence Options and this is the option I have selected:

    Let Wordfence use the most secure method to get visitor IP addresses. Prevents spoofing and works with most sites. (Recommended)

    Not sure why it wasn’t working before. You can still see the Imperva (Incapsula) IP addresses for my previous login attempts, but some of those have even switched back to the correct IP address. Weird.

    BTW, I’m using Wordfence 7.4.6 so you may want to run this by your development team to make sure it’s not a bug. Thanks again for your help.

    Plugin Support wfphil

    (@wfphil)

    Hi @idealynx

    Thank you for the update.

    You will need to follow my instructions precisely because it may be necessary to add all of Imperva’s IP address ranges as trusted proxies so that Wordfence always detects IP addresses correctly.

    Thread Starter idealynx

    (@idealynx)

    Phil, I don’t understand the logic behind this. My hosting provider is NOT Imperva, so why is this necessary?

    Plugin Support wfphil

    (@wfphil)

    Hi @idealynx

    If Wordfence is detecting your IP address as 198.143.37.7 then this tells me that this is an Imperva CDN IP address:

    https://whois.domaintools.com/198.143.37.7

    Visits to your site are being seen by Wordfence like this:

    Your IP address >> Imperva CDN >> Your hosting web server >> Wordfence sees the Imperva CDN IP address instead of your IP address.

    Thread Starter idealynx

    (@idealynx)

    I’m not so sure about that. Ever since I upgraded to Wordfence v7.4.7 the problem has gone away and my IP address, which is 70.106.##.###, is now being reported correctly. Coincidence?

    Plugin Support wfphil

    (@wfphil)

    Hi @idealynx

    The latest update would not be involved. I strongly recommend that you run through my previous instructions because if at any point Wordfence detects hackers and normal site visitors as coming from the same Imperva CDN IP address, then when a hacker is blocked everyone else will be blocked too.

    Thread Starter idealynx

    (@idealynx)

    Hi Phil,

    I should have known NOT to second-guess you. You were absolutely right and your instructions were spot on. I discovered that this particular website is indeed being hosted on an Imperva CDN, so thank you for being persistent.

    Thanks to your help, WordFence is now reporting my IP Address correctly.

    Kelly

    Plugin Support wfphil

    (@wfphil)

    Hi @idealynx

    Thank you for the update that it is working now.

    I have followed your instructions but Your IP for this setting is showing 146.66.xxx.xxx which is not my IP address. Have I missed something?

    Plugin Support wfphil

    (@wfphil)

    Hi @claireoliver1967

    The IP address is missing the last two octets. What is the full IP address, please?

  • The topic ‘Login Email Alert-IP Address’ is closed to new replies.