• Within the last few days, every 404 “event” in the security log is associated with the IP address of the host server (HostGator), not the original site visitor. In the raw site log, there is a GET line showing the 404 code with the original visitor. A second later there is an entry like “POST /wp-cron.php?doing_wp_cron=1551971031.2941958904266357421875” associated with the host IP.

    This situation renders iThemes useless for identifying suspicious IP addresses.

    I am running WordPress 5.1 with SSL and no other recent changes I can think of with respect to plugins or settings.

    Is there a fix or suggestion?

Viewing 7 replies - 1 through 7 (of 7 total)
  • I am also getting this, I have only had iThemes on for 2 days now so did not know it was a recent event until I read this post. I thought I was just reading the logs incorrectly or had something set up wrong.

    The 404 errors are coming from the IP address that resolves to my site (I am hosted on Bluehost); the odd thing about them is that most seem to be very specific to my site of last year, while I was with another hosting company and had not started using WordPress/WooCommerce at all. Example: /gamerules.php is not a page most sites would have, so these do not appear to be common or high-value-target URLs.

    I would also appreciate any thoughts on this issue.

    Thread Starter paulriedesel

    (@paulriedesel)

    This can only be a problem with iThemes, and it is definitely not a “feature.” The current version is 7.3.1 and mine was updated about two weeks ago.

    I’m seeing the same thing as the OP, also hosted on hostgator. It started about 2 weeks ago and I’m now running 7.3.2 but getting the same issue. Running WP 4.9.10 with SSL.

    If I show the raw details, in the top header it shows my hosting address in

    id => 220128
    module => four_oh_four
    type => notice
    code => found_404
    timestamp => 2019-03-21 10:09:09
    init_timestamp => 2019-03-21 10:09:08
    remote_ip => myhostgatoraddress

    But below it has

    HTTP_X_FORWARDED_FOR => myhostgatoraddress

    and then

    REMOTE_ADDR => 66.249.75.155

    So I’m completely guessing here, but is it something to do with an original https://something request being redirected locally to HTTPS::something and then getting a 404, but iThemes Security is recording the IP address of the redirector (i.e. hostgator) rather than the original source IP address?

    For what it’s worth I am using Really Simple SSL to manage SSL and “Redirection” to manage redirection. I recall updating both of those recently, but can’t remember exactly when.

    Ignore my speculation about HTTP/HTTPS above. I just tested it with both, and they both report the hostgator address. And both report the REMOTE_ADDR as being correctly the IP address of the sending system. So I think it must be a bug introduced a couple of weeks ago that hasn’t been corrected in 7.3.2.
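The raw details quoted above show the logged remote_ip matching HTTP_X_FORWARDED_FOR while REMOTE_ADDR holds the visitor. As an added example (not part of the thread and not iThemes Security's code), this PHP function resolves the address to log from REMOTE_ADDR first and consults the forwarding header only when the peer is an explicitly trusted proxy. The function name, the trusted-proxy list and 192.0.2.10 (standing in for the redacted hosting address) are assumptions.

```php
<?php
// Added example, not iThemes Security code. All names here are hypothetical.

/**
 * Return the client IP to log. The forwarding header is honoured only when
 * the direct peer (REMOTE_ADDR) is a proxy we explicitly trust.
 */
function resolve_client_ip(array $server, array $trusted_proxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0'; // no usable peer address
    }
    // Peer is not one of our proxies: any X-Forwarded-For is untrusted input.
    if (!in_array($peer, $trusted_proxies, true)) {
        return $peer;
    }
    // Walk the chain right to left; the first hop that is not one of our
    // proxies is the address that actually connected to our edge.
    $chain = explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? '');
    foreach (array_reverse(array_map('trim', $chain)) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed or empty header: fall back to the peer
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop;
        }
    }
    return $peer;
}

// Constructed sample shaped like the raw details in the post above;
// 192.0.2.10 stands in for the redacted hosting address.
$request = [
    'HTTP_X_FORWARDED_FOR' => '192.0.2.10',
    'REMOTE_ADDR'          => '66.249.75.155',
];

// Header-first lookup: records the hosting address, as the security log did.
$header_first = $request['HTTP_X_FORWARDED_FOR'] ?? $request['REMOTE_ADDR'];
// Peer-first lookup with no trusted proxies configured: records the visitor.
$peer_first = resolve_client_ip($request, []);
printf("header-first: %s\npeer-first:   %s\n", $header_first, $peer_first);

// Constructed reverse-proxy case: the peer is the trusted proxy, so the
// rightmost hop that is not a trusted proxy is the address to log.
$proxied = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 198.51.100.4'];
printf("behind proxy: %s\n", resolve_client_ip($proxied, ['192.0.2.10']));
```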

    Thread Starter paulriedesel

    (@paulriedesel)

    My solution was to deactivate iThemes and begin using All-In-One WP Security. It does pretty much the same things and I found the interface far nicer. And the 404 reports are accurate.

    I have been testing for hours because I am seeing those same IP addresses in my log files; however, the IPs are being shown wrong for other plugins, not just iThemes. “Redirection” and “IP by Country” also show the hosting IP, in my case Hostgator as well.

    I have seen that around 02/21/19 Hostgator upgraded from EasyApache3 to EasyApache4, which is the timeframe this seemed to start for me.

    Hostgator support Answers

    “This is something that should warrant the publisher/author of the plugin to provide an updated version of the plugin.
    We did update to a newer version of Apache to stay up to date with security for our servers. This is not just a factor on this particular plugin. I have read several security plugins are also having similar issues.

    Unfortunately, we do not have a permanent fix for this issue.
    Now that the publisher is well aware of the conflict dealing with their plugin, they will push out an updated version soon”

  • The topic ‘Wrong IP addresses in Security Log’ is closed to new replies.