Syncly.it
Forum Replies Created
Hi Phil (@wfphil),
> You will need to set the Wordfence setting Use the X-Forwarded-For HTTP header.
The code actually splits the HTTP_X_FORWARDED_FOR header and puts its first value into REMOTE_ADDR, are you sure that with this code I should set to use HTTP_X_FORWARDED_FOR?
Also if I read it right, I should set X-REAL-IP as you suggested, is this option safe from spoofing considering my hosting and Varnish?
Additional Cloudways comment:
“I’d like to inform you that there is no issue from varnish configuration’s end and the local IP should be appear due to REMOTE_ADDR header and if you are using any plugin or any application then you can change the header value from REMOTE_ADDR to HTTP_X_FORWARDED_FOR or HTTP_X_REAL_IP and you are able to see the real IP accordingly.“
Hi @wfphil,
This is their answer, I don’t know if this is something “normal” or if they should just configure the Varnish differently. I start wondering on their reliability as hosting service, probably a good moment to get some more feedback about them:
“We would like to inform you that the following in the access logs are being shown because of the reverse proxy. You can easily fix that by adding this real IP code in the wp-config.php file of your application. Following is the code:”
```php
# Use X-Forwarded-For HTTP Header to Get Visitor's Real IP Address
if ( isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
    $http_x_headers = explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] );
    $_SERVER['REMOTE_ADDR'] = $http_x_headers[0];
}
```
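Added example, not part of the original posts and not Cloudways' or Wordfence's code: the snippet quoted above copies the left-most X-Forwarded-For entry into REMOTE_ADDR, and that entry is whatever the client sent. This variant reads the header only when the connection comes from a listed proxy and takes the right-most entry that is not one of those proxies; the function name, the proxy list and the sample addresses are assumptions, as is a proxy that appends the connecting address to the header.

```php
<?php
// Added example. ASSUMPTION: these are the only proxies in front of PHP
// (constructed list; replace with the addresses of your own Varnish/nginx).
$trusted_proxies = array( '127.0.0.1', '::1' );

/**
 * Return the right-most X-Forwarded-For entry that is not one of our own
 * proxies, or $remote_addr when the header cannot be trusted.
 * Addresses are compared as strings, so list proxies in the exact form
 * the web server reports them.
 */
function example_resolve_client_ip( $remote_addr, $xff, array $trusted ) {
    // A request that did not arrive through our proxy can carry any header.
    if ( ! in_array( $remote_addr, $trusted, true ) || null === $xff || '' === $xff ) {
        return $remote_addr;
    }
    // Walk from the entry our proxy appended back toward the client-supplied ones.
    $hops = array_reverse( array_map( 'trim', explode( ',', $xff ) ) );
    foreach ( $hops as $hop ) {
        if ( false === filter_var( $hop, FILTER_VALIDATE_IP ) ) {
            return $remote_addr; // malformed entry: fall back
        }
        if ( ! in_array( $hop, $trusted, true ) ) {
            return $hop; // first address, from the right, that we do not operate
        }
    }
    return $remote_addr; // every hop was one of our proxies
}

// In wp-config.php (skipped on the command line, where REMOTE_ADDR is unset).
if ( isset( $_SERVER['REMOTE_ADDR'] ) ) {
    $_SERVER['REMOTE_ADDR'] = example_resolve_client_ip(
        $_SERVER['REMOTE_ADDR'],
        isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : null,
        $trusted_proxies
    );
}

// Constructed demo: the client sent a forged first entry and the proxy
// appended the address it actually saw.
$forged_header = '203.0.113.7, 198.51.100.23';
echo 'page snippet picks: ', explode( ',', $forged_header )[0], "\n";
echo 'this check picks:   ',
    example_resolve_client_ip( '127.0.0.1', $forged_header, $trusted_proxies ), "\n";
// Same header on a direct connection that bypassed the proxy.
echo 'direct connection:  ',
    example_resolve_client_ip( '192.0.2.50', $forged_header, $trusted_proxies ), "\n";
```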
Hi @wfphil,
They have Varnish enabled I think by default and I also have .htaccess rewrites on SSL websites. What surprises me is that all the hack/exploit attempts were not detected, coincidence? Or do they know a way to “exploit” the detection of their IP?
Like in what cases varnish fails in detecting the IP? Is there something that I should do to keep sleeping well and not worry about this?
Hello @wfphil,
I’m sending the emails right now from both the affected domains, here is a capture of the hack attempt for public view instead:
Hi,
Do you have any update about this feature?
Hello @wfgerald,
Sure thank you! It is reasonable to consider a higher threat someone that actually knows the real username rather than someone trying random/common or usernames stolen from other websites. So while I do not care if someone tries to login as admin or test or similar stuff I’d be more concerned if they try to login with my username as it means they have stolen it somehow/somewhere.
**update**: I’ve checked the e-mail functionality as described here:
The e-mails are correctly being sent out. Wordfence just can’t recognize admin logins from non standard /wp-admin/ URL it seems, I wonder if this bug extends to XMLRPC as well.
Here is the relevant setting that is turned on:
Hi Gerroald,
I thought the same but some users were really never exposed in the frontend, users never used to post, created for just debug purposes and tests. I have already excluded common iterations such as that author, the Yoast sitemap, and REST API (done by WF) the source code and page headers have no user names exposed.
Unless WP has put some new flaw or leak I have really no idea of what other methods there could be. I’m adding 2FA starting from involved websites and in this group to users of e-commerce with “Store Manager” rights. I’m pretty sure that some customers would complain to make their life more complicated, it is hard to explain that sometimes security has a price.
Forum: Plugins
In reply to: [UpdraftPlus: WP Backup & Migration Plugin] Discrepancy in server times
Please see if this is what you need:
Forum: Plugins
In reply to: [UpdraftPlus: WP Backup & Migration Plugin] Discrepancy in server times
Hi Harshad,
In the plug-in settings I do not see any reference to time zones, what portion of it is of your interest?
Forum: Plugins
In reply to: [UpdraftPlus: WP Backup & Migration Plugin] Discrepancy in server times
Hi Harshad,
This is the WP settings: https://share.creoweb.it/7491396e.jpg
This is after a manual DB backup that I just run: https://share.creoweb.it/6ce8ec73.jpg
Forum: Plugins
In reply to: [UpdraftPlus: WP Backup & Migration Plugin] Discrepancy in server times
Hi Harshad,
I had just run the backup at that moment, I’m confused but from your answer I get they show the same thing?
> The Ora attuale: displays the time of last successful backup when it was completed
> date/time under Database/Files displays the recent backup that was completed
Since I had just run the backup, why don’t they match? Also how is it possible that it shows 1 hour behind as current time and still works?
cool, ty