Got the same problem here, since my WP install is behind a Varnish caching proxy which sends $_SERVER[‘HTTP_X_FORWARDED_FOR’].
The script logs the $_SERVER[‘REMOTE_ADDR’] in the wp_lockdowns table. In my setup only the IP 127.0.0.1 was registered – no matter who accessed (or tried to hack) the site. Needless to say, that at times I got locked out because of some failed access attempts by others. Frustrating.
Found the solution here:
https://www.chriswiegman.com/2014/05/getting-correct-ip-address-php/
I basically added the function get_ip() (from above link) to the script login-lockdown.php (in the plugin directory). Then, I replaced 4 occurences of the line: “$ip = $_SERVER[‘REMOTE_ADDR’]” with the following:
$ip = get_ip(); // $_SERVER[‘REMOTE_ADDR’]
This now records the correct IP address in the wp_lockdowns table.
