
WordPress Behind Cloudflare: How to Correctly Detect Visitor IP Addresses

Learn how to correctly detect real visitor IP addresses when your WordPress site is behind Cloudflare. Fix security plugin and analytics accuracy issues.

Amanda Foster

When your WordPress site is behind Cloudflare, your server sees Cloudflare's IP addresses instead of your actual visitors' IPs. This breaks IP-based security features like login limiting, country blocking, and IP blacklisting. Configuring correct IP detection is essential for security to work properly.

This guide explains why IP detection breaks behind Cloudflare and how to fix it while maintaining security against spoofing attacks.

Understanding the IP Detection Problem

Normally when a visitor accesses your site, your server's REMOTE_ADDR variable contains their IP address. With Cloudflare in the path, the connection to your server comes from Cloudflare, so REMOTE_ADDR shows a Cloudflare IP address.

Cloudflare passes the original visitor IP in HTTP headers, specifically CF-Connecting-IP. Your WordPress site needs to read this header to get the real IP. However, blindly trusting this header creates a security vulnerability where attackers could spoof the header to bypass IP-based security.

The Header Spoofing Risk

If your site trusts the CF-Connecting-IP header without verification, attackers can send requests directly to your origin server with a fake header. They could set CF-Connecting-IP to a whitelisted IP and bypass your blacklist. They could pretend to be from a different country to bypass country blocking. They could evade rate limiting by rotating the header value.

The solution is to only trust the header when requests actually come from Cloudflare IP ranges, and reject or ignore the header from direct connections.
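As an added example (not WP Folder Shield's code), here is that rule in PHP: the connection peer (REMOTE_ADDR) is checked against the Cloudflare CIDR list first, and CF-Connecting-IP is read only when that check passes. The range list here is a constructed stand-in using documentation prefixes; a real deployment loads Cloudflare's published list. The function and constant names are my own.

```php
<?php
// Added example (not WP Folder Shield's code): decide which address to treat as
// the visitor, trusting CF-Connecting-IP only when the TCP peer is a Cloudflare edge.

// Constructed list for the demo. Production code must load the current published
// list from cloudflare.com/ips; a hard-coded copy silently goes stale.
const DEMO_CLOUDFLARE_RANGES = [
    '203.0.113.0/24',    // RFC 5737 documentation range standing in for a Cloudflare IPv4 block
    '2001:db8:cf::/48',  // RFC 3849 documentation prefix standing in for a Cloudflare IPv6 block
];

/**
 * True when $ip falls inside $cidr. Works for IPv4 and IPv6 by comparing the
 * packed binary forms; an IPv4 address never matches an IPv6 prefix.
 */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($subnet);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;
    }
    $maxBits = strlen($ipBin) * 8;
    $bits = ($bits === null) ? $maxBits : (int) $bits;
    if ($bits < 0 || $bits > $maxBits) {
        return false;
    }
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $remaining = $bits % 8;
    if ($remaining === 0) {
        return true;
    }
    // Compare only the leading $remaining bits of the first partial byte.
    $mask = (0xFF << (8 - $remaining)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

function ip_in_ranges(string $ip, array $ranges): bool
{
    foreach ($ranges as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Resolve the visitor IP from REMOTE_ADDR and the raw CF-Connecting-IP value
 * (null when the header is absent). Returns the chosen address, where it came
 * from, and whether a header arrived on a connection that did not come from Cloudflare.
 */
function resolve_visitor_ip(string $remoteAddr, ?string $cfConnectingIp, array $cloudflareRanges): array
{
    $headerIp = ($cfConnectingIp !== null) ? trim($cfConnectingIp) : null;
    $validHeaderIp = $headerIp !== null && filter_var($headerIp, FILTER_VALIDATE_IP) !== false;

    if (ip_in_ranges($remoteAddr, $cloudflareRanges)) {
        if ($validHeaderIp) {
            return ['ip' => $headerIp, 'source' => 'cf-connecting-ip', 'spoof_attempt' => false];
        }
        // Cloudflare always sets the header; a Cloudflare peer without it is a
        // misconfiguration, so report the peer rather than guessing.
        return ['ip' => $remoteAddr, 'source' => 'remote-addr', 'spoof_attempt' => false];
    }

    // Direct-to-origin connection: the header is untrusted input. Ignore it and
    // flag its presence so the security log can record the attempt.
    return ['ip' => $remoteAddr, 'source' => 'remote-addr', 'spoof_attempt' => $headerIp !== null];
}

// In WordPress, PHP exposes the header as $_SERVER['HTTP_CF_CONNECTING_IP']:
// $info = resolve_visitor_ip($_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_CF_CONNECTING_IP'] ?? null, DEMO_CLOUDFLARE_RANGES);
```

Three outcomes are possible: a Cloudflare peer with a valid header yields the header address; a Cloudflare peer without one yields REMOTE_ADDR; any other peer yields REMOTE_ADDR regardless of what the header says, with `spoof_attempt` set so the event can be logged. The range list passed in is the only thing that decides trust, which is why keeping it current matters.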

How WP Folder Shield Handles IP Detection

WP Folder Shield implements secure Cloudflare IP detection. When Cloudflare mode is enabled, the plugin verifies that incoming requests originate from Cloudflare's published IP ranges before trusting the CF-Connecting-IP header. Requests from non-Cloudflare IPs fall back to standard REMOTE_ADDR detection.

The plugin updates the Cloudflare IP ranges daily, so newly added Cloudflare IPs are trusted and retired ones are dropped. This maintenance needs no manual intervention.

Cloudflare IP Ranges

Cloudflare publishes its IP ranges at cloudflare.com/ips; the list includes both IPv4 and IPv6 ranges. These ranges change periodically as Cloudflare expands its network, so any IP detection solution must keep them current.

WP Folder Shield checks for IP range updates daily and caches the results. If Cloudflare's IP list is unavailable, the plugin falls back to a known-good cached list rather than failing open or closed.
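The refresh-and-fallback behaviour described here, written as an added example against the WordPress HTTP, transient and cron APIs (this is not the plugin's own code). It assumes Cloudflare serves plain-text lists, one CIDR per line, at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6; the option, transient and hook names prefixed `demo_` are placeholders.

```php
<?php
// Added example (not WP Folder Shield's code): refresh the Cloudflare IP range
// list daily and fall back to the last list that was fetched successfully.
// Assumption: Cloudflare serves plain-text lists, one CIDR per line, at the two
// URLs below; names prefixed demo_ are placeholders.

const CF_IP_LIST_URLS = [
    'https://www.cloudflare.com/ips-v4',
    'https://www.cloudflare.com/ips-v6',
];
const CF_RANGES_TRANSIENT = 'demo_cf_ranges';           // short-lived cache, expires after a day
const CF_RANGES_LAST_GOOD = 'demo_cf_ranges_last_good'; // persistent option, only overwritten by a good fetch

/** Turn a plain-text list into validated "address/prefix" strings; anything else is dropped. */
function parse_cidr_list(string $body): array
{
    $ranges = [];
    foreach (preg_split('/\R/', $body) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        [$subnet, $bits] = array_pad(explode('/', $line, 2), 2, null);
        if ($bits === null || !ctype_digit($bits) || filter_var($subnet, FILTER_VALIDATE_IP) === false) {
            continue;
        }
        $ranges[] = $line;
    }
    return $ranges;
}

/**
 * Fetch both lists. Returns null if either fetch fails or parses to nothing, so a
 * partial or empty list (which would trust no Cloudflare edge at all) is never stored.
 */
function fetch_cloudflare_ranges(): ?array
{
    $all = [];
    foreach (CF_IP_LIST_URLS as $url) {
        $response = wp_remote_get($url, ['timeout' => 10]);
        if (is_wp_error($response) || wp_remote_retrieve_response_code($response) !== 200) {
            return null;
        }
        $ranges = parse_cidr_list(wp_remote_retrieve_body($response));
        if ($ranges === []) {
            return null;
        }
        $all = array_merge($all, $ranges);
    }
    return $all;
}

/** Force a fetch and, on success, update both the daily cache and the last-known-good copy. */
function refresh_cloudflare_ranges(): ?array
{
    $fresh = fetch_cloudflare_ranges();
    if ($fresh !== null) {
        set_transient(CF_RANGES_TRANSIENT, $fresh, DAY_IN_SECONDS);
        update_option(CF_RANGES_LAST_GOOD, $fresh, false);
    }
    return $fresh;
}

/**
 * The list to validate peers against: daily cache, else a fresh fetch, else the
 * last-known-good copy. An empty array means no peer is treated as Cloudflare,
 * so callers fall back to REMOTE_ADDR rather than trusting a header blindly.
 */
function cloudflare_ranges(): array
{
    $cached = get_transient(CF_RANGES_TRANSIENT);
    if (is_array($cached) && $cached !== []) {
        return $cached;
    }
    $fresh = refresh_cloudflare_ranges();
    if ($fresh !== null) {
        return $fresh;
    }
    $lastGood = get_option(CF_RANGES_LAST_GOOD, []);
    return is_array($lastGood) ? $lastGood : [];
}

// Refresh once a day through WP-Cron so the cache rarely has to be rebuilt on a live request.
add_action('demo_cf_refresh_ranges', 'refresh_cloudflare_ranges');
if (!wp_next_scheduled('demo_cf_refresh_ranges')) {
    wp_schedule_event(time(), 'daily', 'demo_cf_refresh_ranges');
}
```

The two storage locations are deliberate: the transient expires so a stale list is retried daily, while the last-known-good option never expires and is only replaced by a complete, successfully parsed fetch. A failed fetch therefore leaves the previous valid list in force instead of an empty one.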

Server-Level vs Plugin-Level Detection

IP detection can be handled at the server level with Apache or Nginx modules or at the plugin level within WordPress. Both approaches have tradeoffs.

Server-level detection with mod_cloudflare or ngx_http_realip_module handles IP rewriting before WordPress loads, ensuring all WordPress code sees correct IPs. However, this requires server access and configuration, may not validate Cloudflare IP ranges, and needs manual updates when ranges change.

Plugin-level detection with WP Folder Shield requires no server configuration and can validate Cloudflare IPs with automatic range updates. However, it only affects WordPress itself; code that runs before WordPress loads still sees Cloudflare IPs.

For most WordPress users, plugin-level detection is simpler and more maintainable while providing proper security through IP range validation.

Testing IP Detection

After configuring Cloudflare mode, verify that IP detection works correctly. View your security logs and confirm that blocked IPs are real visitor IPs rather than Cloudflare addresses. Check your analytics to ensure visitor locations look correct. Add your own IP to the blacklist and confirm that you are actually blocked. Confirm that rate limiting triggers based on your real IP.

WP Folder Shield includes diagnostic tools that show what IP the plugin detects and how it determined that IP.

Handling Direct-to-Origin Requests

Even with Cloudflare, some requests may reach your origin directly. These could be legitimate, such as health checks from your hosting provider, or malicious, such as attackers who have discovered your origin IP. Configure your server firewall to accept web traffic only from Cloudflare IPs, allow the specific non-Cloudflare IPs that legitimately need access, and monitor logs for direct access attempts.

WP Folder Shield can warn you when it detects requests that bypass Cloudflare, helping identify potential security issues or configuration problems.

Multiple CDN and Proxy Scenarios

Some configurations involve multiple proxies such as Cloudflare plus a load balancer or Cloudflare plus another CDN. In these cases, IP detection becomes more complex because multiple headers may contain IP information.

WP Folder Shield supports configuring trusted proxy headers in priority order, allowing correct IP detection even in complex proxy scenarios.
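An added example (not the plugin's implementation) of one way to express "trusted proxy headers in priority order": each proxy tier is verified against its expected address range before its header is read, innermost first, so a request that skips a tier never gets that tier's header believed. The addresses are constructed documentation-range values, the range check is IPv4-only for brevity (production code also needs IPv6), and the function names are my own. Arrow functions need PHP 7.4 or later.

```php
<?php
// Added example (not WP Folder Shield's code): resolve the visitor IP when several
// proxies sit in front of the origin, e.g. Cloudflare -> load balancer -> WordPress.
// Each tier is verified before its header is trusted, innermost first.

// Constructed IPv4-only range check for the demo; production code also needs IPv6.
function ipv4_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $a = ip2long($ip);
    $n = ip2long($net);
    if ($a === false || $n === false) {
        return false;
    }
    $mask = ((int) $bits === 0) ? 0 : ((-1 << (32 - (int) $bits)) & 0xFFFFFFFF);
    return ($a & $mask) === ($n & $mask);
}

/**
 * $layers lists the proxy tiers from the origin outwards. Each entry has
 *   'trusted' => callable(string $ip): bool   addresses that tier may use
 *   'header'  => name of the header that tier sets with the address it saw
 * Walk: REMOTE_ADDR must belong to tier 0; tier 0's header then names the peer
 * that connected to it, which must belong to tier 1; and so on. The address
 * reported by the outermost verified tier is the visitor. Any mismatch stops
 * the walk and the first unverified address is returned as the visitor, so a
 * connection that bypasses a tier never gets the outer tiers' headers believed.
 */
function resolve_visitor_ip_layered(string $remoteAddr, array $headers, array $layers): array
{
    $peer = $remoteAddr;
    $verified = 0;
    foreach ($layers as $layer) {
        if (!$layer['trusted']($peer)) {
            break; // $peer is not the expected proxy tier: it is the visitor (or someone skipping a tier)
        }
        $name  = strtolower($layer['header']);
        $value = $headers[$name] ?? null;
        if ($value === null) {
            break; // a trusted proxy omitted its header: misconfiguration, do not guess
        }
        if ($name === 'x-forwarded-for') {
            // Proxies append to the right, so the rightmost entry is the one this tier saw.
            $parts = explode(',', $value);
            $value = end($parts);
        }
        $value = trim($value);
        if (filter_var($value, FILTER_VALIDATE_IP) === false) {
            break; // malformed address from a trusted proxy
        }
        $peer = $value;
        $verified++;
    }
    return ['ip' => $peer, 'verified_layers' => $verified, 'complete' => $verified === count($layers)];
}

// Constructed deployment: a load balancer at 203.0.113.10 sets X-Forwarded-For,
// and Cloudflare (standing in as 198.51.100.0/24) sets CF-Connecting-IP.
$layers = [
    ['trusted' => fn(string $ip) => $ip === '203.0.113.10',               'header' => 'X-Forwarded-For'],
    ['trusted' => fn(string $ip) => ipv4_in_cidr($ip, '198.51.100.0/24'), 'header' => 'CF-Connecting-IP'],
];

// Case 1: a normal visitor (192.0.2.44) arrives via Cloudflare edge 198.51.100.7 and the load balancer.
$normal = resolve_visitor_ip_layered('203.0.113.10', [
    'x-forwarded-for'  => '192.0.2.44, 198.51.100.7',
    'cf-connecting-ip' => '192.0.2.44',
], $layers);

// Case 2: 192.0.2.99 reaches the load balancer directly, skipping Cloudflare, with both
// headers pre-filled. The load balancer appends the real peer to X-Forwarded-For; that
// peer is not a Cloudflare address, so the walk stops there and CF-Connecting-IP is ignored.
$bypass = resolve_visitor_ip_layered('203.0.113.10', [
    'x-forwarded-for'  => '10.0.0.1, 198.51.100.7, 192.0.2.99',
    'cf-connecting-ip' => '10.0.0.1',
], $layers);
```

In the first case both tiers verify and the result is 192.0.2.44 with `complete` true. In the second the walk verifies only the load balancer tier and returns 192.0.2.99 with `complete` false, which is exactly the signal a plugin can use to log a request that bypassed Cloudflare. The priority order is encoded by the tier order, and a header is never consulted until the hop that should have set it has been verified.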

Conclusion

Correct IP detection is fundamental to WordPress security when using Cloudflare. Without it, all your IP-based security features are effectively broken. However, simply trusting proxy headers without validation creates spoofing vulnerabilities.

WP Folder Shield solves this with secure Cloudflare integration that validates requests actually come from Cloudflare before trusting their headers. With automatic IP range updates and support for complex proxy scenarios, you get reliable IP detection without security compromises.

Written by Amanda Foster

WP Folder Shield Team
