Correct way to protect agains brute force with WordPress loginizer on a shared server


I am planning to switch to Cloudflare for my WP website, I am using Wordfence for security and Loginizer plugin against brute forces. By default as the method against brute force, “REMOTE_ADDR” is chosen but I guess this will not work with CloudFlare, There are 3 other options:

I dont want to rely on x forwarded for since it can be easily spoofed and not sure how HTTP_CLIENT_IP works. So my question is, with Cloudflare shall I choose HTTP_CLIENT_IP or I shall choose custom and type “CF-Connecting-IP” there?

In relation to that, If I integrate my cloudflare to Cpanel, is it same as installing mod_cloudflare? I use a shared hosting, so i cannot actually install it. If it is, then will I be able to see real IPs before they reach to WP instance?

Finally, I am also using W3 total cache and I am planning to use its Cloudflare extension rather than installing Cloudflare WP plugin. Is it going to change anything in regards to IPs of clients?



The question is why you even need to protect against brute-force login against WP. Anyway for your purpose, you can use CF-Connecting-IP header to access the client real IP address.

Cache plugins don’t change client IPs or CF headers.

1 Like

Yes. Cloudflare send visitor IP’s using the CF-Connecting-IP header, so be sure to select
“Use the Cloudflare “CF-Connecting-IP” HTTP header to get a visitor IP. Only use if you’re using Cloudflare.” in WordFence.

1 Like

@ggunay, something you didn’t mention and sets Cloudflare apart from other services is the Firewall options. You can restrict access to WP Dashboard by IP, AS, Country etc. and other servies such as Access.


Because currently I am not using cloudflare and this is the only protection. Plus, I want to keep it for some time even after integrating with Cloudflare until ensuring that Cloudflare actually blocks everything properly.
What about integration with cPanel? Does it change it?


Integrate what with cPanel?

WP websites mostly get hacked by vulnerability in their plugins (specially when they are not updated). Breaking a good password by brute-force even without any protection needs decades theoretically. If the rate of requests are high CF will protect you. Also you can learn more about your enemies by analyzing logs periodically.

1 Like

In my cPanel there is an option for Cloudflare, probably an add-on installed by the server admin. that one.
the WP instances is hosted on top of the same server (via softlaculous)


If you install that you don’t need CF-Connecting-IP anymore. It is up to you.


Ok so you mean if I activate it right? right now it is inactive (e.g. I havent logged in with my CF account) but IS installed.


Yes, when it is activated you get client IP as used to get before using CF.

1 Like
closed #12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.