How to prevent Cloudflare from masking logged-in users' IP address on WordPress?

I am using All-in-one WP security plugin on my WordPress website that shows a list of logged-in users along with their IP addresses. So, I copied my IP address from that list to look it up on “”, and found that this IP address belongs to Cloudflare, not my ISP provider.

So, I guess Cloudflare is masking my original IP address.

Now, there’s a hacker who is trying to log into my website. Every time he enters an incorrect password, I receive a notification from All-in-one security - that “someone has tried to log into my website and failed”.

But I can’t block that hacker by his IP address, because Cloudflare is masking his original IP address too.

So, how to turn off this feature of Cloudflare, so that I can see the hacker’s original IP address and block it?

Due to the nature of a reverse proxy, you need to get their IP from a request header, not remote_addr. CF isn’t hiding their IP.
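
Added example, not part of the original answer and not code from Cloudflare or the All-in-One WP Security plugin: a PHP sketch of reading the visitor address from the `CF-Connecting-IP` request header, accepted only when `REMOTE_ADDR` is itself a Cloudflare edge address. The function names are hypothetical, the CIDR list is a small sample of Cloudflare's published ranges (the full list is at https://www.cloudflare.com/ips/), and the two requests are constructed.

```php
<?php
// Sample subset of Cloudflare's published edge ranges (assumption: a real
// deployment loads the full, current list from https://www.cloudflare.com/ips/).
const TRUSTED_PROXY_CIDRS = ['173.245.48.0/20', '103.21.244.0/22', '2400:cb00::/32'];

// Hypothetical helper: true when $ip lies inside $cidr (IPv4 or IPv6).
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // invalid address, or IPv4 compared against IPv6
    }
    $bits      = (int) $bits;
    $fullBytes = intdiv($bits, 8);
    // Compare the whole bytes covered by the prefix first.
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    // Then compare the remaining high bits of the next byte.
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

// Hypothetical helper: pick the address to log and to apply block rules to.
function resolve_client_ip(array $server): string
{
    $peer   = $server['REMOTE_ADDR'] ?? '';
    $header = $server['HTTP_CF_CONNECTING_IP'] ?? '';
    foreach (TRUSTED_PROXY_CIDRS as $cidr) {
        // Trust the header only when the TCP peer is a known proxy address.
        if (ip_in_cidr($peer, $cidr) && filter_var($header, FILTER_VALIDATE_IP)) {
            return $header;
        }
    }
    return $peer; // direct connection: the header is client-controlled, ignore it
}

// Constructed requests: one arriving through the proxy, one sent straight to the origin.
$viaProxy = ['REMOTE_ADDR' => '173.245.48.10', 'HTTP_CF_CONNECTING_IP' => '203.0.113.7'];
$direct   = ['REMOTE_ADDR' => '198.51.100.9',  'HTTP_CF_CONNECTING_IP' => '203.0.113.7'];
echo resolve_client_ip($viaProxy), PHP_EOL;
echo resolve_client_ip($direct), PHP_EOL;
```

The second request keeps its `REMOTE_ADDR` because a header sent directly to the origin can contain any value, so block rules keyed on it would be unreliable.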

