I think I'm being attacked by Cloudflare IP addresses...?


#1

I just set up Cloudflare for my site a few days ago. Today, I’ve had several complex and hundreds of brute force attacks on my site. Wordfence keeps blocking the IP addresses or I am doing it manually. I looked them up on Whois and they are all Cloudflare IP addresses. Every time one gets blocked, a new IP address pops up trying to hack my site. I’m a little confused by this. If Wordfence blocks all these IP addresses from Cloudflare, will it still work on my site properly? Is it just coincidental that the attacks are coming from Cloudflare IPs?


#2

Not a coincidence:


#3

@sdaysman That makes sense. Thank you for sharing this with me!


#5

In Wordfence, go to All Options, scroll down to “How does Wordfence get IPs” and select "Use the Cloudflare “CF-Connecting-IP” HTTP header to get a visitor IP. Only use if you’re using Cloudflare."


#6

@Withheld when I saved that setting, I got this notification: "Your ‘How does Wordfence get IPs’ setting is misconfigured. This site is currently using the Cloudflare “CF-Connecting-IP” HTTP header, which should only be used when the site is behind Cloudflare. This site appears to be behind a front-end proxy, so using the X-Real-IP HTTP header will resolve to the correct IPs."


#7

Just under the Cloudflare option, there is “Detected IP(s)”. Do either the Cloudflare or Default options show your current IP?


#8

Yes, both options show a detected IP address but it’s two different IPs.


#9

Go to https://www.bing.com/search?q=what's+my+ip to determine your actual IP.
Then go back to Wordfence and check “Detected IP(s)” again to see which option resolves your IP properly.


#10

My IP matches the “Use the Cloudflare “CF-Connecting-IP” HTTP header to get a visitor IP. Only use if you’re using Cloudflare.” detected IP(s).


#11

That’s what it should be, and moving forward, you should see the proper visitor IPs in those logs.


#12

Does it matter that I’m getting the notification that my site appears to be behind a front-end proxy?


#13

Cloudflare is a proxy. Be sure to follow the guide posted by @sdayman if you encounter the same problem with AWStats or Webalizer.


#14

Okay, great. Thank you for your time and help! I truly appreciate it!
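
The fix discussed in this thread, reading the visitor address from the CF-Connecting-IP header, as an added example that is not part of the original thread and not Wordfence's code: the header is honoured only when the connecting peer is the proxy, so failed logins are counted per real visitor instead of per proxy address. The proxy range and the sample requests are constructed placeholders, and `visitor_ip` and `failed_logins_by_visitor` are hypothetical names.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for the proxy's published ranges (RFC 5737 documentation
# space); a real deployment loads the current list the proxy provider publishes.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def visitor_ip(peer_ip, headers):
    """Return the address to log and block for one request.

    CF-Connecting-IP is honoured only when the TCP peer is a trusted proxy;
    a direct client can set any header, so its value is ignored otherwise.
    """
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in TRUSTED_PROXY_NETS):
        claimed = headers.get("CF-Connecting-IP", "").strip()
        try:
            return str(ipaddress.ip_address(claimed))
        except ValueError:
            pass  # header missing or malformed: fall back to the peer
    return str(peer)


def failed_logins_by_visitor(requests):
    """Count failed logins per resolved visitor address."""
    return Counter(visitor_ip(r["peer"], r["headers"])
                   for r in requests if r["failed_login"])


# Constructed sample requests as the origin server would see them.
SAMPLE = [
    {"peer": "198.51.100.7", "headers": {"CF-Connecting-IP": "203.0.113.50"}, "failed_login": True},
    {"peer": "198.51.100.9", "headers": {"CF-Connecting-IP": "203.0.113.50"}, "failed_login": True},
    {"peer": "198.51.100.7", "headers": {"CF-Connecting-IP": "192.0.2.10"}, "failed_login": False},
    # Direct hit on the origin with a forged header: the peer address is used.
    {"peer": "192.0.2.200", "headers": {"CF-Connecting-IP": "203.0.113.99"}, "failed_login": True},
    {"peer": "198.51.100.8", "headers": {"CF-Connecting-IP": "not-an-ip"}, "failed_login": True},
]

if __name__ == "__main__":
    for ip, n in failed_logins_by_visitor(SAMPLE).most_common():
        print(ip, n)
```

In the sample, the two failed logins that arrive through different proxy addresses resolve to the same visitor, which is the address a block rule should target.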