WAF rule bypassed

I set up a WAF rule for a domain “guidecomo.it” like fallows : if (ip.geoip.country ne “IT” and http.request.full_uri eq (https://guidecomo.it/wp-login.php)) the block; that should block the login path to any IP not originating from Italy.
Actually, this rule works fine with the exception of someone using Cloudflare’s AS13335 IPs, such as or or (as you can see from the
screenshot taken from my site’s Wordfence plugin) who always by passes it.

Could anyone explain why this may be possible?
Many thanks


That sure looks like you don’t have your site configured to Restore Visitor IP addresses.

Wordfence has this option built in. Please read their instructions on How Wordfence Gets IPs:

Here’s how to do it in general with mod_remoteip:

My additional comments on top of what @sdayman mentioned: since you have the firewall rule in place and it works for you, then very likely those login attempts that you noticed in Wordfence were actually the requests that were not blocked by your firewall rule. It’s just that the “Restore Visitor IP addresses” option was not configured hence you see those Cloudflare IP addresses appear in your Wordfence logs.

1 Like

Hi Eric and @sdayman, thanks for your replay
I figured out it’s a problem with the real IP not being listed correctly in Wordfence longs. I can’t find any option that allows me to “Restore IP addresses of visitors”, at least this is not available in my free version. However, even if I find a way to see the real IP, that doesn’t solve the problem of the WAF rule being bypassed by this IP. So I have to focus on a better rule, if I can configure it right
Thanks again for your help.

You don’t know the WAF rule isn’t functioning as expected without knowing what the actual visitor IP address is.

Restarting the visitor IP address:


It’s available in the free version. The instructions I linked to show where it is. It’s near the very top of the Options page: https://guidecomo.it/wp-admin/admin.php?page=WordfenceOptions

I found it and this is the list of options that I can use in the Wordfence Panel: at the moment I’m using the 1st one.

[How does Wordfence get IPs options]

  1. Let Wordfence use the most secure method to get visitor IP addresses. Prevents spoofing and works with most sites. (Recommended)
  2. Use PHP’s built in REMOTE_ADDR and don’t use anything else. Very secure if this is compatible with your site.
  3. Use the X-Forwarded-For HTTP header. Only use if you have a front-end proxy or spoofing may result.
  4. Use the X-Real-IP HTTP header. Only use if you have a front-end proxy or spoofing may result.
  5. Use the Cloudflare “CF-Connecting-IP” HTTP header to get a visitor IP. Only use if you’re using Cloudflare.

Which one should I use then ?


This is what I use:

Thanks, I will try the same.

------ Messaggio originale ------

1 Like