We have cloudflare pro on our domain
We use Cloudflare as our main DNS
We proxy everything
We have WordPress installed on that domain and several subdomains of that domain
Wordfence (free) installed on ALL WP sites
The Cloudflare Plugin is installed on every site
ALL our sites pass the cloudflare diagnostics test
Continuously see this error from wordfence:
“This site is currently using the X-Real-IP HTTP header, which should only be used when the site is behind a front-end proxy that outputs this header. This site appears to be behind Cloudflare, so using the Cloudflare “CF-Connecting-IP” HTTP header will resolve to the correct IPs”
Which does not appear to make any sense, as we proxy everything through Cloudflare. Looking for insights on this.
That makes perfect sense to me. You’ve set Wordfence to use x-real-ip, but you should be using cf-connecting-ip. Wordfence will automatically fix that for you if you click the button with that message.
One would think - but we made no such setting. And when you let Wordfence ‘fix it’, it says the error is still there, and we start seeing other errors in the logs about IPs. It’s like an infinite loop. Very bizarre. Wordfence claims the Cloudflare setup is not a true proxy, and that is why the error appears.
I don’t think they actually know.
In addition we DO use the setting
in Apache to set the headers
So the Wordfence error itself is incorrect - we do NOT use x-real-ip in headers.
I found out recently that Wordfence is pretty insistent about that header if it thinks you’re using Cloudflare. I was experimenting with Transform Rules by removing cf-connecting-ip and Wordfence threw that warning. I believe I tried setting it to use x-forwarded-for and it still didn’t like it.
OK, so now we HAVE all the sites set to Use “CF-Connecting-IP”
NOW the Error is REVERSED and says:
This site is currently using the Cloudflare “CF-Connecting-IP” HTTP header, which should only be used when the site is behind Cloudflare. This site appears to be behind a front-end proxy, so using the X-Real-IP HTTP header will resolve to the correct IPs
That is just weird. Wordfence says Cloudflare is to blame. But they don’t say HOW
As I’m not clear how Wordfence determines all this, I suggest you dig up all the headers your server receives for a request and then let Wordfence know what you’re seeing. Their detection process might be producing conflicting results.
You might try to reach out to @tcan1337 on Twitter for a bit of above-and-beyond help. If you can’t get a hold of him, let me know and I’ll contact him. As I’ve broken this before, I’m also curious as to how it works.
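As an added illustration of the decision the two Wordfence warnings are describing (this is not code from the thread, from Wordfence or from Cloudflare): a trusted-proxy resolver only honours a client-IP header when the peer address of the connection (REMOTE_ADDR) belongs to the proxy that is supposed to set that header, so "behind Cloudflare" and "behind a front-end proxy" are mutually exclusive for any one request. The Cloudflare ranges and the front-end proxy address below are constructed sample values.

```python
import ipaddress

# CONSTRUCTED sample of Cloudflare edge ranges. In real use load the full,
# current list that Cloudflare publishes at https://www.cloudflare.com/ips/
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in ("173.245.48.0/20", "103.21.244.0/22")]
# Hypothetical address of a self-run front-end proxy that sets X-Real-IP.
FRONTEND_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def _peer_in(addr, ranges):
    """True when the connecting peer address lies inside one of the trusted ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ranges)


def _header_ip(headers, name):
    """Return the header value if it parses as an IP address, else None."""
    value = {k.lower(): v.strip() for k, v in headers.items()}.get(name.lower())
    try:
        return str(ipaddress.ip_address(value)) if value else None
    except ValueError:
        return None


def resolve_visitor_ip(remote_addr, headers, configured):
    """Pick the visitor IP for one request.

    remote_addr: REMOTE_ADDR, the peer address of the TCP connection.
    headers:     request headers (dict, case-insensitive names).
    configured:  "CF-Connecting-IP" or "X-Real-IP", the header the site is set to use.
    Returns (visitor_ip, warning). The configured header is trusted only when the
    peer is the proxy expected to set it; otherwise the header is client-controlled,
    so the peer address is returned together with a Wordfence-style warning.
    """
    behind_cf = _peer_in(remote_addr, CLOUDFLARE_RANGES)
    behind_proxy = _peer_in(remote_addr, FRONTEND_PROXIES)
    if configured == "CF-Connecting-IP":
        if behind_cf and _header_ip(headers, "CF-Connecting-IP"):
            return _header_ip(headers, "CF-Connecting-IP"), None
        if behind_proxy:
            return remote_addr, "peer is a front-end proxy, not Cloudflare: use X-Real-IP"
        return remote_addr, "peer is not a trusted proxy: CF-Connecting-IP ignored"
    if configured == "X-Real-IP":
        if behind_proxy and _header_ip(headers, "X-Real-IP"):
            return _header_ip(headers, "X-Real-IP"), None
        if behind_cf:
            return remote_addr, "peer is Cloudflare, not a front-end proxy: use CF-Connecting-IP"
        return remote_addr, "peer is not a trusted proxy: X-Real-IP ignored"
    raise ValueError(f"unknown header setting: {configured}")
```

Dumping REMOTE_ADDR alongside the CF-Connecting-IP, X-Real-IP and X-Forwarded-For values for a few real requests, as suggested above, is what tells you which of these branches your server is actually in.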
That is a very detailed reply, thank you.
Our site(s) are set up the same way, except that Cloudflare SSL/TLS is set to Full, but not to Strict,
even though we have Let’s Encrypt SSL on all domains and subdomains
(we have a distinct stand-alone WP on the main domain
and distinct WP installations on some sub-domains of the main.
All are configured identically, and all use Cloudflare DNS servers & DNS).
Each setting (Cloudflare or X-Real) gives an error to use the OTHER setting.
BOTH settings show the correct (real) IP in the Wordfence test (the part that says:
Detected IP(s): **72[redacted]48
Your IP with this setting: **72[redacted]48
Which is why the server logs and PHP show the correct IPs.
It’s a bit insane. I will set all sites to use the "Use the Cloudflare “CF-Connecting-IP” HTTP header to get a visitor IP." setting in Wordfence, and hope we have nothing that needs it to be otherwise.
Wordfence needs to add some “AI” to their test & scan.