Fixing Incorrect IP Detection and Lockouts in Limit Login Attempts Reloaded
If you're using the Limit Login Attempts Reloaded plugin and finding that it's locking out the wrong IP addresses—like your server's IP (e.g., 127.0.0.1) or a CDN's IP—you're not alone. This is a common issue for sites behind proxies, firewalls, or services like Cloudflare, Sucuri, or Flywheel. This guide will explain why it happens and how to fix it.
Why Does This Happen?
By default, the plugin uses the REMOTE_ADDR server variable to detect the IP address of a login attempt. This is the most secure method, as it's the only variable that cannot be easily faked by a malicious user. However, on many hosting setups, this variable does not contain the visitor's real IP address.
When your site sits behind a reverse proxy, firewall, or CDN, the web server often only sees the IP address of that intermediary service in REMOTE_ADDR. The user's original IP address is typically passed along in a separate HTTP header, such as:
- HTTP_X_FORWARDED_FOR (common with proxies and CDNs)
- HTTP_CF_CONNECTING_IP (specific to Cloudflare)
- HTTP_X_SUCURI_CLIENTIP (specific to Sucuri)
- HTTP_X_REAL_IP
- HTTP_CLIENT_IP
If the plugin is not configured to look at the correct header, it will see every login attempt as coming from the same IP (like 127.0.0.1 or a server IP), leading to mass lockouts for all users when that single IP is blocked.
How to Fix Incorrect IP Detection
The primary solution is to use the plugin's Trusted IP Origins setting. This tells the plugin which server variable to use instead of or in addition to REMOTE_ADDR to find the real user IP.
Step 1: Find the Correct Header
First, you need to identify which header on your server contains the correct, original user IP address.
- In your WordPress admin dashboard, navigate to Settings > Limit Login Attempts.
- Click on the Debug tab.
- This tab displays a list of server variables and their detected values. Look for the variable that shows your actual public IP address, not your server's IP.
- Common examples include HTTP_CF_CONNECTING_IP for Cloudflare users or HTTP_X_SUCURI_CLIENTIP for Sucuri users.
Step 2: Configure the Trusted IP Origins Setting
- Go to the Settings tab of the Limit Login Attempts Reloaded plugin.
- Locate the Trusted IP Origins field.
- Enter the name of the server variable you identified in Step 1 (e.g., HTTP_CF_CONNECTING_IP).
- Save the changes.
Important Security Note: Headers like HTTP_X_FORWARDED_FOR can be forged by clients. The plugin team recommends using this feature only if your server is behind a trusted proxy or service that you control. If you are on a shared host, it's best to confirm the correct configuration with their support team to ensure you are using a secure header.
Alternative Solution: Server Configuration
For a more permanent and secure solution, you can configure your web server to automatically fix the REMOTE_ADDR variable itself.
- Apache: Use the mod_remoteip module. You can add a directive like RemoteIPHeader X-Forwarded-For to your Apache configuration or .htaccess file.
- Nginx: Use the ngx_http_realip_module module. You can add directives like set_real_ip_from and real_ip_header to your Nginx configuration file.
With the server correctly configured, REMOTE_ADDR will contain the user's real IP, and the plugin will work without any special settings. This is generally the most robust method, but it requires access to change server configuration files.
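The following Nginx fragment is an added example, not configuration from the plugin or its documentation. It places the weak form of the realip setup next to the corrected one: the difference is that set_real_ip_from is restricted to the addresses of the proxy you actually use, so a client connecting directly cannot rewrite its own REMOTE_ADDR by sending a forged header. The address ranges shown are placeholders.

```nginx
# Added example (not from the plugin or its documentation): ngx_http_realip_module
# settings for a site behind a reverse proxy, CDN or WAF. The proxy ranges below
# are assumptions for illustration; substitute the ranges your provider publishes.

# WEAK: trusts the header from every connection. A client that reaches Nginx
# directly can send "X-Forwarded-For: 127.0.0.1" and have that address logged
# (and locked out) instead of its own.
# set_real_ip_from 0.0.0.0/0;
# real_ip_header   X-Forwarded-For;

# CORRECTED: only rewrite $remote_addr when the TCP connection comes from a
# known proxy; any other connection keeps its real peer address.
set_real_ip_from 10.0.0.0/8;        # assumption: internal load balancer / reverse proxy range
set_real_ip_from 203.0.113.0/24;    # assumption: CDN or WAF egress range
real_ip_header   X-Forwarded-For;   # for Cloudflare use CF-Connecting-IP instead
real_ip_recursive on;               # walk the comma-separated list from the right, skipping trusted proxies
```

With real_ip_recursive on, a header such as "client_ip, proxy1_ip" is read from the right: each address that matches a set_real_ip_from range is skipped and the first one that does not match becomes $remote_addr, which PHP then sees as REMOTE_ADDR. The Apache equivalent pairs RemoteIPHeader with RemoteIPTrustedProxy (or RemoteIPInternalProxy) listing the same ranges in the server or virtual-host configuration; without such a trusted-proxy list, mod_remoteip has the same weakness as the commented-out Nginx lines above.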
What If I'm Still Having Issues?
If you continue to experience problems after trying these steps, consider the following:
- Check for Comma-Separated Lists: Some headers, like X-Forwarded-For, can contain a list of IP addresses (e.g., client_ip, proxy1_ip, proxy2_ip). The plugin should handle this by using the first IP in the list, but server misconfigurations can sometimes cause issues.
- Clear Old Lockouts: After changing the Trusted IP Origins setting, go to the plugin's Log tab and clear any existing lockouts on the incorrect IP addresses (e.g., 127.0.0.1).
- Consult Your Host: If you are using a managed hosting provider like Flywheel, Cloudways, or GoDaddy, contact their support. They can confirm the specific headers their infrastructure uses and may be able to implement the server-level fix for you.
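The PHP below is an added example, not the plugin's own code and not a description of how it is implemented. It illustrates the two points above together: the security note on forged headers (a forwarded header is only honoured when REMOTE_ADDR itself belongs to a trusted proxy) and the comma-separated X-Forwarded-For case. It goes slightly beyond the page, which says the plugin takes the first entry: this version walks the list from the right, discarding known proxy addresses, which is what the server-level modules do. The function names, the trusted proxy ranges and the sample requests are all constructed for illustration.

```php
<?php
// Added example (not the plugin's own code): resolve the client IP for a site
// behind a trusted proxy so that a header forged by a direct client cannot be
// used to impersonate another address (e.g. to get 127.0.0.1 locked out).
//
// Assumptions (hypothetical): $trustedProxies lists the proxies by CIDR or
// exact address, and $header is the $_SERVER key the proxy writes the client
// address into (HTTP_X_FORWARDED_FOR, HTTP_CF_CONNECTING_IP, ...).

function llar_example_ip_in_cidr(string $ip, string $cidr): bool {
    if (strpos($cidr, '/') === false) {
        return $ip === $cidr;                      // exact address, no prefix length
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipBin  = inet_pton($ip);
    $subBin = inet_pton($subnet);
    if ($ipBin === false || $subBin === false || strlen($ipBin) !== strlen($subBin)) {
        return false;                              // malformed, or IPv4 vs IPv6 mismatch
    }
    $bits  = (int) $bits;
    $bytes = intdiv($bits, 8);                     // whole bytes that must match
    $rem   = $bits % 8;                            // leftover bits in the next byte
    if (substr($ipBin, 0, $bytes) !== substr($subBin, 0, $bytes)) {
        return false;
    }
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$bytes]) & $mask) === (ord($subBin[$bytes]) & $mask);
}

function llar_example_is_trusted(string $ip, array $trustedProxies): bool {
    foreach ($trustedProxies as $cidr) {
        if (llar_example_ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Returns the address a login attempt should be counted against.
 * The forwarded header is consulted only when REMOTE_ADDR is a trusted proxy.
 * A comma-separated value is read from the right: trusted proxy hops are
 * skipped and the first untrusted hop is the client. Any malformed entry, or a
 * chain made only of proxies, falls back to REMOTE_ADDR instead of locking
 * out a bogus value.
 */
function llar_example_client_ip(array $server, array $trustedProxies, string $header = 'HTTP_X_FORWARDED_FOR'): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!llar_example_is_trusted($remote, $trustedProxies) || empty($server[$header])) {
        return $remote;                            // direct client, or no header: never trust the header
    }
    $chain = array_map('trim', explode(',', $server[$header]));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $hop = $chain[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote;                        // garbage in the header: fall back
        }
        if (!llar_example_is_trusted($hop, $trustedProxies)) {
            return $hop;                           // first untrusted hop from the right is the client
        }
    }
    return $remote;                                // every hop was one of our own proxies
}

// Constructed sample requests (assumed proxy ranges: 10.0.0.0/8 and 127.0.0.1).
$trusted = ['10.0.0.0/8', '127.0.0.1'];

// 1) Through the proxy: the header is honoured and the proxy hop on the right is skipped.
echo llar_example_client_ip(
    ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.9, 10.0.0.7'],
    $trusted
), "\n";

// 2) Direct client forging the header: the header is ignored and REMOTE_ADDR is used.
echo llar_example_client_ip(
    ['REMOTE_ADDR' => '198.51.100.4', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],
    $trusted
), "\n";

// 3) Behind a Cloudflare-style single-value header named via the Trusted IP Origins setting.
echo llar_example_client_ip(
    ['REMOTE_ADDR' => '10.1.2.3', 'HTTP_CF_CONNECTING_IP' => '192.0.2.77'],
    $trusted,
    'HTTP_CF_CONNECTING_IP'
), "\n";
```

Case 2 is the one the security note warns about: with no trusted-proxy check, the forged 127.0.0.1 would be recorded and, after enough failures, every request the server makes to itself would be blocked. The resolver is deliberately conservative; when in doubt it returns REMOTE_ADDR, which is the value the page describes as the one a client cannot easily fake.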
By correctly identifying the source of your IP detection issue and applying the right configuration, you can ensure Limit Login Attempts Reloaded effectively protects your site without locking out legitimate users.
Related Support Threads
- Compatibility with Varnish: https://wordpress.org/support/topic/compatibility-with-varnish-3/
- Getting proxy address when using Sucuri WAF: https://wordpress.org/support/topic/getting-proxy-address-when-using-sucuri-waf/
- Handling IP addresses with CDN: https://wordpress.org/support/topic/handling-ip-addresses-with-cdn/
- Documentation for Trusted IP Origins: https://wordpress.org/support/topic/documentation-for-trusted-ip-origins/
- Locking out 127.0.0.1 on Woocommerce Login Page Only: https://wordpress.org/support/topic/locking-out-127-0-0-1/
- IP 127.0.0.1 problem: https://wordpress.org/support/topic/ip-127-0-0-1-problem/
- Erroneous lockouts: https://wordpress.org/support/topic/erroneous-lockouts/
- Unable to login: REMOTE_ADDR = IP0: https://wordpress.org/support/topic/unable-to-login-remote_addr-ip0/
- Locked Out of Own Site: https://wordpress.org/support/topic/locked-out-of-own-site-2/
- Thank you for your updating.: https://wordpress.org/support/topic/thank-you-for-your-updating/
- Wrong IP addresses in log: https://wordpress.org/support/topic/wrong-ip-addresses-in-log/
- All my ips are from cloudflare: https://wordpress.org/support/topic/all-my-ips-are-from-cloudflare/
- Add option for trusted proxy: https://wordpress.org/support/topic/add-option-for-trusted-proxy/
- Add Support to Nginx Reverse Proxy Website: https://wordpress.org/support/topic/add-support-to-nginx-reverse-proxy-website/
- 127.0.0.1 getting locked out: https://wordpress.org/support/topic/127-0-0-1-getting-locked-out/
- Problem with Reverse-Proxy and PHP 7.1: https://wordpress.org/support/topic/problem-with-reverse-proxy-and-php-7-1/
- strange IP value entry “privacylocationforloc”: https://wordpress.org/support/topic/strange-ip-value-entry-privacylocationforloc/
- Attempts block/lockout 127.0.0.1, all logins are locked out (Flywheel hosting): https://wordpress.org/support/topic/attempts-block-lockout-127-0-0-1-all-logins-are-locked-out-flywheel-hosting/
- Same IP, different PORT.: https://wordpress.org/support/topic/same-ip-different-port/
- X-Forwarded-For is defined as a comma separated list, and not just one IP: https://wordpress.org/support/topic/x-forwarded-for-is-defined-as-a-comma-separated-list-and-not-just-one-ip/
- IP address from header: X-Forwareded-For: https://wordpress.org/support/topic/ip-address-from-header-x-forwareded-for/
- Logging wrong IP address?: https://wordpress.org/support/topic/logging-wrong-ip-address/
- Can I change how it get’s the ip?: https://wordpress.org/support/topic/can-i-change-how-it-gets-the-ip/
- REMOTE_ADDR isn’t correct: https://wordpress.org/support/topic/remote_addr-isnt-correct/
- Logging and check contains only server IP: https://wordpress.org/support/topic/logging-and-check-contains-only-server-ip/
- Brute force behind a reverse proxy: https://wordpress.org/support/topic/brute-force-behind-a-reverse-proxy/