sgryphon/essential-wordpress-verified-client-ip

Essential Verified Client IP

A WordPress plugin that determines the true client IP address by verifying Forwarded, X-Forwarded-For, and similar headers, traversing only trusted proxy hops. It replaces $_SERVER['REMOTE_ADDR'] with the verified IP early in the WordPress lifecycle, before any other plugin reads it.

Why This Plugin?

When WordPress sits behind load balancers, CDNs, or reverse proxies, $_SERVER['REMOTE_ADDR'] contains the proxy's IP, not the real visitor's. Many plugins solve this by blindly trusting forwarding headers, which any client can set and which are therefore trivially spoofable.

Verified Client IP walks the forwarding chain backwards, only trusting addresses that match your configured proxy networks (by CIDR range). It stops at the first untrusted hop and treats that address as the true client IP.
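The backwards walk described above, as an added PHP example that is not the plugin's own code: the function names are hypothetical, only X-Forwarded-For is handled, and no forward limit is applied. The sample addresses are constructed from documentation ranges.

```php
<?php
// Added illustration with hypothetical function names; not the plugin's source.

/** Pack an address to bytes; IPv4-mapped IPv6 (::ffff:a.b.c.d) becomes IPv4. */
function pack_ip(string $ip): ?string {
    $bin = @inet_pton(trim($ip));
    if ($bin === false) {
        return null;
    }
    $mapped = str_repeat("\0", 10) . "\xff\xff";
    return strlen($bin) === 16 && str_starts_with($bin, $mapped) ? substr($bin, 12) : $bin;
}

/** True when $ip lies inside $cidr; address families must match. */
function in_cidr(string $ip, string $cidr): bool {
    [$net, $len] = array_pad(explode('/', $cidr, 2), 2, null);
    $addr = pack_ip($ip);
    $base = pack_ip($net);
    if ($addr === null || $base === null || strlen($addr) !== strlen($base)) {
        return false;
    }
    // A malformed prefix length must never widen trust, so it maps to -1 (reject).
    $bits = $len === null ? strlen($base) * 8 : (ctype_digit($len) ? (int) $len : -1);
    if ($bits < 0 || $bits > strlen($base) * 8) {
        return false;
    }
    $bytes = intdiv($bits, 8);
    $mask = (0xff << (8 - $bits % 8)) & 0xff; // covers the partial trailing byte
    return substr($addr, 0, $bytes) === substr($base, 0, $bytes)
        && ($bits % 8 === 0 || (ord($addr[$bytes]) & $mask) === (ord($base[$bytes]) & $mask));
}

/** Check REMOTE_ADDR, then X-Forwarded-For right to left; stop at the first untrusted hop. */
function resolve_client_ip(string $remoteAddr, string $xff, array $trustedCidrs): string {
    $hops = array_filter(array_map('trim', explode(',', $xff)), fn($h) => $h !== '');
    $current = $remoteAddr;
    while ($hops !== []) {
        $matches = array_filter($trustedCidrs, fn($cidr) => in_cidr($current, $cidr));
        $next = array_pop($hops);
        if ($matches === [] || pack_ip($next) === null) {
            break; // untrusted sender or unparseable entry: keep the last verified address
        }
        $current = $next;
    }
    return $current;
}

// Constructed sample: the leftmost entry is attacker-supplied and is never reached.
$cidrs = ['10.0.0.0/8'];
echo resolve_client_ip('10.0.0.5', '198.51.100.99, 203.0.113.7, ::ffff:10.0.0.9', $cidrs), PHP_EOL;
echo resolve_client_ip('203.0.113.50', '127.0.0.1', $cidrs), PHP_EOL; // direct client: header ignored
```

An entry is only read when the address that delivered it is a trusted proxy, so anything a client prepends to the header sits to the left of the first untrusted hop and is never consulted.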

Features

  • Secure by default — only trusted proxies are traversed; spoofed headers are ignored.
  • Multiple header formats — RFC 7239 Forwarded, X-Forwarded-For, Cloudflare CF-Connecting-IP, or custom headers.
  • IPv4 & IPv6 — full support including IPv4-mapped IPv6 normalisation.
  • Configurable forward limit — control how many proxy hops to traverse.
  • Proto & Host processing — optionally set $_SERVER['HTTPS'] and HTTP_HOST from proxy headers.
  • Diagnostics — record incoming requests with full header dumps and algorithm step traces for debugging.
  • WordPress hooks — filters and actions for extensibility (vcip_resolved_ip, vcip_trusted_proxies, vcip_ip_resolved).
  • Must-use plugin support — can run as a mu-plugin for earliest execution.

Quick Start

  1. Upload the verified-client-ip folder to wp-content/plugins/.
  2. Activate via Plugins → Installed Plugins.
  3. Go to Settings → Verified Client IP.
  4. Add your proxy's IP address or CIDR range to an enabled scheme.
  5. Set the Forward Limit to the number of proxies in your chain.

Documentation

Screenshots

  • Main settings
  • Settings scheme detail
  • Diagnostics
  • IPv6 and protocol translation
  • Diagnostics detail
  • Comments with verified client IP

Compatibility Note

If your server uses Apache mod_remoteip or nginx set_real_ip_from, those modules will pre-resolve REMOTE_ADDR from forwarding headers before PHP runs. This means the plugin will see an already-resolved IP and become a no-op. Disable the web server module and let this plugin handle IP resolution instead. See the User Guide for details.

Requirements

  • PHP 8.1 or later
  • WordPress 6.4 or later

License

GPLv2 or later. See LICENSE for details.

About

Determines the last verified remote address (the origin client IP) from the forwarding chain, trusting only configured proxies.
