If you are using WordPress behind CloudFront with Wordfence, some extra configuration is required. Wordfence blocks based on IP address, but it will fail to determine the correct visitor address when CloudFront and an Elastic Load Balancer sit in front of the site, because the address that connects to the web server belongs to CloudFront or the load balancer and the visitor's address is only carried in the X-Forwarded-For header. The workaround is to set up a cron job that keeps the list of trusted proxies in Wordfence up to date.
- Log in to WordPress admin and go to Wordfence -> All Options. Under “How does Wordfence get IPs” select “Use the X-Forwarded-For HTTP header”. Click “Save Changes”.
- Add a cron job that runs the script shown below to update the list of trusted proxies.
Here’s a simple script for the cron job:
#!/bin/bash
set -euo pipefail
# get the CloudFront IP ranges from AWS as one range per line, the format Wordfence expects for trusted proxies
IPS=$(curl -fsS http://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips \
  | jq -r '.CLOUDFRONT_GLOBAL_IP_LIST[], .CLOUDFRONT_REGIONAL_EDGE_IP_LIST[]')
# bail out if the download failed so an empty list never overwrites the current one
[ -n "$IPS" ] || exit 1
# use wp-cli to update the Wordfence config in the database
wp db query "UPDATE wp_wfconfig SET val = '$IPS' WHERE name = 'howGetIPs_trusted_proxies';"
# remove the Wordfence config cache so the new IPs will be read on next page load
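To see why the trusted proxy list has to be accurate, here is an added Python illustration of the usual X-Forwarded-For resolution that a trusted-proxy list drives; it is not Wordfence's own code and its internals may differ. The CloudFront-style prefixes are constructed samples, and the 10.0.0.0/8 entry is an assumption standing in for the private range the load balancer connects from.

```python
import ipaddress

# Constructed sample of the newline-separated value kept in wp_wfconfig
# under howGetIPs_trusted_proxies. The two CloudFront-style prefixes are
# illustrative; 10.0.0.0/8 stands in for the Elastic Load Balancer's
# private range (an assumption, not a value from the page).
TRUSTED_PROXIES_VALUE = "13.32.0.0/15\n52.84.0.0/15\n10.0.0.0/8\n"


def parse_trusted(value):
    """Turn the one-range-per-line setting into ip_network objects."""
    return [ipaddress.ip_network(line.strip(), strict=False)
            for line in value.splitlines() if line.strip()]


def is_trusted(hop, nets):
    """True if the hop lies inside any trusted proxy range."""
    try:
        addr = ipaddress.ip_address(hop)
    except ValueError:
        return False  # a malformed hop is never a trusted proxy
    return any(addr in net for net in nets)


def client_ip(remote_addr, xff, nets):
    """Resolve the visitor address from REMOTE_ADDR plus X-Forwarded-For.

    Walk from the nearest hop (REMOTE_ADDR) leftwards through the header,
    skipping hops that are trusted proxies; the first untrusted hop is the
    client. Anything to the left of it was supplied by the client and is
    ignored, so a spoofed leading value cannot shift the blame.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    for hop in reversed(hops + [remote_addr]):
        if not is_trusted(hop, nets):
            return hop
    return remote_addr  # every hop trusted: nothing better to report


if __name__ == "__main__":
    good = parse_trusted(TRUSTED_PROXIES_VALUE)
    stale = parse_trusted("10.0.0.0/8\n")  # CloudFront ranges missing
    hdr = "203.0.113.9, 198.51.100.7, 13.32.10.10"  # leftmost value is spoofed
    print(client_ip("10.0.1.5", hdr, good))   # 198.51.100.7, the real visitor
    # With a stale list the CloudFront edge is reported instead, so blocking
    # it would block every visitor routed through that edge.
    print(client_ip("10.0.1.5", hdr, stale))  # 13.32.10.10
```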