Cloudflare Location Check

Recently I had a client come to me with a very interesting problem. They have multiple web servers running behind a Cloudflare load balancer, and the majority of requests flow through the load balancer and are directed properly. However, a number of requests were still making it straight through to the origin IPs. Most of those requests were attempts at common WordPress exploits or plugin scans looking for vulnerable plugins. Had those requests gone through Cloudflare, they would have been dealt with by the Cloudflare firewall, but by using the IP address these bad actors were able to bypass that layer of security.

Thankfully, Cloudflare has a way to check whether a request actually passed through Cloudflare, provided the website has turned on Cloudflare IP Geolocation. That service automatically passes the visitor's country code to the origin web server in the CF-IPCountry request header. If you want to know more about Cloudflare IP Geolocation, check out their support document.

The logic is pretty simple: if the request does not have the CF-IPCountry request header, then it did not pass through Cloudflare (and the Cloudflare Firewall), so redirect it back to the fully qualified domain name.

/**
 * Cloudflare Location Check
 *
 * Checks for the Cloudflare location header. This is only there if the visitor has come through Cloudflare.
 * If the request does not have it, this is direct access and should be redirected to the host name.
 */
function lgr_cflocation_check() {
    // The country header is added by Cloudflare. If it is not there, this is direct IP access and needs to be redirected.
    // empty() is used so a missing header does not raise an "undefined index" notice.
    if ( empty( $_SERVER['HTTP_CF_IPCOUNTRY'] ) ) {
        // Send them to the full URL, which should add it.
        header( 'Location: ' . home_url() . $_SERVER['REQUEST_URI'] );
        die();
    }
}
add_action( 'init', 'lgr_cflocation_check' );

If you are having problems with direct access to your website through the IP address this might help you.
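
The header check above trusts a value that any client connecting straight to the origin can send itself, so a stricter variant also confirms that the connecting address belongs to Cloudflare. The following is an added example, not code from the original post: the function names are hypothetical, the range list is a constructed subset of Cloudflare's published ranges, and it assumes REMOTE_ADDR is the real TCP peer (no other proxy in front of PHP and no module rewriting it).

```php
<?php
// Added example, not the original post's code.
// Constructed subset of Cloudflare's published ranges, for illustration only;
// load the full, current list from https://www.cloudflare.com/ips/ in real use.
const LGR_CF_RANGES = array(
    '173.245.48.0/20', '103.21.244.0/22', '104.16.0.0/13', '172.64.0.0/13',
    '2400:cb00::/32', '2606:4700::/32',
);

// True if $ip falls inside $cidr; works for IPv4 and IPv6.
function lgr_ip_in_cidr( $ip, $cidr ) {
    list( $subnet, $bits ) = explode( '/', $cidr );
    $ip_bin  = @inet_pton( $ip );
    $net_bin = @inet_pton( $subnet );
    // Reject unparsable input and mixed address families.
    if ( false === $ip_bin || false === $net_bin || strlen( $ip_bin ) !== strlen( $net_bin ) ) {
        return false;
    }
    $full = intdiv( (int) $bits, 8 ); // whole bytes covered by the prefix
    $rem  = (int) $bits % 8;          // leftover bits in the next byte
    if ( substr( $ip_bin, 0, $full ) !== substr( $net_bin, 0, $full ) ) {
        return false;
    }
    if ( 0 === $rem ) {
        return true;
    }
    $mask = ( 0xFF << ( 8 - $rem ) ) & 0xFF;
    return ( ord( $ip_bin[ $full ] ) & $mask ) === ( ord( $net_bin[ $full ] ) & $mask );
}

// True only when the connecting peer is inside one of the listed ranges.
function lgr_request_is_from_cloudflare() {
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    foreach ( LGR_CF_RANGES as $cidr ) {
        if ( lgr_ip_in_cidr( $remote, $cidr ) ) {
            return true;
        }
    }
    return false;
}

function lgr_cf_origin_check() {
    if ( 'cli' === PHP_SAPI ) {
        return; // WP-CLI and command-line cron runs have no proxy in front of them.
    }
    // Require both a Cloudflare peer address and the header Cloudflare adds.
    if ( ! lgr_request_is_from_cloudflare() || empty( $_SERVER['HTTP_CF_IPCOUNTRY'] ) ) {
        wp_safe_redirect( home_url() . $_SERVER['REQUEST_URI'] );
        exit;
    }
}
add_action( 'init', 'lgr_cf_origin_check' );
```

The same allowlist applied at the host firewall or web server stops direct requests before they reach PHP at all.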
