Rate Your Experience

Using the X-Forwarded-For (XFF) Header

Modified on: Wed, 1 May, 2024

Jump to:

What Is The X-Forwarded-For Header?

When Is The X-Forwarded-For Header Used?

Why Would The Original IP Of The User Not Get Passed Along When Using Ezoic?

X-Forwarded-For Example

How to add the X-Forwarded-For (XFF) header in .PHP and .NET?

How to Add the X-Forwarded-For (XFF) Header on WordPress?

Where to add the X-Forwarded-For code in the wp-config.php file?

Anything else?

What is the X-Forwarded-For Header?

The X-Forwarded-For (XFF) Header identifies the originating IP address of a user in server access logs, through an HTTP proxy or load balancer.

When is the X-Forwarded-For Header used? 

Many web applications use the origin IP address of the user. An example of when the X-Forwarded-For Header would be needed might be if a site identifies users by their IP address when logging into a member area. In this case, the origin IP needs to be passed along.

Why would the original IP of the user not get passed along when using Ezoic?

When using Ezoic's platform, requests from your website visitors will be routed through Ezoic's Amazon Cloud Servers (AWS). Therefore, your access logs will show Ezoic IP addresses rather than the original IP address of the user.

Occasionally, your hosting company misinterprets requests going via Ezoic as a bot attack, because all the requests are coming from a single or a few IPs rather than a wide assortment. 

Errors you might see in relation to this issue include origin errors, 520 errors, or your host's Robot Captcha.

This issue can be fixed by using the XFF header. 

By implementing the XFF header, Ezoic will send the IP address of the original web visitor through to your server in the X-Forwarded-For header.

X-Forwarded-For example

  • In PHP it is available in: $_SERVER['HTTP_X_FORWARDED_FOR']
  • In .NET it's available in:  HttpContext.Current.Request.Headers["X-Forwarded-For"]

How to add the X-Forwarded-For (XFF) header in .PHP and .NET? 

  1. It's worth creating a back up of your site. You can use tools like PHPmyadmin to do this.
  2. Next, you need to put the XFF code in a file that all of your pages access (e.g. header.php, init.php or config.php)
  3. In your header.php, init.php, or config.php file, you should already see $_SERVER['REMOTE_ADDR'] which you can replace with $_SERVER['HTTP_X_FORWARDED_FOR']


How to Add the X-Forwarded-For (XFF) Header on WordPress? 

For Wordpress sites this process is a little different.

To implement XFF for WordPress sites, simply copy and paste the code below to your  wp-config.php file:

// Use X-Forwarded-For HTTP Header to Get Visitor's Real IP Address


if ( isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {

$http_x_headers = explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] );


$_SERVER['REMOTE_ADDR'] = $http_x_headers[0];



Where to add the X-Forwarded-For code in the wp-config.php file?

This will differ depending upon your theme. If you are unsure, please contact your theme's owners.

Alternatively, the Proxy Real IP Wordpress plugin can add the code for you: 


*Please note it depends upon how the origin server is configured as to whether this plugin will be effective. We have some publishers for whom this has been effective, and some who have needed to take alternative measures to fix requests being blocked. You can read more about those here.

Anything else?

Yes! Please let your host know when you have implemented a X-Forwarded-For header. They will need to perform additional configuration on their end to allow the requests to pass through as expected.

Loading ...