Akismet False Positives when Behind a Load Balancer

WordPress, WordPress Plugins
Example Prefix WhoIs query
Image via Wikipedia

Here’s the problem: Akismet is marking valid posts as spam when behind a load balancer.  Because of marking comments as spam when Aksimet sees the IP address as coming from your load balancer, and then any comment that comes through gets marked as spam.

There are plugins that do this, to some degree, like Real IP.  But really it’s a simple thing; just put this in your wp-config.php file:

if ( isset($_SERVER['HTTP_X_FORWARDED_FOR']) && !empty($_SERVER['HTTP_X_FORWARDED_FOR']) ) {
    $ips = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
    $_SERVER['REMOTE_ADDR'] = trim($ips[0]);
} elseif ( isset($_SERVER['HTTP_X_REAL_IP']) && !empty($_SERVER['HTTP_X_REAL_IP']) ) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_REAL_IP'];
} elseif ( isset($_SERVER['HTTP_CLIENT_IP']) && !empty($_SERVER['HTTP_CLIENT_IP']) ) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_CLIENT_IP'];
}

Alternatively, download this file, unzip it, and put it in wp-content/mu-plugins/.

Here’s what’s going on:

// Check and see if the X-Forwarded-For header exists. Check this one first because it's the most common.
if ( isset($_SERVER['HTTP_X_FORWARDED_FOR']) && !empty($_SERVER['HTTP_X_FORWARDED_FOR']) ) {
    // Typically load balancers and proxies will take each IP address and add it to the end with a comma.
    // For example, if your IP address is 127.0.0.1 then:
    // $_SERVER['HTTP_X_FORWARDED_FOR'] = '127.0.0.1';
    // Then you pass through a proxy, whose IP address is 192.168.1.1:
    // $_SERVER['HTTP_X_FORWARDED_FOR'] = '127.0.0.1, 192.168.1.1';
    // Last, you pass through the server's load balancer which has the IP address 123.45.6.7:
    // $_SERVER['HTTP_X_FORWARDED_FOR'] = '127.0.0.1, 192.168.1.1, 123.45.6.7';
    // What does this mean? It means that in most configurations, the user's real IP address will be the first in the string, comma-separated. So you want explode by comma, get the first value, and trim away whitespace.
    $ips = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
    $_SERVER['REMOTE_ADDR'] = trim($ips[0]);
    // If that check fails, then look for the next most common header: X-Real-IP.
} elseif ( isset($_SERVER['HTTP_X_REAL_IP']) && !empty($_SERVER['HTTP_X_REAL_IP']) ) {
    // This is just a straight-up IP address.
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_REAL_IP'];

    // Lastly, look for the Client-IP header.
} elseif ( isset($_SERVER['HTTP_CLIENT_IP']) && !empty($_SERVER['HTTP_CLIENT_IP']) ) {
    // This is also just a straight-up IP address.
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_CLIENT_IP'];
}
Related articles:

4 thoughts on “Akismet False Positives when Behind a Load Balancer

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s