If you use WordPress there are a lot of nice small plugins. The Login LockDown is one of them. It is not the newest, but its has a nice feature. If it determines some wrong login tries, it blocks the IP address for a certain time. This plugin is configurable and still works, nearly …
It will not work correct behind a proxy like nginx or haproxy, because it dermines the wrong client IP address. It then get the address from the proxy and not of the original client. And this causes problems, because then all request are coming from one IP.
So, if you have a wordpress behind a proxy, you should configure the proxy in a way to forward the client IP address in the corresponding HTTP header. In haproxy you would use option forwardfor in the default section.
The problem now is that the Login LockDown plugin still uses the wrong address. The missing feature is located in the code, because it resolves the IP address using this call:
$subnet = calc_subnet($_SERVER['REMOTE_ADDR']);
Changing the “REMOTE_ADDR” into “HTTP_X_FORWARDED_FOR” would solve the problem, but only for this use case.
This stackoverflow post could improve the whole mechanism:
by Ilenia Salvadori, Mark Hoffmann, Jürgen Albert