{"id":293348,"date":"2026-04-12T14:16:36","date_gmt":"2026-04-12T14:16:36","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/verified-client-ip\/"},"modified":"2026-04-13T12:27:48","modified_gmt":"2026-04-13T12:27:48","slug":"gryphon-verified-client-ip","status":"publish","type":"plugin","link":"https:\/\/test.wordpress.org\/plugins\/gryphon-verified-client-ip\/","author":7399067,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"1.2.1","stable_tag":"1.2.1","tested":"6.9.4","requires":"6.4","requires_php":"8.1","requires_plugins":null,"header_name":"Gryphon Verified Client IP","header_author":"Sly Gryphon","header_description":"Determines the true client IP by verifying Forwarded and similar headers, traversing only trusted proxy hops.","assets_banners_color":"","last_updated":"2026-04-13 12:27:48","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/github.com\/sgryphon\/essential-wordpress-verified-client-ip","header_author_uri":"https:\/\/github.com\/sgryphon","rating":0,"author_block_rating":0,"active_installs":0,"downloads":130,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.2.0":{"tag":"1.2.0","author":"sgryphon","date":"2026-04-12 14:17:20"},"1.2.1":{"tag":"1.2.1","author":"sgryphon","date":"2026-04-13 12:27:48"}},"upgrade_notice":{"1.2.1":"<ul>\n<li>Reformat readme.txt to display properly in WordPress plugin library.<\/li>\n<li>Add Settings and Guide links to plugins page<\/li>\n<\/ul>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3504517,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3504517,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256},"icon.svg":{"filename":"icon.svg","revision":3504517,"resolution":false,"location":"assets","locale":false}},"assets_banners":[],"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.2.0","1.2.1"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3505152,"resolution":"1","location":"assets","locale":"","width":1200,"height":780},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3505152,"resolution":"2","location":"assets","locale":"","width":1200,"height":780},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3505152,"resolution":"3","location":"assets","locale":"","width":1200,"height":780},"screenshot-4.png":{"filename":"screenshot-4.png","revision":3505152,"resolution":"4","location":"assets","locale":"","width":1200,"height":780},"screenshot-5.png":{"filename":"screenshot-5.png","revision":3505152,"resolution":"5","location":"assets","locale":"","width":1200,"height":780},"screenshot-6.png":{"filename":"screenshot-6.png","revision":3505152,"resolution":"6","location":"assets","locale":"","width":1200,"height":780}},"screenshots":{"1":"Main settings page \u2014 enable\/disable the plugin, set the forward limit, and configure proto\/host processing.","2":"Scheme detail \u2014 configure header name, trusted proxy CIDR ranges, and optional token for a scheme.","3":"Diagnostics page \u2014 list of recorded requests with resolved IP and whether <code>REMOTE_ADDR<\/code> was changed.","4":"Diagnostics with IPv6 \u2014 shows IPv6 addresses and protocol translation.","5":"Diagnostics detail \u2014 full step trace showing each hop evaluated by the algorithm.","6":"Comments page \u2014 WordPress comments showing the verified client IP for each commenter."},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[17988,3919,7686,177160,157620],"plugin_category":[],"plugin_contributors":[260040],"plugin_business_model":[],"class_list":["post-293348","plugin","type-plugin","status-publish","hentry","plugin_tags-client-ip","plugin_tags-ip-address","plugin_tags-proxy","plugin_tags-user-ip","plugin_tags-visitor-ip","plugin_contributors-sgryphon","plugin_committers-sgryphon"],"banners":[],"icons":{"svg":"https:\/\/ps.w.org\/gryphon-verified-client-ip\/assets\/icon.svg?rev=3504517","icon":"https:\/\/ps.w.org\/gryphon-verified-client-ip\/assets\/icon.svg?rev=3504517","icon_2x":false,"generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/gryphon-verified-client-ip\/assets\/screenshot-1.png?rev=3505152","caption":"Main settings page \u2014 enable\/disable the plugin, set the forward limit, and configure proto\/host processing."},{"src":"https:\/\/ps.w.org\/gryphon-verified-client-ip\/assets\/screenshot-2.png?rev=3505152","caption":"Scheme detail \u2014 configure header name, trusted proxy CIDR ranges, and optional token for a scheme."},{"src":"https:\/\/ps.w.org\/gryphon-verified-client-ip\/assets\/screenshot-3.png?rev=3505152","caption":"Diagnostics page \u2014 list of recorded requests with resolved IP and whether <code>REMOTE_ADDR<\/code> was changed."},{"src":"https:\/\/ps.w.org\/gryphon-verified-client-ip\/assets\/screenshot-4.png?rev=3505152","caption":"Diagnostics with IPv6 \u2014 shows IPv6 addresses and protocol translation."},{"src":"https:\/\/ps.w.org\/gryphon-verified-client-ip\/assets\/screenshot-5.png?rev=3505152","caption":"Diagnostics detail \u2014 full step trace showing each hop evaluated by the algorithm."},{"src":"https:\/\/ps.w.org\/gryphon-verified-client-ip\/assets\/screenshot-6.png?rev=3505152","caption":"Comments page \u2014 WordPress comments showing the verified client IP for each commenter."}],"raw_content":"<!--section=description-->\n<p>Gryphon Verified Client IP determines the client IP by walking the forwarding chain, only trusting addresses that match your configured proxy networks (by CIDR range). It stops at the first untrusted hop, which is the true client IP. The resolved address replaces <code>REMOTE_ADDR<\/code> early in the WordPress lifecycle, allowing other plugins to use it.<\/p>\n\n<p>The component is secure by default and only trusted proxies are traversed; spoofed headers are ignored. Both IPv4 and IPv6 are fully supported, including protocol translation.<\/p>\n\n<p>Multiple header formats are supported including standard RFC 7239 <code>Forwarded<\/code>, common <code>X-Forwarded-For<\/code>, Cloudflare <code>CF-Connecting-IP<\/code>, or any custom header.<\/p>\n\n<p>The component includes a diagnostics panel that can be enabled to record incoming requests with full header dumps and algorithm step traces for debugging.<\/p>\n\n<p>For more detail, see the GitHub project site <a href=\"https:\/\/github.com\/sgryphon\/essential-wordpress-verified-client-ip\">Gryphon WordPress Verified Client IP<\/a>.<\/p>\n\n<h4>Compatibility Note<\/h4>\n\n<p>If your server uses <strong>Apache <code>mod_remoteip<\/code><\/strong> or <strong>nginx <code>set_real_ip_from<\/code><\/strong>, those modules will pre-resolve <code>REMOTE_ADDR<\/code> from forwarding headers before PHP runs. Disable the web server module and let this plugin handle IP resolution instead, or let it pre-resolve and use this plugin for any additional proxies not covered by the engine.<\/p>\n\n<!--section=installation-->\n<h4>From plugin directory<\/h4>\n\n<ol>\n<li>Go to <strong>Site Admin \u2192 Plugins \u2192 Add Plugin<\/strong><\/li>\n<li>Search Plugins for \"Gryphon Verified Client IP\"<\/li>\n<li>Click <strong>Install Now<\/strong><\/li>\n<li>Click <strong>Activate<\/strong><\/li>\n<\/ol>\n\n<p>Navigate to <strong>Settings \u2192 Verified Client IP<\/strong> in the WordPress admin.<\/p>\n\n<p>Configure with your proxy setup, or accept the defaults if suitable.<\/p>\n\n<h4>Manual installation<\/h4>\n\n<ol>\n<li>Download the plugin zip file.<\/li>\n<li>In WordPress Admin, go to <strong>Plugins \u2192 Add Plugin \u2192 Upload Plugin<\/strong>.<\/li>\n<li>Upload the zip and click <strong>Install Now<\/strong>.<\/li>\n<li>Click <strong>Activate Plugin<\/strong>.<\/li>\n<\/ol>\n\n<p>Or manually upload the <code>gryphon-verified-client-ip<\/code> folder to <code>wp-content\/plugins\/<\/code> and activate via the Plugins screen.<\/p>\n\n<p>Navigate to <strong>Settings \u2192 Verified Client IP<\/strong> in the WordPress admin.<\/p>\n\n<p>Configure with your proxy setup, or accept the defaults if suitable.<\/p>\n\n<!--section=faq-->\n<dl>\n<dt id=\"the%20plugin%20has%20no%20effect.%20what%20should%20i%20check%3F\"><h3>The plugin has no effect. What should I check?<\/h3><\/dt>\n<dd><p>Check that <code>REMOTE_ADDR<\/code> matches a trusted proxy in an enabled scheme. Use the <strong>Diagnostics<\/strong> tab to record a request and inspect the step trace.<\/p><\/dd>\n<dt id=\"the%20plugin%20is%20a%20no-op%20even%20though%20my%20proxies%20are%20configured.\"><h3>The plugin is a no-op even though my proxies are configured.<\/h3><\/dt>\n<dd><p>Apache <code>mod_remoteip<\/code> or nginx <code>set_real_ip_from<\/code> may be pre-resolving the IP before PHP starts. In the Diagnostics tab, if the <strong>Remote Address<\/strong> column already shows the visitor's IP rather than the upstream proxy's IP, a web-server-level module is the cause.<\/p>\n\n<p>Disable the relevant module or accept that addresses are already partially resolved.<\/p><\/dd>\n<dt id=\"i%27m%20resolving%20the%20wrong%20ip.\"><h3>I'm resolving the wrong IP.<\/h3><\/dt>\n<dd><p>Check that your <strong>Forward Limit<\/strong> matches the exact number of proxies in your chain. Use the step trace in <strong>Diagnostics<\/strong> to see each hop the algorithm evaluated.<\/p><\/dd>\n<dt id=\"cloudflare%20is%20not%20working.\"><h3>Cloudflare is not working.<\/h3><\/dt>\n<dd><p>Enable the Cloudflare scheme and add <a href=\"https:\/\/www.cloudflare.com\/ips\/\">Cloudflare's published IP ranges<\/a> to the trusted proxies list.<\/p><\/dd>\n<dt id=\"can%20i%20extend%20the%20plugin%20with%20my%20own%20code%3F\"><h3>Can I extend the plugin with my own code?<\/h3><\/dt>\n<dd><p>Yes. Three hooks are available:<\/p>\n\n<ul>\n<li><strong>Filter <code>vcip_resolved_ip<\/code><\/strong> <code>(string $ip, array $steps): string<\/code> \u2014 modify the resolved IP before it replaces <code>REMOTE_ADDR<\/code>.<\/li>\n<li><strong>Filter <code>vcip_trusted_proxies<\/code><\/strong> <code>(array $schemes): array<\/code> \u2014 dynamically add or modify proxy schemes before matching.<\/li>\n<li><strong>Action <code>vcip_ip_resolved<\/code><\/strong> <code>(string $newIp, string $originalIp, array $steps)<\/code> \u2014 fired after <code>REMOTE_ADDR<\/code> has been replaced.<\/li>\n<\/ul><\/dd>\n<dt id=\"what%20happens%20when%20the%20plugin%20is%20deactivated%3F\"><h3>What happens when the plugin is deactivated?<\/h3><\/dt>\n<dd><p>Deactivation only flushes object caches \u2014 no settings or data are removed. Uninstalling the plugin removes all <code>vcip_*<\/code> options and diagnostic transients.<\/p><\/dd>\n<dt id=\"is%20diagnostic%20data%20stored%20permanently%3F\"><h3>Is diagnostic data stored permanently?<\/h3><\/dt>\n<dd><p>No. Diagnostic records are stored as WordPress transients with a 24-hour expiry and are automatically removed when you uninstall the plugin. Because the data includes IP addresses and HTTP headers, only record what you need for debugging and clear the data when you are done.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.2.1<\/h4>\n\n<ul>\n<li>Reformat readme.txt to display properly in WordPress plugin library.<\/li>\n<li>Add Settings and Guide links to plugins page<\/li>\n<\/ul>\n\n<h4>1.2.0<\/h4>\n\n<ul>\n<li>Update plugin display name and slug, again, to Gryphon Verified Client IP.<\/li>\n<li>Update namespace and package names to Gryphon Verified Client IP.<\/li>\n<\/ul>\n\n<h4>1.1.0<\/h4>\n\n<ul>\n<li>Update plugin display name and slug, for WordPress plugin naming requirements, to Essential Verified Client IP.<\/li>\n<li>Update namespace and package names to Essential Verified Client IP.<\/li>\n<\/ul>\n\n<h4>1.0.1<\/h4>\n\n<ul>\n<li>Minor fixes for initial release.<\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release of Verified Client IP plugin.<\/li>\n<li>RFC 7239 <code>Forwarded<\/code>, <code>X-Forwarded-For<\/code>, and Cloudflare <code>CF-Connecting-IP<\/code> schemes.<\/li>\n<li>Configurable forward limit and trusted proxy CIDR ranges.<\/li>\n<li>Proto and Host processing.<\/li>\n<li>Diagnostics with request recording and step traces.<\/li>\n<li>Must-use plugin support.<\/li>\n<li>WordPress hooks: <code>vcip_resolved_ip<\/code>, <code>vcip_trusted_proxies<\/code>, <code>vcip_ip_resolved<\/code>.<\/li>\n<\/ul>","raw_excerpt":"Determines the true client IP by verifying Forwarded and similar headers, traversing only trusted proxy hops.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/test.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/293348","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/test.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/test.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/test.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=293348"}],"author":[{"embeddable":true,"href":"https:\/\/test.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/sgryphon"}],"wp:attachment":[{"href":"https:\/\/test.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=293348"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/test.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=293348"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/test.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=293348"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/test.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=293348"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/test.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=293348"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/test.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=293348"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}