Gryphon Verified Client IP determines the client IP by walking the forwarding chain, only trusting addresses that match your configured proxy networks (by CIDR range). It stops at the first untrusted hop, which is the true client IP. The resolved address replaces REMOTE_ADDR early in the WordPress lifecycle, allowing other plugins to use it.

The component is secure by default and only trusted proxies are traversed; spoofed headers are ignored. Both IPv4 and IPv6 are fully supported, including protocol translation.

Multiple header formats are supported including standard RFC 7239 Forwarded, common X-Forwarded-For, Cloudflare CF-Connecting-IP, or any custom header.

The component includes a diagnostics panel that can be enabled to record incoming requests with full header dumps and algorithm step traces for debugging.

For more detail, see the GitHub project site Gryphon WordPress Verified Client IP.

Compatibility Note

If your server uses Apache mod_remoteip or nginx set_real_ip_from, those modules will pre-resolve REMOTE_ADDR from forwarding headers before PHP runs. Disable the web server module and let this plugin handle IP resolution instead, or let it pre-resolve and use this plugin for any additional proxies not covered by the engine.