WordPress/Servage spam IP filtering

I have Akismet set up to keep spam out, as well as holding all comments for moderation. I initially decided to do some IP blocks, seeing as there would be a few that would constantly send spam.

The only problem was that WordPress only uses

$_SERVER['REMOTE_ADDR']

to determine a user’s IP address, which, as most people who know PHP know, is a bad idea because it doesn’t take proxies etc. into account. In my case it was actually giving Servage’s own IP for every result, which wasn’t of much use unless I wanted to block comments/trackbacks altogether.

As there’s no documentation that I could find about where WordPress actually contains the code to find the IP, and Google wasn’t much help, I had to look manually.

I eventually found it in comments.php in the wp-includes directory.

$commentdata['comment_author_IP'] = preg_replace( '/[^0-9a-fA-F:., ]/', '', $_SERVER['REMOTE_ADDR'] );

First, to add the necessary code, a variable must be created. Change the above code to this:

$commentdata['comment_author_IP'] = preg_replace( '/[^0-9a-fA-F:., ]/', '', $bp_IP );

Then add the following line above it:

$bp_IP = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];

This allows the correct IP to be shown in most cases. Most of the thanks must go to Jason for this.

Update: This piece of code also works in WordPress 2.6x.
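
The one-liner above accepts X-Forwarded-For from any sender, so a commenter who connects without going through the host's proxy can choose the IP that gets recorded, and the header may also hold several comma-separated addresses. The following is an added example, not code from the original post or from WordPress: it uses the header only when the connection comes from a known proxy. The function name bp_client_ip and the proxy address 192.0.2.10 are assumptions; substitute the address your host's front end actually connects from.

```php
<?php
// Added example, not WordPress core code.
// Assumption: the host's front-end proxy connects from this address.
// 192.0.2.10 is a constructed placeholder from the documentation range.
const TRUSTED_PROXIES = ['192.0.2.10'];

// Hypothetical helper: returns the address to record for the commenter.
function bp_client_ip(array $server, array $trustedProxies = TRUSTED_PROXIES): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Only a known proxy may speak for the client; anyone else can forge the header.
    if (!in_array($remote, $trustedProxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }

    // The header is a chain: "client, proxy1, proxy2".
    // Walk it from the right: entries appended by our own proxies are reliable,
    // anything left of the first untrusted hop was supplied by the client.
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed entry: fall back to the socket address
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop; // first address not belonging to our proxies
        }
    }
    return $remote; // header listed only our own proxies
}

// Constructed sample requests (all addresses are documentation ranges).
$samples = [
    'direct client sending its own header' =>
        ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'],
    'through the trusted proxy' =>
        ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '198.51.100.23'],
    'proxy, with a client-supplied prefix' =>
        ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '203.0.113.99, 198.51.100.23'],
    'proxy, malformed header' =>
        ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => 'not-an-ip'],
];

foreach ($samples as $label => $server) {
    printf("%-40s => %s\n", $label, bp_client_ip($server));
}
```

With this helper in place, $bp_IP would be set from bp_client_ip($_SERVER) instead of reading the header directly.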