WP_Community_Events::get_unsafe_client_ip(): string|false

In this article

Determines the user’s actual IP address and attempts to partially anonymize an IP address by converting it to a network ID.


Geolocating the network ID usually returns a similar location as the actual IP, but provides some privacy for the user.

$_SERVER[‘REMOTE_ADDR’] cannot be used in all cases, such as when the user is making their request through a proxy, or when the web server is behind a proxy. In those cases, $_SERVER[‘REMOTE_ADDR’] is set to the proxy address rather than the user’s actual address.

Modified from https://stackoverflow.com/a/2031935/450127, MIT license.
Modified from https://github.com/geertw/php-ip-anonymizer, MIT license.

SECURITY WARNING: This function is NOT intended to be used in circumstances where the authenticity of the IP address matters. This does NOT guarantee that the returned address is valid or accurate, and it can be easily spoofed.


string|false The anonymized address on success; the given address or false on failure.


public static function get_unsafe_client_ip() {
	$client_ip = false;

	// In order of preference, with the best ones for this purpose first.
	$address_headers = array(

	foreach ( $address_headers as $header ) {
		if ( array_key_exists( $header, $_SERVER ) ) {
			 * HTTP_X_FORWARDED_FOR can contain a chain of comma-separated
			 * addresses. The first one is the original client. It can't be
			 * trusted for authenticity, but we don't need to for this purpose.
			$address_chain = explode( ',', $_SERVER[ $header ] );
			$client_ip     = trim( $address_chain[0] );


	if ( ! $client_ip ) {
		return false;

	$anon_ip = wp_privacy_anonymize_ip( $client_ip, true );

	if ( '' === $anon_ip || '::' === $anon_ip ) {
		return false;

	return $anon_ip;



User Contributed Notes

You must log in before being able to contribute a note or feedback.