How to find the IP address of a website behind Cloudflare


WARNING: The content of this article are for testing purposes or it can be used to investigate fraudulent websites. Any actions taken based on the information provided here are at the reader's own risk.

Reverse proxy services like Cloudflare can improve a website's speed and security by adding an additional layer of protection. This also provides a level of anonymity, as the hosting provider and other information about the website are concealed.

With a reverse proxy service in place, it becomes challenging, or even impossible, for external parties to determine the website's hosting provider. This anonymity allows content owners to conceal the source IP address of their server and safeguard it from potential attacks.

How to find the actual hosting provider of a website protected by Cloudflare

Finding the actual hosting provider of a website using a reverse proxy service like Cloudflare requires searching for evidence of past or current misconfigurations. It is crucial to understand the ways a website owner might leave behind a trail and, if you are the site owner, to take measures to maintain anonymity. For instance, the original web server's IP may have remained unchanged or unsecured, which could indicate that the hosting provider has not been altered. In the case that the IP was changed, it's possible that the hosting provider's IP neighborhood remained the same before transitioning to use Cloudflare as a front end.

1. Check DNS records

Check the website’s DNS records: The first step is to look at the domain name system (DNS) records of the website in question. These records contain information about the website’s IP address, and you can use online tools like Whois or Dig to look them up. If you see multiple IP addresses listed, it’s likely that one of them belongs to the real website host, while the others are Cloudflare’s IP addresses.


or try to lookup for MX records:

dig mx

2. Investigate subdomains

First you need to locate all subdomains which can be achieved by brute-forcing subdomain names. You can use Nmap with script:

nmap --script dns-brute

or you can simply use any tool available to enumerate subdomains:


A highly effective method of obtaining subdomains is through enumeration using the Certificate Transparency logs stored by Censys. Remember to check for SANs - Subject Alternative Name.

3. Find web applications that may expose IP address

Finding the real IP behind a web application involves determining the actual network location of a server hosting the website, as opposed to the domain name or URL used to access it. This can be accomplished through fuzzing method. try on port 2083

Anything that works on different port can expose IP address, search for any third party application that is listening on different port.

4. Use online service

Examining the domain history can also be beneficial, as sometimes the NS records are redirected to Cloudflare without altering the hosting provider.

Another possibility is to use something like Securitytrails to check a domain's DNS history.

5. Discover IP through API calls on WordPress websites

Discovering an IP address can be done by using pingback XMLRPC calls. The pingback feature in WordPress allows a website to notify another website that it has linked to it. The notification is sent via an XMLRPC call to the target website, which can reveal its IP address.

Copy and paste the following template into the XML content text area of this website or save it as a file ping.xml.

<?xml version="1.0" ?>

Execute the following command: Replace '' with the pingback URL from the beginning of this section, and use 'ping.xml' as the relative path to the file you just created.

curl -X POST -d @ping.xml

In an empty terminal window, execute the following command. It will wait for a connection from the target WordPress server. The 'sudo' command is required because the port being listened on is <= to 1024, which are reserved for root/admin access only.

sudo netcat -v -l -p 80

Once the command (curl) has been executed, wait for a short period for the data to appear in your netcat session. You should see something like this:

GET /hello/world HTTP/1.1
User-Agent: WordPress/6.1.1;
Accept: */*
Accept-Encoding: deflate, gzip, br
Connection: close

There are other methods for revealing the IP address hidden by Cloudflare, but they will be explained in a different article.

Join our team

If you're interested in joining our team to assist in researching modern threats across web3, please don't hesitate to reach out to us.

Contact Us

Ready for Action?

Don’t hesitate to contact us if you need more information.
Let's Go!
BTC: bc1qnn4zfqqtexl4fkjk2vz6tk74sn92x326wwn0ph

linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram