Using Fail2Ban to block WordPress login attacks


WordPress is a very robust content-management system (CMS) that is free and open source. Because anyone can comment, create an account, and post on WordPress, many malicious actors have created networks of bots and servers that compromise and spam WordPress sites through brute-force attacks.

Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. Written in the Python programming language, it is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally.

Note: In this guide, we will be using version 0.9.6 of Fail2ban on an Debian 9.4 server, but most of it should apply to other distributions as well.

Install fail2ban

It doesn’t get much easier than this:

apt-get update && apt-get install fail2ban

After installing the software, you need to configure it. The default settings will make 5 failed login attempts within 600 seconds to cause an IP ban via the iptables firewall for 600 seconds.

Setting up the Filter and Jail

First we have to set up the filter.

Now, we’ll set up the jail.

Create the file /etc/fail2ban/filter.d/wordpress.conf with the following content:

failregex = ^<HOST> .* "POST .*wp-login.php
            ^<HOST> .* "POST .*xmlrpc.php
ignoreregex =

Create the file /etc/fail2ban/jail.conf

enabled = true
port = http,https
filter = wordpress
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
logpath = /var/log/httpd/domains/*.log
maxretry = 3
findtime = 10800; 3 hours
bantime = 86400 ; 1 day

Restart fail2ban and you should be all set:

systemctl fail2ban restart

4 Replies to “Using Fail2Ban to block WordPress login attacks”

  1. So unfortunately I’ve found the WordPress.conf to be too general. It simple looks at logins, not necessarily logins which have failed. This locks ME out if I login more than 3 times SUCCESSFULLY in 3 hours. One would think this shouldn’t be an issue, but for some configurations and scenarios this is definitely an issue. Still, thanks for the post. It caused me to think more deeply about this and research a solution that does work.

    1. Hi, this is just an example of how to manage brute force in your own hosting. By the way you can always change find time to less find period and it will work for you. Another option to have WP plugin + Fail2ban

  2. I definitely wanted to post a simple remark to thank you for all of the pleasant items you are giving out at this site. My time intensive internet lookup has at the end of the day been paid with good facts to go over with my neighbours. I ‘d assume that many of us visitors actually are rather fortunate to dwell in a very good site with many awesome people with very helpful principles. I feel really grateful to have come across your web pages and look forward to many more entertaining times reading here. Thank you once again for a lot of things.

Leave a Reply

Your email address will not be published. Required fields are marked *