Using Fail2Ban to block WordPress login attacks

Introduction

WordPress is a very robust content-management system (CMS) that is free and open source. Because anyone can comment, create an account, and post on WordPress, many malicious actors have created networks of bots and servers that compromise and spam WordPress sites through brute-force attacks.

Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. Written in the Python programming language, it is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally.

Note: In this guide, we will be using version 0.9.6 of Fail2ban on an Debian 9.4 server, but most of it should apply to other distributions as well.

Install fail2ban

It doesn’t get much easier than this:

apt-get update && apt-get install fail2ban

After installing the software, you need to configure it. The default settings will make 5 failed login attempts within 600 seconds to cause an IP ban via the iptables firewall for 600 seconds.

Setting up the Filter and Jail

First we have to set up the filter.

Now, we’ll set up the jail.

Create the file /etc/fail2ban/filter.d/wordpress.conf with the following content:

[Definition]
failregex = ^<HOST> .* "POST .*wp-login.php
            ^<HOST> .* "POST .*xmlrpc.php
ignoreregex =

Create the file /etc/fail2ban/jail.conf

[wordpress]
enabled = true
port = http,https
filter = wordpress
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
logpath = /var/log/httpd/domains/*.log
maxretry = 3
findtime = 10800; 3 hours
bantime = 86400 ; 1 day

Restart fail2ban and you should be all set:

systemctl restart fail2ban

22 Replies to “Using Fail2Ban to block WordPress login attacks”

  1. So unfortunately I’ve found the WordPress.conf to be too general. It simple looks at logins, not necessarily logins which have failed. This locks ME out if I login more than 3 times SUCCESSFULLY in 3 hours. One would think this shouldn’t be an issue, but for some configurations and scenarios this is definitely an issue. Still, thanks for the post. It caused me to think more deeply about this and research a solution that does work.

    1. Hi, this is just an example of how to manage brute force in your own hosting. By the way you can always change find time to less find period and it will work for you. Another option to have WP plugin + Fail2ban

    2. Combine with the 200 signal:

      ” .* “POST .*wp-login.php .*200”

      Because a legitimate user will get a redirect (eg 302), not an “ok” (200), on successful log-in.

  2. I definitely wanted to post a simple remark to thank you for all of the pleasant items you are giving out at this site. My time intensive internet lookup has at the end of the day been paid with good facts to go over with my neighbours. I ‘d assume that many of us visitors actually are rather fortunate to dwell in a very good site with many awesome people with very helpful principles. I feel really grateful to have come across your web pages and look forward to many more entertaining times reading here. Thank you once again for a lot of things.

  3. Hi
    Thanks for this posting. It helped me implementing fail2ban for wordpress.
    There’s one little mistake in the article I noticed. The order of parameters in the restart command is wrong. It should be:
    systemctl restart fail2ban

    Maybe a hint, that the filter rules need to be adjusted if your webserver uses another format. I use it on an environment using ispconfig3. There the entries need to be like this:
    failregex = ^[\w.]*:[\d]{1,5} .* “POST .*wp-login.php
    ^[\w.]*:[\d]{1,5} .* “POST .*xmlrpc.php

  4. whoah this blog is great i love studying your articles.
    Stay up the great work! You know, lots of people are searching around for this info, you can help them greatly.

  5. I do not even know how I ended up here, but
    I thought this post was good. I don’t know who
    you are but definitely you are going to a famous blogger if you aren’t already 😉 Cheers!

  6. Hello, Neat post. There’s an issue along with your website in web explorer, may test this…
    IE still is the marketplace chief and a big component of other
    folks will omit your magnificent writing because of this
    problem.

Leave a Reply

Your email address will not be published. Required fields are marked *