Using Fail2Ban to block WordPress login attacks

Introduction

WordPress is a very robust content-management system (CMS) that is free and open source. Because anyone can comment, create an account, and post on WordPress, many malicious actors have created networks of bots and servers that compromise and spam WordPress sites through brute-force attacks.

Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. Written in the Python programming language, it is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally.

Note: In this guide, we will be using version 0.9.6 of Fail2ban on an Debian 9.4 server, but most of it should apply to other distributions as well.

Install fail2ban

It doesn’t get much easier than this:

apt-get update && apt-get install fail2ban

After installing the software, you need to configure it. The default settings will make 5 failed login attempts within 600 seconds to cause an IP ban via the iptables firewall for 600 seconds.

Setting up the Filter and Jail

First we have to set up the filter.

Now, we’ll set up the jail.

Create the file /etc/fail2ban/filter.d/wordpress.conf with the following content:

[Definition]
failregex = ^<HOST> .* "POST .*wp-login.php
            ^<HOST> .* "POST .*xmlrpc.php
ignoreregex =

Create the file /etc/fail2ban/jail.conf

[wordpress]
enabled = true
port = http,https
filter = wordpress
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
logpath = /var/log/httpd/domains/*.log
maxretry = 3
findtime = 10800; 3 hours
bantime = 86400 ; 1 day

Restart fail2ban and you should be all set:

systemctl fail2ban restart

Leave a Reply

Your email address will not be published. Required fields are marked *