Introduction
WordPress is a very robust content-management system (CMS) that is free and open source. Because anyone can comment, create an account, and post on WordPress, many malicious actors have created networks of bots and servers that compromise and spam WordPress sites through brute-force attacks.
Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. Written in the Python programming language, it is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally.
Note: In this guide, we will be using version 0.9.6 of Fail2ban on a Debian 9.4 server, but most of it should apply to other distributions as well.
Install fail2ban
It doesn’t get much easier than this:
apt-get update && apt-get install fail2ban
After installing the software, you need to configure it. With the default settings, 5 failed login attempts within 600 seconds cause the offending IP to be banned via the iptables firewall for 600 seconds.
Setting up the Filter and Jail
First we have to set up the filter. Create the file /etc/fail2ban/filter.d/wordpress.conf with the following content:

[Definition]
failregex = ^<HOST> .* "POST .*wp-login.php
            ^<HOST> .* "POST .*xmlrpc.php
ignoreregex =

Now, we'll set up the jail. Create the file /etc/fail2ban/jail.conf with the following content:

[wordpress]
enabled = true
port = http,https
filter = wordpress
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
logpath = /var/log/httpd/domains/*.log
maxretry = 3
findtime = 10800 ; 3 hours
bantime = 86400 ; 1 day
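To see what this filter and jail would do before enabling them, here is an added Python example (not part of the original guide and not Fail2Ban's own code) that applies the two failregex lines to constructed Apache access-log lines and counts hits per client with the jail's findtime and maxretry values. The <HOST> stand-in, the sample IPs and the sliding-window count are assumptions; the window is a simplification of Fail2Ban's own failure bookkeeping.

```python
import re
from datetime import datetime, timedelta

# The two failregex lines from the filter above. Fail2Ban substitutes <HOST>
# with its own host/IP pattern before compiling; a simple stand-in is assumed here.
FAILREGEX = [
    r'^<HOST> .* "POST .*wp-login.php',
    r'^<HOST> .* "POST .*xmlrpc.php',
]
HOST_RE = r"(?P<host>\S+)"
PATTERNS = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]
# Apache timestamp, e.g. [10/Oct/2018:13:55:36 +0000] (UTC offset ignored here).
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

FINDTIME = 10800  # seconds (3 hours), as in the jail
MAXRETRY = 3

# Constructed sample access-log lines using documentation IP ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2018:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2018:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2018:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2018:13:56:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/7.58.0"
198.51.100.7 - - [10/Oct/2018:13:57:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2018:18:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2018:18:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".splitlines()

def offending_host(line):
    """Return the client host if any failregex matches the line, else None."""
    for pat in PATTERNS:
        m = pat.match(line)
        if m:
            return m.group("host")
    return None

def hosts_to_ban(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Report hosts that reach maxretry matches within a findtime-second window."""
    recent, banned = {}, set()
    for line in lines:
        host, ts = offending_host(line), TS_RE.search(line)
        if host is None or ts is None:
            continue  # GET requests and non-login POSTs never match
        when = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S")
        window = [t for t in recent.get(host, []) if when - t <= timedelta(seconds=findtime)]
        window.append(when)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned
```

Against a real log, fail2ban-regex /var/log/httpd/domains/example.log /etc/fail2ban/filter.d/wordpress.conf gives the authoritative match count for the filter.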
Restart fail2ban and you should be all set:
systemctl restart fail2ban