Using fail2ban to Secure WordPress by Automatically Blocking Repeated Login Attempts

There have been a lot of high-profile hacks on WordPress websites lately, with the latest of these targeting over 1.5 million websites. One of the methods that criminals and hackers use to gain access to WordPress websites is the brute-force attack.

Conventionally, a brute-force attack is a repeated trial-and-error method used to obtain information such as usernames, passwords, and login details. In a brute-force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. The inputs are either based on a file input or a set of dictionary words.

In this post, we will discuss how to use fail2ban to secure your WordPress site so that multiple login attempts are blocked automatically. fail2ban is a tool that monitors the requests your web server records in its log files for certain events, then blocks any requests that are repeated more than a certain number of times. Most malicious requests are repeated many times over.

1. Installing fail2ban

If you don’t have fail2ban installed already, you can install it from the package manager. The example below uses Ubuntu; on CentOS you would use yum.

sudo apt-get install fail2ban

2. Creating a fail2ban rule

Before fail2ban can help us block malicious WordPress login attacks, we have to set up a fail2ban rule. This rule teaches fail2ban which paths to look out for in the log files. All WordPress logins go to the wp-login.php file, so that is the path the rule matches.

Create the file /etc/fail2ban/filter.d/wp-auth.conf and add the code below to it. This essentially adds the WordPress login path to the fail2ban auth config.

# WordPress brute force auth filter: /etc/fail2ban/filter.d/wp-auth.conf:
# Block IPs trying to auth wp wordpress
# Sample login Matches e.g.
# - [07/Jun/2016:11:15:29] "POST /wp/wp-login.php HTTP/1.0" 200 4523
# <HOST> is the fail2ban tag that captures the client address to ban;
# a failregex without it cannot be used.
[Definition]
failregex = ^<HOST> .* "POST /wp/wp-login.php
ignoreregex =

After this, add the rule to jail.local. We could add the rule to the list of other fail2ban rules in jail.conf; however, the jail.local file is used for custom rules, and it should survive upgrades.

Create /etc/fail2ban/jail.local if it does not already exist. Restart fail2ban using the command below.

service fail2ban restart
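
To see what the filter matches before relying on it, the Python example below (added here, not part of the original post) applies the failregex to constructed access-log lines and counts matches per host the way a jail threshold would. The IPv4-only `<HOST>` stand-in and the `maxretry=3` / `findtime=600` values are assumptions for illustration, not settings taken from this page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban expands <HOST> to a host-capturing group; this IPv4-only
# stand-in is a simplification assumed for the example.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(r'^<HOST> .* "POST /wp/wp-login.php'.replace("<HOST>", HOST))
STAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})")

# Constructed access-log lines using documentation address ranges.
SAMPLE_LOG = """\
192.0.2.44 - - [07/Jun/2016:11:00:00 +0000] "POST /wp/wp-login.php HTTP/1.1" 200 4523
192.0.2.44 - - [07/Jun/2016:11:06:00 +0000] "POST /wp/wp-login.php HTTP/1.1" 200 4523
192.0.2.44 - - [07/Jun/2016:11:12:00 +0000] "POST /wp/wp-login.php HTTP/1.1" 200 4523
203.0.113.7 - - [07/Jun/2016:11:15:29 +0000] "POST /wp/wp-login.php HTTP/1.0" 200 4523
203.0.113.7 - - [07/Jun/2016:11:15:31 +0000] "POST /wp/wp-login.php HTTP/1.0" 200 4523
203.0.113.7 - - [07/Jun/2016:11:15:33 +0000] "POST /wp/wp-login.php HTTP/1.0" 200 4523
198.51.100.20 - - [07/Jun/2016:11:20:00 +0000] "GET /wp/wp-login.php HTTP/1.1" 200 2810
198.51.100.20 - - [07/Jun/2016:11:20:09 +0000] "POST /wp/wp-login.php HTTP/1.1" 302 0
192.0.2.99 - - [07/Jun/2016:11:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4523
""".splitlines()

def matches(lines):
    """Yield (host, time) for every line the failregex matches."""
    for line in lines:
        hit, stamp = FAILREGEX.search(line), STAMP.search(line)
        if hit and stamp:
            yield hit.group("host"), datetime.strptime(stamp.group(1), "%d/%b/%Y:%H:%M:%S")

def hosts_to_ban(lines, maxretry=3, findtime=600):
    """Hosts reaching maxretry matches within findtime seconds, in ban order."""
    recent, banned = defaultdict(deque), []
    for host, when in matches(lines):
        window = recent[host]
        window.append(when)
        # Drop matches that have aged out of the findtime window.
        while when - window[0] > timedelta(seconds=findtime):
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print("matched hosts:", sorted({h for h, _ in matches(SAMPLE_LOG)}))
    print("would be banned:", hosts_to_ban(SAMPLE_LOG))
```

On the sample lines, the POST answered with a 302 redirect also counts as one match because the filter matches every POST to the login path regardless of status, and the POST to /wp-login.php without the /wp/ prefix is not matched at all.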

3. Conclusion

With the fail2ban blocking rule fully set up, login attempts to wp-login.php should now get blocked in the iptables firewall. You will be able to check the list of blocked IP addresses in iptables with this command:

iptables -vnL

or, to see the host names the IP addresses resolve to:

iptables -L

Now all repeated login attempts should be blocked.