Easy Setup of Fail2ban to Block and Ban WordPress Login Attacks

Learn to set up Fail2ban on an Ubuntu cloud server to jail and ban IP addresses after invalid login attempts, and to tackle brute-force attacks on WordPress.

Every piece of software and every system can be attacked, so securing an online website or blog is a primary job. As we are using the WordPress CMS, thankfully we have the WP fail2ban plugin, which improves overall security and helps deal with malicious parties.

In this article, I’m going to cover how to install and configure the fail2ban program. Fail2ban will protect WordPress from brute-force attacks and ban the sources of repeated invalid login attempts.

Just in case you’re not aware, this is the fifth article and video demo of the #WordPressBlog series. We previously published about the basic WordPress plugin setup.

Let’s dive in and learn more about the fail2ban program.

What is Fail2ban?

Fail2ban scans log files and bans IPs that show malicious signs: too many password failures, probing for exploits, and so on. It protects servers from brute-force attacks.

The program is written in Python and supports various software programs and servers out of the box, such as Nginx, Postfix and Sendmail.

In our case, we will be using Fail2ban to ban the sources of malicious WordPress login attempts.

Install fail2ban on Ubuntu & WordPress

Fail2ban is not pre-installed on the Ubuntu cloud server. Run the following commands to update the APT package lists and install the fail2ban program.

sudo apt-get update
sudo apt-get install fail2ban

install fail2ban on Ubuntu Cloud

Once you’ve installed the program on the server, you will also need to add the WordPress plugin called WP fail2ban.

This plugin captures every WordPress login attempt, along with the client IP, in a log file. Fail2ban reads these log records to ban IP addresses with multiple invalid attempts.

Follow the steps to install WP fail2ban on WordPress:

  1. Log in to the WordPress Dashboard
  2. Navigate to Add New under the Plugins menu
  3. Search for and install the WP fail2ban plugin
  4. Activate the plugin, and that’s all

WP fail2ban WordPress Plugin

The plugin also has a premium version that allows configuration from the UI. However, since we are using the free version, we need to set up the filter and jail conditions manually on the server side.

WP fail2ban plugin option disabled

Don’t worry, it’s quite easy!

Setting up the Filter and Jail

Now that we have fail2ban installed on the server and the plugin installed in WordPress, let’s copy the plugin’s filter file (the matching regexes) into the fail2ban directory.

Use the command below to copy the WordPress hard-regex filter file into the filter.d directory. The -o flag makes curl itself write the file: a shell redirection (>) would run without sudo’s privileges and fail with a permission error.

sudo curl -fsSL -o /etc/fail2ban/filter.d/wordpress.conf https://plugins.svn.wordpress.org/wp-fail2ban/trunk/filters.d/wordpress-hard.conf

[Note: there is also a soft filter configuration file; however, I strongly recommend using the hard filter for better security.]

Next, we will set up the jail for invalid authentication. Create a WordPress jail file using the command below:

sudo nano /etc/fail2ban/jail.d/wordpress.conf

WordPress Jail configuration for fail2ban

Paste the jail rules below into the wordpress.conf file that we created above. The [wordpress] section header is required: it names the jail, and fail2ban cannot parse a jail file whose keys sit outside a section.

[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/auth.log
port = http,https

Fail2ban WordPress JAIL configuration

Save and close the nano editor to keep the jail configuration.

Customizing the Jail

You can customize the jail or ban behaviour using jail.conf. There are many settings available in this file. (Fail2ban also reads the same keys from a jail.local file, which package upgrades leave untouched, so that is the safer place for overrides.)

However, I’d strongly suggest not making any changes unless you know what you’re doing.

sudo nano /etc/fail2ban/jail.conf

The entries are found under the [DEFAULT] section. I will be making only 3 changes:

  1. Maximum login attempts before the ban: 3 (maxretry)
  2. Those 3 login attempts must fall within a time span of 3 hours (findtime)
  3. Jail or ban for 12 hours after 3 invalid login attempts (bantime)

maxretry = 3
findtime = 3h
bantime = 12h

Fail2ban JAIL configuration file - maxretry bantime findtime

Now that the filter and jail configuration are all set, restart fail2ban using the command below:

sudo service fail2ban restart

Finally, test fail2ban with multiple invalid login attempts on your WordPress login screen. After the third incorrect login attempt, the WordPress blog will be inaccessible from that IP for the 12-hour ban time.

Invalid Login Attempts WP-LOGIN

Just in case your own IP address got banned, look up the banned IP address in /var/log/fail2ban.log.

IP Address in fail2ban.log file

Then use the command below to unban it (fail2ban-client talks to the daemon’s socket, so it needs root):

sudo fail2ban-client set wordpress unbanip YOUR.IP.ADDRESS.HERE

FAIL2BAN command for UNBAN and BAN

Watch the fail2ban setup video

Watch this video of the fail2ban setup and learn how to configure the jails and filters to block invalid login attempts.

Setup Fail2ban to Block WordPress Invalid Login & Brute Force Attack

I hope you liked the video, please subscribe to our channel for more updates.

What’s next in the #WordPressCloud series

Now that you’ve learned how to secure the WordPress installation with the WP fail2ban plugin, we will next learn how to optimize the MySQL database. We will be using a sweet plugin, WP-Optimize, for that.

If you have any thoughts on Easy Setup of Fail2ban to Block and Ban WordPress Login Attacks, feel free to drop them in the comment box below. If you find this article helpful, please consider sharing it with your network.

Also, please subscribe to our restoreBin YouTube channel for helpful videos.

Disclosure: This page may contain affiliate links, which means we may receive compensation for your purchases using our links; of course at no extra cost to you (indeed, you may get special discounts). This will support our effort to create more useful content, and keep it open and free forever.

1 Response

  1. Luis M says:

    Hi, I have a question about WP-fail2ban. I have my server configured on GMT-5, so almost everything on the server works with this timezone, including my auth.log. I also set this timezone in the WordPress configuration.
    The problem is that when fail2ban writes to the auth.log it does that with UTC time. So as a result fail2ban doesn't detect the login issues and skips the ban for the user.

    Jan 28 18:44:04 user sshd[11194]: Received disconnect from 37.187.XXX.XXX port 58090:11: Bye Bye [preauth]
    Jan 28 18:44:04 user sshd[11194]: Disconnected from 37.187.XXX.XXX port 58090 [preauth]
    Jan 28 23:44:09 user wordpress(www.xxMySite.com.co)[10585]: XML-RPC authentication attempt for unknown user admin from 78.47.218.spammer
    Jan 28 23:44:12 user wordpress(www.xxMySite.com.co)[10584]: XML-RPC authentication attempt for unknown user admin from 78.47.218.spammer
    Jan 28 23:44:15 user wordpress(www.xxMySite.com.co)[10583]: XML-RPC authentication attempt for unknown user admin from 78.47.218.spammer
    Jan 28 18:44:20 user sshd[11228]: Failed password for root from 150.158.XXX.XXX port 40932 ssh2
    Jan 28 18:44:22 user sshd[11228]: Received disconnect from 150.158.XXX.XXX port 40932:11: Bye Bye [preauth]
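To see how maxretry, findtime and bantime from the Customizing the Jail section interact, and why the UTC-stamped WordPress lines in the comment above go unnoticed on a GMT-5 host, here is an added Python model (not fail2ban’s own code, and not from this article or the plugin). It assumes the two message formats in FAILREGEX and a constructed sample log with documentation-range addresses.

```python
import re
from datetime import datetime, timedelta

MAXRETRY, FINDTIME, BANTIME = 3, timedelta(hours=3), timedelta(hours=12)  # jail settings

# WP fail2ban syslog lines carrying an attacker address: the XML-RPC form is shown
# in the comment above; the "Authentication failure" (wrong password) form is assumed.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ wordpress\([^)]*\)\[\d+\]: "
    r"(?:XML-RPC authentication attempt for unknown user \S+"
    r"|Authentication failure for \S+) from (?P<host>\S+)$"
)

def parse_ts(text, year):
    # syslog stamps carry no year and no zone: assume the given year, host-local time
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def scan(lines, now, year=2020):
    """Simplified model of maxretry/findtime/bantime (not fail2ban's own code).
    `now` is the host clock in the log's "Mon DD HH:MM:SS" form. Returns
    ({ip: ban_expiry}, [skipped lines]); a line stamped after `now` is skipped,
    which is the clock-skew case from the comment (UTC stamps, GMT-5 host)."""
    clock = parse_ts(now, year)
    failures, bans, skipped = {}, {}, []
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:                      # lines from other programs never count here
            continue
        ts, host = parse_ts(m.group("ts"), year), m.group("host")
        if ts > clock:
            skipped.append(line)
            continue
        # keep only this host's failures inside the findtime window ending at ts
        recent = [t for t in failures.get(host, []) if ts - t <= FINDTIME]
        recent.append(ts)
        failures[host] = recent
        if len(recent) >= MAXRETRY and host not in bans:
            bans[host] = ts + BANTIME  # banned until this time
    return bans, skipped

# Constructed sample log (documentation-range IPs); the last three lines are
# UTC-stamped, five hours ahead of a GMT-5 host clock that reads 18:45.
SAMPLE_LOG = """\
Jan 28 16:01:10 host wordpress(www.example.com)[10581]: Authentication failure for admin from 203.0.113.5
Jan 28 17:30:40 host wordpress(www.example.com)[10582]: Authentication failure for admin from 203.0.113.5
Jan 28 18:40:02 host wordpress(www.example.com)[10583]: XML-RPC authentication attempt for unknown user admin from 203.0.113.5
Jan 28 23:44:09 host wordpress(www.example.com)[10585]: XML-RPC authentication attempt for unknown user admin from 198.51.100.7
Jan 28 23:44:12 host wordpress(www.example.com)[10584]: XML-RPC authentication attempt for unknown user admin from 198.51.100.7
Jan 28 23:44:15 host wordpress(www.example.com)[10583]: XML-RPC authentication attempt for unknown user admin from 198.51.100.7
""".splitlines()
```

Calling scan(SAMPLE_LOG, "Jan 28 18:45:00") bans only 203.0.113.5 and skips the three 198.51.100.7 lines; with the clock at "Jan 28 23:45:00" both hosts are banned.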
