Block bad login attempts to WordPress /wp-admin using Fail2Ban

To add on to my previous post (Block SMTP Relays with Fail2Ban), this is a write-up on using Fail2Ban to block bad WordPress admin login attempts by watching your Apache access log for 500 and 403 HTTP responses.

You may want to use a maxretry of 3 so you don’t lock yourself out, or set a minimal ban time.

Edit /etc/fail2ban/jail.local

Add a section for [wordpress]

[wordpress]
enabled = true
port = http,https
filter = wordpress
logpath = /var/log/apache2/access.log
maxretry = 3
findtime = 60
bantime = 720

Now create /etc/fail2ban/filter.d/wordpress.conf

[Definition]
failregex = ^.*:(80|443) <HOST> .*(GET|POST) .*/wp-login.php.* (500|403) .*$
            ^.*:(80|443) <HOST> .*(GET|POST) .*/xmlrpc.* (500|403|200) .*$
ignoreregex =

Save the config file and run from the shell prompt:

sudo service fail2ban restart
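To see what the filter and jail above will actually act on, here is an added example (not part of the original write-up and not Fail2Ban's own code) that applies the two failregex lines with maxretry = 3 and findtime = 60 to constructed log lines. It shows that the patterns only match lines starting with a vhost:port prefix, as in Apache's vhost_combined log format, and that xmlrpc requests answered with 200 count as failures too. The function names, the IPv4-only stand-in for <HOST> and all sample addresses are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# IPv4-only stand-in for Fail2Ban's <HOST> tag (assumption of this example).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [  # the two patterns from wordpress.conf above, unchanged
    r"^.*:(80|443) <HOST> .*(GET|POST) .*/wp-login.php.* (500|403) .*$",
    r"^.*:(80|443) <HOST> .*(GET|POST) .*/xmlrpc.* (500|403|200) .*$",
]
PATTERNS = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]
MAXRETRY, FINDTIME = 3, timedelta(seconds=60)  # from the [wordpress] jail
STAMP = re.compile(r"\[([^\]]+)\]")

def line(prefix, ip, hhmmss, path, status):
    """Build one constructed access-log line."""
    return (f'{prefix}{ip} - - [10/Mar/2024:{hhmmss} +0000] '
            f'"POST {path} HTTP/1.1" {status} 512 "-" "sample-agent"')

VHOST = "blog.example:443 "  # vhost:port prefix the patterns expect
SAMPLE_LOG = (  # constructed data, documentation-range addresses
    [line(VHOST, "203.0.113.7", f"10:00:0{s}", "/wp-login.php", 403) for s in (1, 5, 9)]
    + [line(VHOST, "198.51.100.20", f"10:00:{s}", "/xmlrpc.php", 200) for s in (10, 20, 30)]
    + [line(VHOST, "192.0.2.9", "10:00:12", "/wp-login.php", 200)]
    + [line("", "198.51.100.99", f"10:01:0{s}", "/wp-login.php", 403) for s in (1, 2, 3)]
)

def failures(lines):
    """Yield (host, time) for every line that one of the patterns matches."""
    for text in lines:
        match = next((m for m in (p.search(text) for p in PATTERNS) if m), None)
        if match:
            stamp = STAMP.search(text).group(1)
            yield match.group("host"), datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")

def banned_hosts(lines):
    """Hosts with MAXRETRY failures inside one FINDTIME window."""
    recent, banned = defaultdict(deque), set()
    for host, when in failures(lines):
        recent[host].append(when)
        while when - recent[host][0] > FINDTIME:
            recent[host].popleft()
        if len(recent[host]) >= MAXRETRY:
            banned.add(host)
    return banned

if __name__ == "__main__":
    print(sorted(banned_hosts(SAMPLE_LOG)))
```

On a live system, fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/wordpress.conf runs the real filter against the real log and reports how many lines matched.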

If you use Munin, you should see at least a couple of entries within a day or so.

 

That’s it! If this helped you, please comment below.
