Fail2Ban WordPress login failure jail and filter. Notes: the log path uses 'access*_log' to monitor both http and https logins. This will only work if WordPress is installed in the webroot; tweaking the failregex would be required for installs in sub-directories.
jail.local (file name and [wp-login] section name assumed; the sendmail name="wp-login" below refers to this jail):
[wp-login]
enabled = true
filter = wp-login
action = iptables-multiport[name=wp-login, port="http,https"]
         sendmail[dest="", sendername="Fail2Ban", sender="fail2ban", name="wp-login"]
logpath = /var/www/vhosts/system/*/logs/access*_log
maxretry = 5
findtime = 60
bantime = 1200

filter.d/wp-login.conf (the file name must match 'filter = wp-login' in the jail):
[INCLUDES]
before = apache-common.conf

[Definition]
# The failregex below only matches wp-login.php installed in the web root; use
# the commented alternative for instances where WordPress is installed in a subdirectory.
failregex = ^<HOST>.*] "POST /wp-login.php HTTP/.*" 200
# failregex = ^<HOST>.*] "POST .*/wp-login.php HTTP/.*" 200
ignoreregex =
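As an added example (not part of the gist), the web-root failregex and the jail's maxretry/findtime rule applied to constructed Apache access-log lines in Python; the IPv4-only <HOST> expansion, the helper names and the log lines are assumptions, not fail2ban's own code:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban expands <HOST> into a host/IP pattern; this IPv4-only stand-in is an
# assumption made for this example, not the real fail2ban expansion.
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The gist's failregex for a web-root install, with <HOST> expanded.
FAILREGEX = re.compile(
    r'^<HOST>.*] "POST /wp-login.php HTTP/.*" 200'.replace("<HOST>", HOST_PATTERN)
)

# Apache access-log timestamp, e.g. [10/Oct/2015:12:00:01 +0000] (offset ignored here).
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def failures(lines):
    """Yield (host, timestamp) for every line the filter counts as a failed login."""
    for line in lines:
        m = FAILREGEX.search(line)
        if m and (ts := TS_RE.search(line)):
            yield m.group("host"), datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S")


def hosts_to_ban(lines, maxretry=5, findtime=60):
    """Apply the jail rule: a host is banned once it has maxretry matching
    failures inside any findtime-second window (sliding window per host)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = []
    for host, ts in failures(lines):
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned


# Constructed sample lines (Apache combined format), not taken from a real server.
def _line(host, sec, req, status, minute=0):
    return (f'{host} - - [10/Oct/2015:12:{minute:02d}:{sec:02d} +0000] '
            f'"{req}" {status} 3512 "-" "Mozilla/5.0"')

SAMPLE_LOG = (
    [_line("203.0.113.7", s, "POST /wp-login.php HTTP/1.1", 200) for s in range(0, 50, 10)]
    + [_line("198.51.100.9", 5, "POST /wp-login.php HTTP/1.1", 200, minute=2 * m) for m in range(5)]
    + [_line("192.0.2.1", 7, "GET /wp-login.php HTTP/1.1", 200),       # GET: not a login attempt
       _line("192.0.2.1", 8, "POST /wp-login.php HTTP/1.1", 302),      # 302: successful login
       _line("192.0.2.1", 9, "POST /blog/wp-login.php HTTP/1.1", 200)]  # subdirectory: not matched
)

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))  # → ['203.0.113.7']
```

Only the host with five 200-status POSTs inside 60 seconds is banned; the slow attempts every two minutes, the GET, the 302 and the subdirectory install all fall outside the rule exactly as the gist's notes describe.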

edwardbeckett commented Sep 2, 2015

I'd recommend adding a decent findtime setting to limit the jail window. findtime = 60 seconds and maxretry = 3, etc...



gbot commented Oct 10, 2015

@edwardbeckett Thanks for the suggestion, I was just relying on the findtime in the [default] settings (which is 600), but you're right, using a lower specific value in the jail is a good idea.

