@iamsajidjaved
Forked from welenofsky/fail2ban-wordpress.md
Last active June 30, 2022 12:59
Basic Wordpress Fail2Ban Filter (Debian/Ubuntu Apache2)

Blocking wp-login.php brute forcing

This guide shows how to set up a custom fail2ban filter and jail that watches the Apache access log and bans attackers who brute-force wp-login.php. We have all seen it in our access logs; on WordPress and non-WordPress sites alike it is the most common thing that stands out as a blind brute force. I'm tired of it, so I found out how to ban them.

Install fail2ban using apt-get

sudo apt-get install fail2ban

Create the wordpress filter

This filter watches the Apache access log. For my testing I did this on Debian Buster (10.1), which at the time of writing shipped apache2 2.4.38. First create a file at:

/etc/fail2ban/filter.d/wordpress.conf

I created this basic filter and may update it after further testing. Right now I am waiting for the ban from my initial test to expire, so I decided to write up a guide while I wait (even though I could unban myself with fail2ban-client set wordpress unbanip <IPADDR>). Here is the filter definition; save it to wordpress.conf:

[Definition]
failregex = ^<HOST> .*"POST [^"]*(?:wp-login\.php|xmlrpc\.php)[^"]*" 200\b
ignoreregex =

A simple filter: a POST to wp-login.php that is answered with a 200 is a failed login, because WordPress redraws the form with an error message. A successful login does not return 200; it returns a 302 redirect to the dashboard, so the regex does not match. Keeping the path inside the quoted request line and requiring the 200 to be the whole status field (the word boundary after it) stops a 302 whose response size happens to begin with 200 from being counted as a strike. One caveat: xmlrpc.php answers 200 whether or not the credentials were valid, so that half of the alternation also counts legitimate XML-RPC clients (Jetpack, the mobile apps); drop xmlrpc\.php from the filter if you rely on those.

Creating the "jail"

Fail2ban has the concept of "jails", which is a fancy name for a config section that ties a filter to a log file and a ban action. You can really go to town with these, and I can't wait to explore more, but for now this is all we need. Put this at:

/etc/fail2ban/jail.d/wordpress.conf

with these contents:

[wordpress]
enabled = true
filter = wordpress
# Apache access log; adjust the path for your layout.
# nginx/php-fpm logs are formatted differently and need their own filter.
logpath = /var/log/apache2/access.log
# Only block the web ports; the default port setting would ban every port.
port = http,https
# How many 'strikes' an IP gets within findtime before it is banned
maxretry = 10
findtime = 10m
# How long the IP stays banned. Plain seconds also work; see jail.conf(5) for the shorthand.
bantime = 1 day

Feel free to adjust bantime, findtime or maxretry to your heart's content :)
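To see what the filter does and does not count before pointing it at a live log, here is an added Python script (not part of the gist and not fail2ban's own code) that applies the gist's failregex and a tightened variant to constructed Apache combined-format lines and tallies strikes per host the way the jail's maxretry does. It assumes the simplified `<HOST>` expansion fail2ban has used for IPv4 matching and applies the regex to the whole line, which is close enough to fail2ban's matching for this purpose; all log lines and IP addresses are made up.

```python
import re
from collections import Counter

# Simplified form of the regex fail2ban substitutes for <HOST> (assumption:
# fail2ban's current expansion is more elaborate; this one covers IPv4 lines).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex as first written in the gist.
ORIGINAL_FAILREGEX = r"<HOST>.*POST.*(wp-login\.php|xmlrpc\.php).* 200"

# Tightened variant: host anchored at line start, path confined to the quoted
# request line, and 200 required to be the whole status field.
TIGHT_FAILREGEX = r'^<HOST> .*"POST [^"]*(?:wp-login\.php|xmlrpc\.php)[^"]*" 200\b'


def compile_failregex(failregex):
    """Expand <HOST> and compile, mirroring what fail2ban does with a filter."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def count_hits(lines, failregex):
    """Return a Counter of matching lines per host (one 'strike' per match)."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        m = pattern.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def offenders(lines, failregex, maxretry=10):
    """Hosts that reach maxretry strikes, i.e. what the jail would ban
    (assuming every line falls inside one findtime window)."""
    return {host for host, n in count_hits(lines, failregex).items()
            if n >= maxretry}


def apache_line(ip, request, status, size):
    """Build one constructed Apache combined-format access log line."""
    return (f'{ip} - - [30/Jun/2022:12:59:01 +0000] "{request}" '
            f'{status} {size} "-" "Mozilla/5.0"')


# Constructed sample traffic, not taken from any real server.
SAMPLE_LINES = (
    # ten failed logins from one source: the brute-forcer the jail is for
    [apache_line("198.51.100.7", "POST /wp-login.php HTTP/1.1", 200, 4513)] * 10
    # a legitimate user: loads the form (GET 200), then logs in (POST 302)
    + [apache_line("203.0.113.5", "GET /wp-login.php HTTP/1.1", 200, 4513),
       apache_line("203.0.113.5", "POST /wp-login.php HTTP/1.1", 302, 4)]
    # a successful login whose response size happens to start with "200"
    + [apache_line("192.0.2.9", "POST /wp-login.php HTTP/1.1", 302, 2001)]
    # a valid XML-RPC call: WordPress answers 200 even when auth succeeds
    + [apache_line("203.0.113.88", "POST /xmlrpc.php HTTP/1.1", 200, 370)]
)


if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL_FAILREGEX), ("tightened", TIGHT_FAILREGEX)):
        print(f"{name}: hits={dict(count_hits(SAMPLE_LINES, rx))} "
              f"banned={offenders(SAMPLE_LINES, rx)}")
```

Both regexes ban the brute-forcer after ten strikes, but the original also gives 192.0.2.9 a strike for a successful login because " 2001" contains " 200", while the tightened one does not. Neither version distinguishes the XML-RPC client at 203.0.113.88 from an attacker, which is the xmlrpc.php caveat above: lower maxretry or a chatty Jetpack site and that host gets banned too.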

Enable and start the "jail"

Because the file in jail.d sets enabled = true, fail2ban picks the jail up the next time it reads its configuration. Either ask the running server to reload:

sudo fail2ban-client reload

or restart the service with sudo systemctl restart fail2ban. The Debian package runs fail2ban as a service, so the jail also comes back after a reboot.

Check the "jail" status

To confirm the server is running and the jail is loaded:

sudo fail2ban-client status

and for the strike counts and currently banned addresses of this jail alone:

sudo fail2ban-client status wordpress

Before trusting the filter, check what it matches in your real log with fail2ban-regex, which reports how many lines matched and how many were missed:

sudo fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/wordpress.conf

References

  1. https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-centos-7
  2. https://graspingtech.com/using-fail2ban-protect-wordpress-blog-brute-force-attacks/
@iamsajidjaved (Author) commented:

Apache log path for Bitnami WordPress: /opt/bitnami/apache/logs/access_log
