This guide shows how to set up a custom fail2ban filter and jail that watch the Apache access log and ban malicious attackers who brute-force wp-login.php.
# apt install fail2ban
First create the filter file:
# nano /etc/fail2ban/filter.d/wordpress.conf
Add these:
[Definition]
failregex = ^<HOST> .* "POST /wp-login.php .* 200 \d* "https?://.*"$
ignoreregex =
Then create the jail file:
# nano /etc/fail2ban/jail.d/wordpress.conf
Add these:
[wordpress]
enabled = true
port = http,https
filter = wordpress
# add to iptables
#action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
logpath = /var/log/apache2/access.log
maxretry = 10
# bantime 1 day = 86400
bantime = 86400
And feel free to modify the bantime or maxretry to your heart's content :)
Now you can enable this "jail" with the fail2ban client (CLI). The command is:
# fail2ban-client add wordpress && fail2ban-client start wordpress
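Restart fail2ban:
# service fail2ban restart && fail2ban-server restart
Check the jail status:
# fail2ban-client status wordpress
Watch the fail2ban log:
# tail -f /var/log/fail2ban.log
Ban or unban an address manually:
# fail2ban-client set wordpress banip 1.2.3.4
# fail2ban-client set wordpress unbanip 1.2.3.4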
If you want or need to customize the filter, you might google for a resource on filters. The website linked me to https://docs.python.org/2/library/re.html as a resource for the regex format used. To test the regex you can use the command:
# fail2ban-regex /var/log/apache2/access.log wordpress
which should tell you the number of matches found for the regex. Change the log location or filter as needed.
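To see which requests the failregex actually counts, here is an added Python example (not part of the original guide and not fail2ban's own code) that applies the same expression to constructed Apache combined-format lines. The IPv4-only stand-in for <HOST>, the helper names and the sample addresses are assumptions, and the ban check ignores findtime by treating every line as inside the window.

```python
import re
from collections import Counter

# failregex copied verbatim from the filter file in this guide.
FAILREGEX = r'^<HOST> .* "POST /wp-login.php .* 200 \d* "https?://.*"$'

# Assumption: IPv4-only stand-in for fail2ban's <HOST> tag, which in the real
# tool also matches IPv6 addresses and hostnames.
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
PATTERN = re.compile(FAILREGEX.replace('<HOST>', HOST))

MAXRETRY = 10  # same value as the jail in this guide
REF = 'https://example.com/wp-login.php'  # constructed referer

def log_line(ip, method, status, referer, second):
    """Build one constructed Apache combined-format line for wp-login.php."""
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 3921 '
            f'"{referer}" "Mozilla/5.0"')

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = (
    # ten failed logins: WordPress answers a wrong password with 200
    [log_line('203.0.113.5', 'POST', 200, REF, s) for s in range(10)]
    + [
        # successful login is a redirect (302), so it is not counted
        log_line('198.51.100.7', 'POST', 302, REF, 20),
        # loading the login form is a GET, so it is not counted
        log_line('198.51.100.7', 'GET', 200, '-', 21),
        # POST logged with an empty referer ("-"): this filter does not count it
        log_line('192.0.2.44', 'POST', 200, '-', 22),
    ]
)

def count_failures(lines):
    """Return a Counter of host -> number of lines the failregex matched."""
    hits = Counter()
    for line in lines:
        m = PATTERN.match(line)
        if m:
            hits[m.group('host')] += 1
    return hits

def hosts_to_ban(lines, maxretry=MAXRETRY):
    """Hosts that reached maxretry; assumes every line is inside findtime."""
    return sorted(h for h, n in count_failures(lines).items() if n >= maxretry)
```

Because the expression requires a referer beginning with http:// or https://, login POSTs logged with "-" in that field never reach maxretry; compare the fail2ban-regex match count against the total number of POST lines for wp-login.php in your own log to see how much this filter covers.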