@trepmal
Last active March 1, 2016 19:46
# /etc/fail2ban/filter.d/honeypot.conf
#
# Fail2Ban configuration file
#
# Author: Charles Lecklider
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
# Daemon name picked up by the __prefix_line pattern from common.conf.
# NOTE(review): this has to match the syslog tag the WordPress messages are
# logged under -- confirm against a real log line.
_daemon = wordpress
# Option: failregex
# Notes.: regex to match the honeypot message in the logfile, i.e. the line
# "Bot in the Honeypot from <address>" that the Simple Honeypot plugin
# writes through syslog(). The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# The pattern is anchored with ^ and $, so the address has to be the
# last thing on the line; a line with anything after the address does not
# match and causes no ban.
# Values: TEXT
#
failregex = ^%(__prefix_line)sBot in the Honeypot from <HOST>$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Left empty here, so no matching line is ignored.
# Values: TEXT
#
ignoreregex =
# append to jail.local
#
# Jail for the honeypot filter: a client that fills in the hidden comment
# field maxretry times within findtime seconds is blocked for bantime seconds.
[honeypot]
enabled = true
# Refers to filter.d/honeypot.conf
filter = honeypot
# The ban covers TCP ports 80 and 443 only; "name" labels the iptables rules.
# NOTE(review): if another jail already uses name=wordpress, both jails share
# that name -- confirm this is intended.
# NOTE(review): the ban is applied to the address found in the log line. If
# the site sits behind a reverse proxy or CDN, confirm that this is the real
# client address and that blocking it on this host has any effect.
# NOTE(review): consider listing your own management addresses in ignoreip so
# a test of the honeypot cannot lock you out.
action = iptables-multiport[name=wordpress,port="80,443"]
# Must be the file that receives the plugin's syslog() messages.
# NOTE(review): /var/log/auth.log presumably relies on the facility chosen by
# wp-fail2ban's openlog() -- confirm against your syslog configuration.
logpath = /var/log/auth.log
# Number of honeypot hits that triggers a ban
maxretry = 2
# Window in which the hits are counted: 300 seconds (5 minutes)
findtime = 300
# Ban duration: 43200 seconds (12 hours)
bantime = 43200
<?php
/**
* Plugin Name: Simple Honeypot
* Description: Basic honeypot for comment form with fail2ban integration. Requires: https://wordpress.org/plugins/wp-fail2ban/
* Author: Kailey Lampert
* Author URI: kaileylampert.com
* Version: 0.1
* License: GPLv2 or later
*/
/**
 * Prints the honeypot input for the comment form.
 *
 * The field is a plain text input named "sh" inside a span hidden with inline
 * CSS, so a person using the form never sees it while a script that fills in
 * every input will. The markup passes through the 'honeypot_field' filter
 * (with the field name as extra argument) before it is echoed.
 *
 * NOTE(review): sh_pre_comment_on_post() reads $_POST['sh'] directly, so a
 * 'honeypot_field' callback that renames the input would disable the check.
 * NOTE(review): consider adding autocomplete='off' to the input so browser
 * autofill cannot populate the hidden field and get a real visitor logged as
 * a bot -- verify against the browsers you care about.
 *
 * @return void
 */
function sh_comment_form_after_fields() {
	$trap_name = 'sh';

	// Hidden wrapper plus text input; the name is what the submit handler looks for.
	$markup = sprintf(
		"<span style='display: none; '><input type='text' name='%s' /></span>",
		$trap_name
	);

	echo apply_filters( 'honeypot_field', $markup, $trap_name );
}
// Render the honeypot input on the comment_form_after_fields action, i.e. after
// the standard fields of the comment form. The callback is registered by its
// string name, which is also what a remove_action() call would have to pass.
add_action( 'comment_form_after_fields', 'sh_comment_form_after_fields' );
/**
 * Rejects a comment submission whose honeypot field was filled in.
 *
 * When $_POST['sh'] holds a non-empty value, the client address is written to
 * syslog at LOG_NOTICE in the exact form the honeypot.conf failregex expects
 * ("Bot in the Honeypot from <address>"), then wp-fail2ban's bail() is called.
 * Values PHP treats as empty ('' and '0' included) do not trigger the check.
 *
 * NOTE(review): the three \org\lecklider\charles\wp_fail2ban\ functions come
 * from the wp-fail2ban plugin; if it is not active this path ends in an
 * "undefined function" fatal error and nothing is logged.
 * NOTE(review): the address that ends up banned is whatever remote_addr()
 * returns. Behind a reverse proxy, confirm that wp-fail2ban only trusts
 * forwarded-for headers from your own proxies (see its WP_FAIL2BAN_PROXIES
 * setting), otherwise a client-supplied header could decide which address
 * gets banned.
 *
 * @param mixed $comment_post_ID Post ID passed by the pre_comment_on_post action; unused here.
 * @return void
 */
function sh_pre_comment_on_post( $comment_post_ID ) {
	// empty() is also true for an unset key, so one test covers both cases.
	if ( empty( $_POST['sh'] ) ) {
		return;
	}

	\org\lecklider\charles\wp_fail2ban\openlog();
	$client_addr = \org\lecklider\charles\wp_fail2ban\remote_addr();

	// The wording must stay in sync with the fail2ban filter's failregex.
	syslog( LOG_NOTICE, "Bot in the Honeypot from {$client_addr}" );

	// presumably ends the request here -- confirm against wp-fail2ban's bail()
	\org\lecklider\charles\wp_fail2ban\bail();
}
// Run the honeypot check on the pre_comment_on_post action, which passes the
// ID of the post being commented on. Registered at the default priority.
add_action( 'pre_comment_on_post', 'sh_pre_comment_on_post' );