Many WordPress blogs suffer because attackers use brute force attacks to try to guess the password of the admin user. With a strong password your account is safe, but the attack still consumes a lot of server resources and bandwidth, so it's best to limit the login attempts.
In this guide, you’ll learn how to use Fail2Ban to protect your WordPress blog from brute force attacks. And since we’re using Fail2Ban instead of plugins you will save bandwidth and server resources.
What is Fail2Ban?
Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. Written in the Python programming language, it is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally, for example, iptables or TCP Wrapper. – Wikipedia
The following guide has been tested on Ubuntu 16.04 with WordPress hosted on NGINX. You may be able to adapt the instructions to work with different distributions or Apache.
To learn how to configure NGINX read, How to Host WordPress on NGINX and Ubuntu 16.04. With WordPress installed we can now begin the tutorial.
Step 1: Install Fail2Ban
First make sure Ubuntu is updated by running the following command:
sudo apt-get update && sudo apt-get upgrade -y
Now run the following command to install Fail2Ban:
sudo apt-get install fail2ban -y
Fail2Ban should now be installed and ready to configure.
Step 2: Configure Fail2Ban
Create a new filter file by opening it with the following command:
sudo vim /etc/fail2ban/filter.d/wordpress.conf
Add the following config to the file and then save it. Fail2Ban filter files place their settings under a [Definition] section, so that header is included:
[Definition]
# Match POST requests to the login page or XML-RPC endpoint that were answered with 200
failregex = <HOST>.*POST.*(wp-login\.php|xmlrpc\.php).* 200
The regular expression in the config above searches the access log for any POST request to wp-login.php or xmlrpc.php that returned a status code of 200. This works because a successful login returns a redirect status code instead of 200, so only failed attempts match. If an attacker makes repeated POSTs they will get blocked.
Now we will configure the jail by editing the file /etc/fail2ban/jail.d/defaults-debian.conf and adding the following to the bottom. The [wordpress] header starts a new jail; without it the settings would be appended to whichever jail section already ends the file:
[wordpress]
enabled = true
port = http,https
filter = wordpress
logpath = /var/log/nginx/access.log
maxretry = 10
bantime = 3600
In the config above we are telling Fail2Ban to use the wordpress filter we created in the previous step and to analyse the access.log file for entries matching the regex in the filter. The maxretry option is set to 10 failed login attempts before banning the IP address for 3600 milliseconds.
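To see what the filter and jail above actually do with real-looking traffic, here is an added Python example (it is not from the original post and not Fail2Ban's own code) that applies the page's failregex to a constructed nginx access log and replays the jail's counting rule: an address is banned once it has maxretry matches inside the findtime window. It assumes an IPv4-only expansion of the <HOST> placeholder, Fail2Ban's default findtime of 600 seconds (the page leaves it unset), and nginx's combined log format, where the status code follows the request line; the addresses and timestamps are constructed sample data.

```python
import re
from datetime import datetime, timedelta, timezone

# The page's failregex with Fail2Ban's <HOST> placeholder expanded. Fail2Ban's own
# <HOST> also matches IPv6 addresses and hostnames; the IPv4-only expansion here
# is an assumption made for this example.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(HOST + r".*POST.*(wp-login\.php|xmlrpc\.php).* 200")

# Timestamp field of nginx's combined log format, e.g. [10/Oct/2023:13:55:36 +0000]
NGINX_TIME = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def access_line(ip, when, method, path, status, size=3521):
    """Build one nginx combined-format access log line (constructed sample data)."""
    stamp = when.strftime(TIME_FMT)
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} {size} "-" "Mozilla/5.0"'


def matched_failures(lines):
    """Count failregex matches per address, i.e. what fail2ban-regex would report."""
    counts = {}
    for line in lines:
        m = FAILREGEX.search(line)
        if m:
            counts[m.group("host")] = counts.get(m.group("host"), 0) + 1
    return counts


def simulate_jail(lines, maxretry=10, findtime=600, bantime=3600):
    """Simplified model of the jail: an address is banned once it has `maxretry`
    failregex matches within `findtime` seconds. Returns {ip: ban_expiry}.
    findtime and bantime are in seconds, which is how Fail2Ban reads them;
    findtime=600 is Fail2Ban's default, which the page's jail does not override."""
    recent = {}   # ip -> timestamps of matches still inside the findtime window
    bans = {}
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue   # GETs, redirects (302) and other URLs are not failures
        ip = m.group("host")
        ts = datetime.strptime(NGINX_TIME.search(line).group(1), TIME_FMT)
        window = [t for t in recent.get(ip, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry and ip not in bans:
            bans[ip] = ts + timedelta(seconds=bantime)
    return bans


# Constructed sample log using TEST-NET addresses; this is not real traffic.
T0 = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
ATTACKER = "203.0.113.7"
USER = "198.51.100.9"

SAMPLE_LOG = (
    [access_line(USER, T0, "GET", "/wp-login.php", 200),                                 # viewing the form
     access_line(USER, T0 + timedelta(seconds=5), "POST", "/wp-login.php", 302, 0)]      # successful login -> redirect
    + [access_line(ATTACKER, T0 + timedelta(seconds=10 + i), "POST", "/wp-login.php", 200)
       for i in range(12)]                                                               # 12 failed guesses
    + [access_line(ATTACKER, T0 + timedelta(seconds=30), "POST", "/xmlrpc.php", 200)]    # one more via XML-RPC
)


if __name__ == "__main__":
    print("matches per IP:", matched_failures(SAMPLE_LOG))
    for ip, until in simulate_jail(SAMPLE_LOG).items():
        print(f"{ip} banned until {until.isoformat()}")
```

Running it shows the legitimate user never matches (a GET, then a 302 from a successful login) while the attacking address is banned on its tenth failed POST. On the server itself the equivalent check is the fail2ban-regex tool, run as fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/wordpress.conf, which reports how many lines the filter matched, and once the jail is running, sudo fail2ban-client status wordpress lists the currently banned addresses.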
To learn more about Fail2Ban and what options are available, visit, http://www.fail2ban.org/wiki/index.php/Manual.
Step 3: Test Fail2Ban
Navigate to the WordPress login page by browsing to http://wpexample.com/wp-login.php. Then press the login button repeatedly until you get blocked.
After more than 10 login attempts you should see a connection refused message like the one in the image above. Fail2Ban is now protecting your WordPress site from brute force attacks and no WordPress plugins were necessary. Change the bantime setting to suit your needs.
This tutorial showed the basics of Fail2Ban and how to configure it to block brute force attacks on your WordPress site. You can do a lot more with Fail2Ban, like blocking failed SSH or FTP logon attempts, sending email alerts and more.
If you don’t want to block the IP addresses of attackers you can use rate limiting instead. Read, How to Limit Connections to the Login Page of WordPress sites Hosted on NGINX to learn how to do this with NGINX.