Skip to content

Instantly share code, notes, and snippets.

@gbot
Last active October 10, 2015 21:00
Show Gist options
  • Save gbot/3e10ef0655d191436907 to your computer and use it in GitHub Desktop.
Save gbot/3e10ef0655d191436907 to your computer and use it in GitHub Desktop.
Fail2Ban WordPress login failure Jail and Filter. Notes:The log path uses 'access*_log' to monitor http and https logins. This will only work if WordPress is installed the webroot. Tweaking the failregex would be required to work with installs in sub-directories.
[wp-login]
enabled = true
filter = wp-login
action = iptables-multiport[name=wp-login, port="http,https"]
sendmail[dest="[email protected]", sendername="Fail2Ban", sender="fail2ban", name="wp-login"]
logpath = /var/www/vhosts/system/*/logs/access*_log
maxretry = 5
findtime = 60
bantime = 1200
# Create a filter called 'apache-wp-login'
[Definition]
failregex = ^<HOST>.*] "POST /wp-login.php HTTP/.*" 200
# the above failregex will only find wp-login.php installed in the web root, use
# the following for instances where WordPress may be installed in a subdirectory
# failregex = ^<HOST>.*] "POST .*/wp-login.php HTTP/.*" 200
ignoreregex =
[INCLUDES]
before = apache-common.conf
@edwardbeckett
Copy link

I'd recommend adding a decent findtime setting to limit the jail window. findtime = 60 seconds and maxretry = 3, etc...

@gbot
Copy link
Author

gbot commented Oct 10, 2015

@edwardbeckett Thanks for the suggestion, I was just relying on the findtime in the [default] settings (which is 600), but you're right, using a lower specific value in the jail is a good idea.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment