Use Fail2Ban to block WordPress login botnets

Fail2Ban parses log files and generates IP filter firewall rules (usually "DROP") against source addresses whose requests match unwanted patterns.

The common use of Fail2Ban is to firewall SSH login dictionary scans, but here's how to add to just 2 files in your Fail2Ban config to block > 3 wp-login.php attempts from an IP address.

Please note this is for GNU/Linux (Debian/Ubuntu etc.); please feel free to contact us for the RHEL-based equivalent commands/setup.

Add the following lines to /etc/fail2ban/jail.local

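# Fail2Ban needs a section header naming the jail; "wp-auth" is assumed here to match the filter name
[wp-auth]
enabled = true
filter = wp-auth
action = iptables-multiport[name=NoAuthFailures, port="http,https"]
maxretry = 3
logpath = /var/log/apache2/access.log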

Add the following lines to /etc/fail2ban/filter.d/wp-auth.conf

[Definition]
# <HOST> is the Fail2Ban tag that captures the client address to ban
failregex = ^<HOST> .* "POST /wp-login.php
ignoreregex =

Then run as the root user:

service fail2ban reload
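Before enabling the jail it helps to see which addresses the filter would have banned. The following is an added example, not part of the original post: it replays the failregex above over constructed log lines, assuming a simplified IPv4-only stand-in for `<HOST>` and Fail2Ban's stock 600-second findtime (the post does not set one). The function name `would_ban` is hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The post's failregex with <HOST> swapped for a simplified IPv4 capture
# (assumption: Fail2Ban's real <HOST> tag also covers IPv6 and hostnames).
FAILREGEX = re.compile(r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) .* "POST /wp-login.php')
TIMESTAMP = re.compile(r'\[([^\]]+)\]')
MAXRETRY = 3    # from the jail in this post
FINDTIME = 600  # seconds; assumed stock default, the post does not set findtime

# Constructed sample lines (Apache common log format, documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1820
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1820
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1820
198.51.100.20 - - [10/Mar/2024:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1820
198.51.100.20 - - [10/Mar/2024:10:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1820
198.51.100.20 - - [10/Mar/2024:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1820
192.0.2.44 - - [10/Mar/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1500
192.0.2.99 - - [10/Mar/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.99 - - [10/Mar/2024:10:04:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.99 - - [10/Mar/2024:10:06:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

def would_ban(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return IPs, in ban order, whose matches reach maxretry within findtime."""
    hits = defaultdict(deque)
    banned = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        ts = TIMESTAMP.search(line)
        if not (m and ts):
            continue  # GET requests and other URLs never count
        when = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S %z")
        window = hits[m.group("host")]
        window.append(when)
        # Drop matches that have aged out of the findtime window.
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and m.group("host") not in banned:
            banned.append(m.group("host"))
    return banned

if __name__ == "__main__":
    print(would_ban(SAMPLE_LOG))
```

The regex never looks at the HTTP status, so 192.0.2.99, whose POSTs all returned 302 (the redirect WordPress sends after a successful login), is banned alongside the scanner at 203.0.113.7. Put trusted admin addresses in the jail's `ignoreip` if that matters for your site.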

