Using Fail2Ban for WordPress on Ubuntu

In this post I show how to set up Fail2Ban to protect your WordPress blog or site from brute-force attacks. This is written specifically for Ubuntu but will work (in a general sense) on any Linux distribution.

Brute forcing your way into a WordPress blog’s administration account is not difficult unless the system admin has implemented measures to protect against this.

One of the best ways to protect your WordPress site/blog from brute-force attacks, in my opinion, is to use Fail2Ban. This tool monitors failed login attempts to practically anything that uses a password (ssh, ftp, mail, etc). When someone (or a script) fails to use the correct password a set number of times, Fail2Ban can add their IP address to a block list for a specified amount of time.

The first thing we are going to do is install rsyslog, the syslog daemon that will receive the log lines from WordPress.

sudo apt-get install rsyslog

Then you need to access your theme's functions.php file. Edit it and place the following near the top, inside the PHP tags:


const SYSLOG_FACILITY = LOG_LOCAL1;   // the facility rsyslog will route to its own file below

add_action('wp_login_failed', 'log_failed_attempt');

// Called by WordPress on every failed login; writes one syslog line per attempt.
function log_failed_attempt( $username ) {
    openlog( 'wordpress('.$_SERVER['HTTP_HOST'].')', LOG_NDELAY|LOG_PID, SYSLOG_FACILITY );
    syslog( LOG_NOTICE, "Wordpress authentication failure for $username from {$_SERVER['REMOTE_ADDR']}" );
}

Note that the address written to the log, and therefore the address Fail2Ban will ban, is $_SERVER['REMOTE_ADDR']. If the site sits behind a reverse proxy or CDN that value is the proxy's address, not the visitor's, so do not use this as-is in that setup.

Now we need to add an rsyslog config file so that the local1 facility (the one WordPress now logs to) is written to its own log file, which Fail2Ban will watch:

sudo nano /etc/rsyslog.d/wordpress.conf

Add this line: (If you don’t have nano, apt-get install nano)

local1.* /var/log/wp_f2b.log

Restart rsyslog:

sudo /etc/init.d/rsyslog restart

Make sure that WordPress is logging failed attempts (CTRL-C to exit):

tail -f /var/log/wp_f2b.log

Try to log into WordPress with an incorrect password; you should see the failure appear in the terminal.

Now we need to define the jail in Fail2Ban:

sudo nano /etc/fail2ban/jail.local

Add:

[wordpress]
enabled  = true
filter   = wordpress
action   = iptables-multiport[name=WordPress, port="http,https"]
           sendmail-whois[name=WordPress, dest=email@domain.tld, sender=fail2ban@domain.tld]
logpath  = /var/log/wp_f2b.log
maxretry = 5
findtime = 600
bantime  = 600

Change the email addresses, maxretry, and bantime to whatever you like.

Now add a filter:

sudo nano /etc/fail2ban/filter.d/wordpress.conf

Add:

[INCLUDES]
before = common.conf

[Definition]
_daemon = wordpress
failregex = ^%(__prefix_line)sWordpress authentication failure for .* from <HOST>$
ignoreregex =

The <HOST> placeholder is mandatory: it is the group Fail2Ban reads the offending address from, and the filter is rejected without it. The %(__prefix_line)s part comes from common.conf and matches the timestamp, hostname and the wordpress(site)[pid]: prefix that rsyslog adds.
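Before restarting, it is worth checking that the filter really matches the lines rsyslog writes and that the jail's maxretry/findtime values behave as expected. The following is an added example, not code from the original post or from Fail2Ban: it replays a constructed sample of wp_f2b.log through an approximation of the combined regex and the jail's counting rule.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Approximation of what Fail2Ban builds from the filter above: common.conf's
# __prefix_line (timestamp, host, "wordpress(site)[pid]:") + failregex with <HOST> expanded.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"\[?\(?wordpress(?:\(\S+\))?\]?\)?(?:\[\d+\])?:? "
    r"Wordpress authentication failure for .* from (?P<host>\S+)$")

MAXRETRY, FINDTIME = 5, 600  # the jail.local values used above

def matches(lines, year=2024):
    """Return (timestamp, host) for each line the filter counts as a failure."""
    out = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:  # syslog lines carry no year, so one is assumed for parsing
            out.append((datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["host"]))
    return out

def bans(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay the jail: a host is banned once it has maxretry failures within findtime seconds."""
    window, banned = defaultdict(deque), []
    for ts, host in matches(lines):
        q = window[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned

# Constructed sample of /var/log/wp_f2b.log (not a real capture).
SAMPLE_LOG = """\
Mar 13 10:00:01 web1 wordpress(blog.example.com)[2231]: Wordpress authentication failure for admin from 203.0.113.5
Mar 13 10:00:09 web1 wordpress(blog.example.com)[2231]: Wordpress authentication failure for admin from 203.0.113.5
Mar 13 10:00:15 web1 wordpress(blog.example.com)[2240]: Wordpress authentication failure for editor from 198.51.100.7
Mar 13 10:00:20 web1 wordpress(blog.example.com)[2231]: Wordpress authentication failure for administrator from 203.0.113.5
Mar 13 10:00:31 web1 wordpress(blog.example.com)[2231]: Wordpress authentication failure for root from 203.0.113.5
Mar 13 10:00:44 web1 wordpress(blog.example.com)[2240]: Wordpress authentication failure for editor from 198.51.100.7
Mar 13 10:01:02 web1 wordpress(blog.example.com)[2231]: Wordpress authentication failure for admin from 203.0.113.5
Mar 13 10:05:00 web1 wordpress(blog.example.com)[2250]: Wordpress authentication failure for bob from 192.0.2.9
Mar 13 10:20:00 web1 wordpress(blog.example.com)[2250]: Wordpress authentication failure for bob from 192.0.2.9
Mar 13 10:35:00 web1 wordpress(blog.example.com)[2250]: Wordpress authentication failure for bob from 192.0.2.9
Mar 13 10:50:00 web1 wordpress(blog.example.com)[2250]: Wordpress authentication failure for bob from 192.0.2.9
Mar 13 11:05:00 web1 wordpress(blog.example.com)[2250]: Wordpress authentication failure for bob from 192.0.2.9
Mar 13 11:06:00 web1 rsyslogd: [origin software="rsyslogd"] restart
""".splitlines()
```

Only 203.0.113.5 gets banned: 198.51.100.7 stays under maxretry, and 192.0.2.9 makes five attempts but spaced 15 minutes apart, so never five inside findtime. On the server itself, fail2ban-regex /var/log/wp_f2b.log /etc/fail2ban/filter.d/wordpress.conf runs the real filter against the real log.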

Restart fail2ban:

sudo /etc/init.d/fail2ban restart

Also rotate the log file so it doesn't get too large.

sudo nano /etc/logrotate.conf

Add:

/var/log/wp_f2b.log {
    size 100k
    create 0600 root root
    rotate 6
    # copy then truncate in place: rsyslog keeps its file handle open, so a plain
    # rename would leave it writing to the rotated file until it is restarted
    copytruncate
}
