How to configure Fail2Ban for WordPress (wp-login, xmlrpc)

In short, this tutorial gives you the commands needed to install and configure Fail2Ban for WordPress, so that you can protect WordPress authentication and block brute-force requests to xmlrpc.php.

Blogs and websites built on the WordPress platform are frequent targets of cyber attacks. Most of these are brute-force attacks aimed at the login session or at XML-RPC (Remote Procedure Call using XML). Fortunately, fail2ban is a very useful security tool for exactly these situations. If you want to secure a WordPress site with fail2ban, follow the configuration steps in this tutorial.

First of all, make sure you have access to the web server via SSH connection and that the fail2ban application is installed.

Fail2Ban configuration for WordPress on Debian

1. First of all, you need to make sure that the fail2ban application is installed and running on the server. Run the command line below:

systemctl status fail2ban

In the output you should see something like this:

● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
     Active: active (running) since Tue 2025-03-11 00:39:32 EET; 6 days ago
       Docs: man:fail2ban(1)
   Main PID: 917 (fail2ban-server)
      Tasks: 17 (limit: 76843)
     Memory: 33.2M
        CPU: 17min 1.752s
     CGroup: /system.slice/fail2ban.service
             └─917 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

If fail2ban is not installed on your server, you will need to install it. Run the following command to install fail2ban on Debian/Ubuntu:

sudo apt install fail2ban

2. The next step is to create the fail2ban filter for WordPress. Run the following command in the terminal to create and edit the wordpress.conf filter.

sudo nano /etc/fail2ban/filter.d/wordpress.conf

In wordpress.conf, define the filter for WordPress authentication and for xmlrpc.php as follows:

[Definition]
failregex = ^<HOST> -.*"(GET|POST).*(/wp-login.php|/xmlrpc.php).*" 200
ignoreregex =

This means that any request, GET or POST, to wp-login.php or xmlrpc.php counts as a failure for fail2ban. The condition is that these files exist and are accessible to the attacker, that is, they return code 200 (OK) when accessed.

Save the file /etc/fail2ban/filter.d/wordpress.conf.

3. The next step is to configure the “jail” for WordPress. This is where most users get confused, as the rules must be set differently depending on the hosting management system (if any) or the web server configuration.

If you use HestiaCP, VestaCP or MyVesta, create and edit the file /etc/fail2ban/jail.local.

nano /etc/fail2ban/jail.local

Add the lines below to this file:

[wordpress]
enabled  = true
port     = http,https
filter   = wordpress
# nginx log directory under HestiaCP/VestaCP/MyVesta; use the apache2 log
# directory instead if that is your web server. Keep comments on their own
# lines: fail2ban does not treat a trailing "#" as an inline comment.
logpath  = /var/log/nginx/domains/*.log
maxretry = 5
findtime = 1800
bantime  = 3600
# HestiaCP ban action for the web service
action   = hestia[name=WEB]

Adjust the above parameters to your needs. With the configuration I gave, if there are 5 repeated attempts from the same IP within 1800 seconds (30 minutes), that IP is blocked for 3600 seconds (60 minutes) using the HestiaCP web action (hestia[name=WEB]). Which action you use here depends on the system you have on the server.

The logpath setting is also very important: the data on which the ban action is based is extracted from these logs, so make sure the location is correct.
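To see what the filter and jail above actually do before enabling them, here is an added example (not code from the original article) that applies the page's failregex and the maxretry/findtime logic to constructed access-log lines. The <HOST> expansion is a simplified IPv4/IPv6 stand-in for fail2ban's own pattern, and the log lines are invented; note that every 200 response to wp-login.php counts, whether the login succeeded or not, while the 404 and the unrelated page do not.

```python
import re
from datetime import datetime

# The failregex from the page's /etc/fail2ban/filter.d/wordpress.conf.
FAILREGEX = r'^<HOST> -.*"(GET|POST).*(/wp-login.php|/xmlrpc.php).*" 200'

# fail2ban expands <HOST> to a named group; this is a simplified IPv4/IPv6
# stand-in for that expansion (assumption), not fail2ban's exact pattern.
HOST_RE = r'(?P<host>[0-9a-fA-F:.]+)'
FILTER = re.compile(FAILREGEX.replace('<HOST>', HOST_RE))
TS_RE = re.compile(r'\[([^\]]+)\]')

# Constructed access-log lines in combined format (not a real capture):
# four wp-login/xmlrpc hits from one IP, a 404 and an unrelated page from another.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Mar/2025:00:40:01 +0200] "POST /wp-login.php HTTP/1.1" 200 2843 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Mar/2025:00:40:03 +0200] "POST /wp-login.php HTTP/1.1" 200 2843 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Mar/2025:00:40:05 +0200] "POST /xmlrpc.php HTTP/1.1" 200 422 "-" "python-requests/2.31"
198.51.100.7 - - [11/Mar/2025:00:41:10 +0200] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Mar/2025:00:41:12 +0200] "GET /index.php HTTP/1.1" 200 9012 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Mar/2025:01:15:00 +0200] "GET /wp-login.php HTTP/1.1" 200 2843 "-" "Mozilla/5.0"
"""

def match_host(line):
    """Return the client IP if the line matches failregex, else None."""
    m = FILTER.search(line)
    return m.group('host') if m else None

def log_time(line):
    """Parse the [dd/Mon/yyyy:HH:MM:SS +zzzz] timestamp of an access-log line."""
    return datetime.strptime(TS_RE.search(line).group(1), '%d/%b/%Y:%H:%M:%S %z')

def banned_hosts(log, maxretry=5, findtime=1800):
    """Apply the jail's maxretry/findtime (seconds) to the lines the filter matches."""
    hits = {}          # host -> timestamps of matching lines still inside findtime
    banned = set()
    for line in log.splitlines():
        host = match_host(line)
        if host is None:
            continue   # non-200, or a page other than wp-login.php / xmlrpc.php
        t = log_time(line)
        window = [x for x in hits.get(host, []) if (t - x).total_seconds() <= findtime]
        window.append(t)
        hits[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned
```

With the page's maxretry=5 nothing is banned on this sample; lowering maxretry to 3, or raising findtime to 3600 with maxretry=4, bans 203.0.113.5.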

If you do not have a management system installed, fail2ban must block IPs for WordPress directly through iptables. The action line will then be as follows:

action   = iptables-multiport[name=wordpress, port="80,443", protocol=tcp]

As an aside, instead of /etc/fail2ban/jail.local you can also use a separate configuration file, such as /etc/fail2ban/jail.d/wordpress.conf.

After you have made your adjustments, apply the changes.

sudo systemctl restart fail2ban

4. After restarting, check if fail2ban for WordPress works:

fail2ban-client status wordpress
Status for the jail: wordpress
|- Filter
|  |- Currently failed:	355
|  |- Total failed:	33873
|  `- File list: (log files per domain)
`- Actions
   |- Currently banned:	127
   |- Total banned:	680
   `- Banned IP list:

Once you find blocked IPs in this list, make sure they are also blocked in iptables. I encountered a situation where, due to a misconfiguration, I could see in fail2ban that an IP was blocked, but in reality it could still access wp-login.php or xmlrpc.php.

To check if everything is working properly, choose a blocked IP from the fail2ban list and look it up in iptables.

Run the command line:

iptables -L -v -n --line-numbers

If the IP that appears blocked by fail2ban is also in this list, it means you have configured fail2ban for WordPress correctly.
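The cross-check described above, done in bulk: an added example (not from the original article) that takes the text of fail2ban-client status wordpress and of iptables -S and reports any IP that fail2ban lists as banned but that has no matching iptables rule. Both outputs are constructed here; the chain name f2b-wordpress is an assumption (it is what iptables-multiport with name=wordpress creates by default), but the parser only looks for -s rules and does not depend on it.

```python
import re

# Constructed output of `fail2ban-client status wordpress` (not a real capture).
STATUS_OUTPUT = """\
Status for the jail: wordpress
|- Filter
|  |- Currently failed:\t3
|  |- Total failed:\t41
|  `- File list:\t/var/log/nginx/domains/example.com.log
`- Actions
   |- Currently banned:\t2
   |- Total banned:\t9
   `- Banned IP list:\t203.0.113.5 198.51.100.7
"""

# Constructed output of `iptables -S`; chain name f2b-wordpress is assumed.
# Only one of the two banned IPs actually has a rule, reproducing the page's pitfall.
IPTABLES_OUTPUT = """\
-P INPUT ACCEPT
-N f2b-wordpress
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-wordpress
-A f2b-wordpress -s 203.0.113.5/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-wordpress -j RETURN
"""

def fail2ban_banned(status):
    """IPs listed after 'Banned IP list:' in fail2ban-client status output."""
    m = re.search(r'Banned IP list:\s*(.*)', status)
    return set(m.group(1).split()) if m else set()

def iptables_sources(dump):
    """Source addresses (without prefix length) of all -s rules in an iptables -S dump."""
    return set(re.findall(r'-s\s+([0-9a-fA-F:.]+)(?:/\d+)?', dump))

def unenforced_bans(status, dump):
    """IPs that fail2ban reports as banned but that have no iptables rule."""
    return fail2ban_banned(status) - iptables_sources(dump)
```

An empty result from unenforced_bans means every fail2ban ban is really enforced in iptables; anything returned points at a broken ban action.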


At the same time, it is highly recommended to watch the fail2ban log, where its ban and unban actions are recorded:

sudo tail -f /var/log/fail2ban.log

That said, if you have any questions or need help, I can help you in the comments.

Passionate about technology, I enjoy writing on StealthSettings.com since 2006. I have a rich experience in operating systems: macOS, Windows, and Linux, as well as in programming languages and blogging platforms (WordPress) and for online stores (WooCommerce, Magento, PrestaShop).
