In short, in this tutorial you will find the commands with which you can install and configure Fail2ban for WordPress, securing WordPress authentication (wp-login.php) and xmlrpc.php against brute-force attacks.
Blogs and sites built on the WordPress platform are frequent targets of cyber attacks. Most of these attacks are of the brute-force type and target either the authentication session or the exploitation of XML-RPC (Remote Procedure Call using XML). Fortunately, Fail2ban is a very useful security solution for these situations. If you want to secure a WordPress site with Fail2ban, follow the configuration steps in this tutorial.
First of all, make sure you have SSH access to the web server and that the Fail2ban application is installed.
Fail2ban configuration for WordPress on Debian
1. First of all you have to make sure that the Fail2ban application is installed and running on the server. Execute the command below:
systemctl status fail2ban
In the output you should see something of the form:
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
Active: active (running) since Tue 2025-03-11 00:39:32 EET; 6 days ago
Docs: man:fail2ban(1)
Main PID: 917 (fail2ban-server)
Tasks: 17 (limit: 76843)
Memory: 33.2M
CPU: 17min 1.752s
CGroup: /system.slice/fail2ban.service
└─917 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
If Fail2ban is not installed on the server, you will need to install it. Run the following command to install Fail2ban on Debian / Ubuntu:
sudo apt install fail2ban
2. The next step is to create the Fail2ban filter for WordPress. Run the following command in the terminal to create and edit the filter wordpress.conf:
sudo nano /etc/fail2ban/filter.d/wordpress.conf
In the wordpress.conf file, set the filter for WordPress authentication (wp-login.php) and for the xmlrpc.php file, as follows:
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*(/wp-login.php|/xmlrpc.php).*" 200
ignoreregex =
This means that any GET or POST request to wp-login.php or xmlrpc.php that the server answers with status code 200 (OK) counts as a match for the Fail2ban rule. The condition is that these files exist and can be accessed by the attacker, i.e. the server returns code 200 (OK) for the request. Note that because GET is included, ordinary visits to the login page match as well, so a legitimate user who reloads wp-login.php more than maxretry times within findtime will also be banned.
Save the file /etc/fail2ban/filter.d/wordpress.conf.
3. The next step is to configure the “jail” for WordPress. At this step most users get confused, because the rules must be set differently depending on the hosting control panel (if there is one) or the web server configuration.
If you use HestiaCP, VestaCP or myVesta, create and edit the file /etc/fail2ban/jail.local:
nano /etc/fail2ban/jail.local
Add in this file the lines below:
[wordpress]
enabled = true
port = http,https
filter = wordpress
# nginx logs; use the apache2 log directory if that is your web server
logpath = /var/log/nginx/domains/*.log
maxretry = 5
findtime = 1800
bantime = 3600
# HestiaCP action
action = hestia[name=WEB]
Adjust the above parameters according to your needs. In the configuration I gave, if within the findtime window of 1800 there are 5 repeated attempts from the same IP, it will be blocked for the bantime of 3600 with the help of the HestiaCP web action (hestia[name=WEB]). Fail2ban interprets bare findtime and bantime values as seconds. Here you will need to adapt the action to the system you have on the server.
The logpath setting is also very important: the data on which the action is based is extracted from these logs. Make sure the location is correct.
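To see how the filter and the jail parameters work together, here is an added example (not part of the original tutorial) that applies the wordpress.conf failregex and the jail's maxretry/findtime window to a few constructed nginx log lines. It assumes IPv4 addresses and the nginx combined log format; the log lines are made up for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The failregex from wordpress.conf, with Fail2ban's <HOST> tag replaced by a
# named group for an IPv4 address (assumption: IPv4 logs only).
FAILREGEX = re.compile(
    r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) -.*"(GET|POST).*(/wp-login.php|/xmlrpc.php).*" 200'
)
TIMESTAMP = re.compile(r"\[([^\]]+)\]")
MAXRETRY = 5      # same values as the jail in the tutorial
FINDTIME = 1800   # Fail2ban treats bare numbers as seconds

# Constructed nginx combined-format lines (not real traffic).
LOG = """\
203.0.113.7 - - [11/Mar/2025:00:40:01 +0200] "POST /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2025:00:40:03 +0200] "POST /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2025:00:40:05 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2025:00:40:06 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2025:00:40:08 +0200] "POST /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
198.51.100.2 - - [11/Mar/2025:00:41:00 +0200] "GET /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
198.51.100.2 - - [11/Mar/2025:00:41:30 +0200] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Mar/2025:00:42:00 +0200] "POST /xmlrpc.php HTTP/1.1" 404 153 "-" "curl/8.0"
"""

def failure(line):
    """Return (host, timestamp) if the line matches the filter, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    ts = datetime.strptime(TIMESTAMP.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts

def hosts_to_ban(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Apply the jail's maxretry/findtime sliding window to every matching line."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = []
    for line in log_text.splitlines():
        hit = failure(line)
        if hit is None:
            continue
        host, ts = hit
        # keep only this host's failures that fall inside the findtime window
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print("would ban:", hosts_to_ban(LOG))  # only 203.0.113.7 reaches 5 hits
```

The 404 on xmlrpc.php never matches, while the single GET of the login page from 198.51.100.2 does match and would count toward a ban if maxretry were lower.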
If you do not have a control panel installed, the blocking of IPs by Fail2ban for WordPress will need to be done directly by iptables. The action line will then be as follows:
action = iptables-multiport[name=wordpress, port="80,443", protocol=tcp]
As an aside, instead of /etc/fail2ban/jail.local you can also use a separate configuration file, such as /etc/fail2ban/jail.d/wordpress.conf.
After you have made the adjustments, apply the changes.
sudo systemctl restart fail2ban
4. After the restart, check that Fail2ban for WordPress works:
fail2ban-client status wordpress
Status for the jail: wordpress
|- Filter
| |- Currently failed: 355
| |- Total failed: 33873
| `- File list: (log files per domain)
`- Actions
|- Currently banned: 127
|- Total banned: 680
`- Banned IP list:
After you find blocked IPs in this list, make sure they are also blocked in iptables. I have run into the situation where, due to a wrong configuration, Fail2ban showed an IP as banned, but in reality it could still access wp-login.php or xmlrpc.php.
To check that everything works properly, pick an IP that is banned in the Fail2ban list and look for it in iptables.
Execute the command:
iptables -L -v -n --line-numbers
If the IP that appears as banned by Fail2ban is also found in this list, you have configured Fail2ban for WordPress correctly.
It is also highly advisable to check the log of Fail2ban actions:
sudo tail -f /var/log/fail2ban.log
That being said, if you have any questions or need help, ask in the comments.