Fail2Ban is a popular security tool that adds a very effective protection layer to many web services. It works by analyzing server log files for suspicious behavior and subsequently blocking any offenders by their IP address. It ships with default configuration files (filters and jails) for many web services, including SSH, Apache, Nginx and most popular mail services.
Why would you use Fail2Ban when there are many good security plugins for WordPress out there?
Most security plugins are running from “within” WordPress, meaning that the application will still load before a user request gets blocked. Fail2Ban works on the server level and requests will get blocked before reaching WordPress. And although it does use server resources to analyze log files regularly, this is still much lighter on your web server than loading WordPress on each “bad” request.
A good security plugin is still recommended! While Fail2Ban helps to fend off brute force attacks, it will not help in case of security holes in abandoned or poorly coded plugins or themes!
Note: This how-to was written for a Debian-based Linux VPS (e.g. Ubuntu LTS), but your setup may be different.
Prerequisites:
- A functional web server with at least one WordPress single- or multi-site/network installation.
- SSH to access your server command line.
- Fail2Ban with iptables installed.
If you do not have Fail2Ban installed yet, there are many good how-tos out there, including how to activate the built-in protection for most services. Here are short instructions for installing the service on a Debian-based Linux server.
Install:
sudo apt update
sudo apt install fail2ban
Enable the service:
sudo systemctl enable fail2ban
And restart the service for good measure 🙂
sudo systemctl restart fail2ban
Once you have Fail2Ban up and running, protecting your common web services — I recommend at least SSH — let’s add some extra protection for your WordPress sites:
- WordPress Auth: bans “brute force” authentication attempts.
- 4xx Response: bans “shotgun” file scanners that cause many 404 responses.
- Recidive: bans multi-offenders (recidivists) for an extended period.
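To make the mechanism behind the WordPress Auth jail concrete, here is an added Python simulation (not Fail2Ban's own code and not the jail configuration from this post): it runs a hypothetical failregex over constructed Apache access-log lines and applies maxretry/findtime counting the way a jail would, so you can see which client would be banned and why.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Apache-style access-log lines (not from any real server):
# one client hammering wp-login.php, one legitimate visitor who logs in once.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
198.51.100.2 - - [10/Oct/2023:13:55:04 +0000] "GET /index.php HTTP/1.1" 200 9876
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
203.0.113.7 - - [10/Oct/2023:13:55:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
198.51.100.2 - - [10/Oct/2023:14:10:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

# Hypothetical failregex in the spirit of a Fail2Ban filter: a POST to
# wp-login.php answered with 200 means WordPress re-rendered the login form,
# i.e. the attempt failed (a successful login redirects with 302).
FAILREGEX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /wp-login\.php[^"]*" 200 '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def offenders(log_text, maxretry=5, findtime=600):
    """Return {ip: timestamp} for clients that reach `maxretry` failures within
    a sliding window of `findtime` seconds, mirroring jail semantics."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    banned = {}                   # ip -> time at which the ban would fire
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue              # legitimate traffic or a successful login
        ip, ts = m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"would ban {ip} at {when.isoformat()}")
```

Raising maxretry or shrinking findtime changes the outcome, which is exactly the trade-off you tune in a jail: too loose and brute-forcers slip through, too tight and a user who mistypes a password a few times gets locked out.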
I’ll start with the WordPress Auth jail in this post. The other two will follow in later posts…