All HowTo's Cybersecurity Redhat, Fedora and CentOS Linux Web Servers

Using Fail2Ban to Protect WordPress Logins (CentOS)

This article demonstrates how to use Fail2Ban to block IP addresses attempting to compromise a WordPress instance via the login process. In this walk-through, we’re using CentOS 7 and FirewallD. Just be aware that if you’re using a caching service like CloudFlare, you can’t use this method because you’ll block the cache and not the source of the traffic.

Install Fail2Ban:

yum install fail2ban fail2ban-firewalld

Edit the “/etc/fail2ban/jail.conf” file. Add the following chunk to the bottom of that file. Notice the log file to be monitored. You can either specify it exactly or use a wild-card:

enabled = true
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
port = http,https
filter = apache-wordpress-login
logpath = /var/log/httpd/*_log
bantime = 36000
findtime = 600
maxretry = 1

And modify the “ignoreip” line to include the IP that you’re coming from (so you don’t get kicked out):

ignoreip = ::1 my.ip.address

And set the following to ensure FirewallD is assumed:

#banaction = iptables-multiport
banaction = firewallcmd-ipset

Create the file “/etc/fail2ban/filter.d/apache-wordpress-login.conf” and enter the following content:

mode = normal
failregex = ^ .* "POST .*wp-login.php

Enable and Start Fail2Ban:

systemctl enable fail2ban
systemctl start fail2ban

Check the status of Fail2Ban blocking hosts:

fail2ban-client status apache-wordpress-login
firewall-cmd --list-all
iptables -L -n
tail -f /var/log/fail2ban.log

Leave a Reply

Your email address will not be published. Required fields are marked *