How to block multiple login attempts to WordPress with the Fail2ban intrusion detector on Ubuntu 22.04

Block Repeated WordPress Login Attempts with Fail2ban in Ubuntu 22.04

Setting up Fail2ban for WordPress via command line on Ubuntu 22.04 involves a few steps. Before you begin, ensure that you have administrative privileges to execute these commands. Here’s how to do it:

SSH into Your Server:

  • Access your Ubuntu 22.04 server via SSH or open the terminal if you’re on the local machine.

Check Fail2ban Status:

  • Ensure Fail2ban is installed and running:
sudo systemctl status fail2ban

If it’s not installed, install it with:

sudo apt install fail2ban

Create a Custom Filter for WordPress:

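  • You’ll create a filter that matches requests to the WordPress login endpoints. Note that the pattern used here matches every GET or POST to /wp-login.php or /xmlrpc.php, not only failed logins, so login page loads and successful logins also count toward maxretry.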
  • Create a new file in the /etc/fail2ban/filter.d directory. You can name it wordpress.conf:
sudo nano /etc/fail2ban/filter.d/wordpress.conf

Add the following content to the file:

[Definition]
# Matches any GET or POST to wp-login.php or xmlrpc.php from <HOST>
failregex = ^<HOST> -.*"(GET|POST).*(/wp-login\.php|/xmlrpc\.php).*$
ignoreregex =

Save and exit the editor (in nano, it’s Ctrl+O, Enter, and then Ctrl+X).

Create a Jail for WordPress:

  • Edit the jail.local file (or create it if it doesn’t exist):
sudo nano /etc/fail2ban/jail.local

Add the following configuration for your WordPress jail:

[wordpress]
# Fail2ban does not strip inline "#" comments, so comments go on their own lines
enabled = true
filter = wordpress
# Use /var/log/nginx/access.log instead if your web server is nginx
logpath = /var/log/apache2/access.log
port = http,https
maxretry = 5
# Ban duration in seconds (1 hour); adjust as needed
bantime = 3600
# Time window in seconds in which maxretry applies; adjust as needed
findtime = 3600

Adjust logpath, maxretry, bantime, and findtime as needed. Save and exit the editor.

Restart Fail2ban:

  • Apply the changes by restarting Fail2ban:
sudo systemctl restart fail2ban

Verify the Configuration:

  • Check the status of the newly created jail:
sudo fail2ban-client status wordpress

This command should show the status of your WordPress jail, including current bans.

Monitor Fail2ban Logs:

  • Regularly check Fail2ban logs to ensure it’s working correctly:
sudo tail -f /var/log/fail2ban.log

A setup similar to this can help protect your WordPress site from brute-force attacks by banning IP addresses that make too many failed login attempts. Remember to tailor the maxretry, bantime, and findtime parameters according to your security needs and traffic patterns.
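
The following added example (not part of the original tutorial and not Fail2ban's own code) models in Python how the filter regex (dots escaped) and the jail's maxretry and findtime values treat a constructed access log, showing that an ordinary user who mistypes a password once is banned alongside a password guesser. The `line` and `banned_hosts` helpers, the sample addresses and the simplified `<HOST>` substitution are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The page's failregex with literal dots escaped; <HOST> is swapped for a
# simplified IPv4 group (assumption: fail2ban's own <HOST> pattern is broader).
FAILREGEX = r'^<HOST> -.*"(GET|POST).*(/wp-login\.php|/xmlrpc\.php).*$'
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))
STAMP = re.compile(r"\[([^\]]+)\]")
MAXRETRY, FINDTIME = 5, 3600  # values from the [wordpress] jail


def line(ip, sec, method, path, status):
    """Build one constructed access-log line (common log format)."""
    return f'{ip} - - [10/Jan/2024:10:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" {status} 512'


# Constructed sample traffic; addresses come from the documentation ranges.
SAMPLE_LOG = (
    # Password guesser: six POSTs to the login form in six seconds.
    [line("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(6)]
    # Ordinary user: one mistyped password, then a successful login and a logout.
    + [line("198.51.100.20", 10, "GET", "/wp-login.php", 200),
       line("198.51.100.20", 12, "POST", "/wp-login.php", 200),
       line("198.51.100.20", 20, "GET", "/wp-login.php", 200),
       line("198.51.100.20", 22, "POST", "/wp-login.php", 302),
       line("198.51.100.20", 30, "GET", "/wp-login.php?action=logout", 302)]
    # Visitor who never touches the login endpoints.
    + [line("192.0.2.50", 40, "GET", "/index.php", 200)]
)


def banned_hosts(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Map each host that reaches maxretry matches within findtime to its hit count."""
    hits, banned = defaultdict(deque), {}
    for entry in lines:
        m, ts = PATTERN.search(entry), STAMP.search(entry)
        if not (m and ts):
            continue
        when = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S %z")
        window = hits[m["host"]]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()  # drop matches older than findtime
        if len(window) >= maxretry:
            banned.setdefault(m["host"], len(window))
    return banned


if __name__ == "__main__":
    print(banned_hosts(SAMPLE_LOG))
```

To check the real filter against your own log file, run `sudo fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/wordpress.conf`.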

Points worth noting if this doesn’t work

The path to your access logs is an essential aspect to consider. For instance, in a server environment such as Virtualmin, each domain may have a separate access log file located in a unique path. This structure is important because it allows for domain-specific monitoring and troubleshooting. The specific path to these logs can vary based on your server configuration and the hosting environment. Generally, these logs are stored in a directory like /var/log/ or a subdirectory within the domain’s folder. You will also need to have a way to monitor and flag failed logins in your server logs so that they can be captured by fail2ban.
