
WP fail2ban

Write all login attempts to syslog for integration with fail2ban.

WP_FAIL2BAN_BLOCK_USER_ENUMERATION - what's it all about?

Brute-forcing WP requires knowing a valid username. Unfortunately, WP makes this all but trivial.

Based on a suggestion from geeklol and a plugin by ROIBOT, WPf2b can now block user enumeration attempts. Just add the following to wp-config.php:

define('WP_FAIL2BAN_BLOCK_USER_ENUMERATION',true);

WP_FAIL2BAN_PROXIES - what's it all about?

The idea here is to list the IP addresses of the trusted proxies that will appear as the remote IP for the request. When defined:

  • If the remote address appears in the WP_FAIL2BAN_PROXIES list, WPf2b will log the IP address from the X-Forwarded-For header
  • If the remote address does not appear in the WP_FAIL2BAN_PROXIES list, WPf2b will return a 403 error
  • If there's no X-Forwarded-For header, WPf2b will behave as if WP_FAIL2BAN_PROXIES isn't defined

To set WP_FAIL2BAN_PROXIES, add something like the following to wp-config.php:

define('WP_FAIL2BAN_PROXIES','192.168.0.42,192.168.42.0/24');

WPf2b doesn't do anything clever with the list - beware of typos!
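The following is an added example, not code from the plugin itself: it models the three rules above as a small PHP function so you can see what WPf2b is being asked to decide for a given request. The function names, the IPv4-only CIDR matching, and the choice of the left-most X-Forwarded-For entry as the client address are all assumptions (the FAQ does not say how the plugin parses the list or a multi-hop header); it assumes 64-bit PHP 7.1 or later.

```php
<?php
// Added example (not the plugin's own code). Models the WP_FAIL2BAN_PROXIES
// decision described in the FAQ. All function names are hypothetical.

/**
 * Does IPv4 address $ip fall inside $entry, where $entry is either a single
 * address ("192.168.0.42") or a CIDR range ("192.168.42.0/24")?
 * Malformed entries never match: the FAQ warns that typos are not caught.
 */
function wpf2b_example_ip_in_entry(string $ip, string $entry): bool
{
    $entry = trim($entry);
    if (strpos($entry, '/') === false) {
        return $ip === $entry;                      // plain address: exact match
    }
    list($net, $bits) = explode('/', $entry, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false || !ctype_digit($bits)) {
        return false;
    }
    $bits = (int) $bits;
    if ($bits < 0 || $bits > 32) {
        return false;
    }
    // Build the network mask; the & 0xFFFFFFFF keeps it to 32 bits on 64-bit PHP.
    $mask = $bits === 0 ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($netLong & $mask);
}

/**
 * Decide what to log for a request.
 *   $remoteAddr  the TCP peer, i.e. $_SERVER['REMOTE_ADDR']
 *   $xff         raw X-Forwarded-For header value, or null when absent
 *   $proxies     value of WP_FAIL2BAN_PROXIES, or null when not defined
 * Returns ['ip' => address to log] or ['status' => 403].
 */
function wpf2b_example_resolve_client_ip(string $remoteAddr, ?string $xff, ?string $proxies): array
{
    // Rule 3: no X-Forwarded-For header -> behave as if the constant were undefined.
    if ($proxies === null || $xff === null || trim($xff) === '') {
        return ['ip' => $remoteAddr];
    }
    foreach (explode(',', $proxies) as $entry) {
        if (wpf2b_example_ip_in_entry($remoteAddr, $entry)) {
            // Rule 1: the peer is a trusted proxy -> log the forwarded address.
            // A chained header looks like "client, proxy1, proxy2"; using the
            // left-most element is an assumption. It is only as trustworthy as
            // the listed proxies, which must overwrite (not append to) the header.
            $chain = array_map('trim', explode(',', $xff));
            return ['ip' => $chain[0]];
        }
    }
    // Rule 2: X-Forwarded-For arriving from an unlisted peer -> 403.
    return ['status' => 403];
}

// Constructed sample requests (not real traffic), using the FAQ's example list.
$proxies = '192.168.0.42,192.168.42.0/24';
foreach ([
    ['192.168.42.7', '203.0.113.9'],   // trusted proxy forwarding a client
    ['10.0.0.5',     '203.0.113.9'],   // untrusted peer sending the header
    ['10.0.0.5',     null],            // header absent
] as list($peer, $xff)) {
    print_r(wpf2b_example_resolve_client_ip($peer, $xff, $proxies));
}
```

The second sample is the case to keep in mind when deploying this: a client that connects directly while sending its own X-Forwarded-For header is refused with a 403 rather than allowed to choose the address that fail2ban will ban, which is the whole point of listing the proxies explicitly.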

WP_FAIL2BAN_BLOCKED_USERS - what's it all about?

The bots that try to brute-force WordPress logins aren't that clever (no doubt that will change), but they may only make one request per IP every few hours in an attempt to avoid things like fail2ban. With large botnets this can still create significant load.

Based on a suggestion from jmadea, WPf2b now allows you to specify a regex that will shortcut the login process if the requested username matches.

For example, putting the following in wp-config.php:

define('WP_FAIL2BAN_BLOCKED_USERS','^admin$');

will block any attempt to log in as admin before most of the core WordPress code is run. Unless you go crazy with it, a regex is usually cheaper than a call to the database so this should help keep things running during an attack.

WPf2b doesn't do anything to the regex other than make it case-insensitive.
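As an added illustration (not the plugin's own code) of how a WP_FAIL2BAN_BLOCKED_USERS value is applied, the function below wraps the bare pattern from wp-config.php in PCRE delimiters, makes it case-insensitive as the FAQ states, and handles an invalid pattern. The function name, the choice of delimiter, and the fail-open behaviour on a broken regex are assumptions; the multi-name pattern is a constructed example, not a recommendation from the page.

```php
<?php
// Added example (not the plugin's code): models matching a submitted username
// against the WP_FAIL2BAN_BLOCKED_USERS regex. Function name is hypothetical.

/**
 * True when $username matches $pattern case-insensitively.
 * $pattern is a bare expression such as '^admin$', so delimiters and the
 * 'i' modifier are added here.
 */
function wpf2b_example_username_is_blocked(string $username, string $pattern): bool
{
    // '#' is used as the delimiter; escape any literal '#' in the pattern so a
    // value like '^admin#1$' cannot terminate the expression early.
    $regex  = '#' . str_replace('#', '\#', $pattern) . '#i';
    $result = @preg_match($regex, $username);
    if ($result === false) {
        // Invalid regex: log and let the login continue rather than refusing
        // every user (policy choice assumed here, not stated by the plugin).
        error_log('WP_FAIL2BAN_BLOCKED_USERS is not a valid regex: ' . $pattern);
        return false;
    }
    return $result === 1;
}

// Constructed example pattern covering several names bots commonly try.
$pattern = '^(admin|administrator|root)$';

// Constructed usernames; 'admin2' shows why the anchors matter.
foreach (['admin', 'ADMIN', 'administrator', 'editor', 'admin2'] as $u) {
    printf("%-14s %s\n", $u, wpf2b_example_username_is_blocked($u, $pattern) ? 'blocked' : 'allowed');
}
```

Because the check runs before WordPress looks the user up, a pattern that accidentally matches a real account name locks that account out entirely; test the expression against your actual usernames before setting the constant.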

Why is fail2ban complaining on my flavour of Linux?

Depending on your fail2ban configuration, you may need to add a line like:

port = http,https

to the [wordpress] section in jail.local.
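For context, here is an added jail.local fragment (not shipped with the plugin) showing where that port line sits. The filter name, log path, and retry/ban values are assumptions; the log path in particular depends on where your distribution's syslog writes the auth facility.

```ini
# Added example, not part of the plugin. Values other than the port line are assumptions.
[wordpress]
enabled  = true
filter   = wordpress
logpath  = /var/log/auth.log
# Without this, fail2ban may fall back to a default port list and complain.
port     = http,https
maxretry = 3
bantime  = 3600
```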

Requires: 3.4.0 or higher
Compatible up to: 3.6.1
Last Updated: 2013-8-28
Downloads: 7,154

Ratings: 5 out of 5 stars

Support

2 of 3 support threads in the last two months have been resolved.
