Write all login attempts to syslog for integration with fail2ban.
Brute-forcing WP requires knowing a valid username. Unfortunately, WP makes this all but trivial.
Based on a suggestion from geeklol and a plugin by ROIBOT, WPf2b can now block user enumeration attempts. Just add the following to
The idea here is to list the IP addresses of the trusted proxies that will appear as the remote IP for the request. When defined:
* If the remote address appears in the WP_FAIL2BAN_PROXIES list, WPf2b will log the IP address from the
* If the remote address does not appear in the WP_FAIL2BAN_PROXIES list, WPf2b will return a 403 error
WP_FAIL2BAN_PROXIES, add something like the following to
WPf2b doesn't do anything clever with the list - beware of typos!
The bots that try to brute-force WordPress logins aren't that clever (no doubt that will change), but they may only make one request per IP every few hours in an attempt to avoid things like fail2ban. With large botnets this can still create significant load.
Based on a suggestion from jmadea, WPf2b now allows you to specify a regex that will shortcut the login process if the requested username matches.
For example, putting the following in
will block any attempt to log in as admin before most of the core WordPress code is run. Unless you go crazy with it, a regex is usually cheaper than a call to the database, so this should help keep things running during an attack.
WPf2b doesn't do anything to the regex other than make it case-insensitive.
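The two trust rules for WP_FAIL2BAN_PROXIES and the username shortcut described above, modelled in Python as an added illustration (this is not the plugin's own code). It assumes the forwarded client address arrives in an X-Forwarded-For header and uses constructed proxy and regex values.

```python
import ipaddress
import re

# Constructed values for this illustration, in the comma-separated form the
# text describes for WP_FAIL2BAN_PROXIES, plus a username regex of the kind
# the shortcut accepts. Neither comes from the plugin itself.
PROXIES = "192.0.2.10,198.51.100.0/24"
BLOCKED_USER_RE = r"^admin$"


def parse_proxies(value):
    """Parse a comma-separated list of IPs and CIDR ranges into networks.

    The plugin does nothing clever with the list, so a typo would quietly
    break the trust decision; here a malformed entry raises ValueError.
    """
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in value.split(",") if e.strip()]


def resolve_client_ip(remote_addr, forwarded_for, proxies):
    """Return (status, ip_to_log) following the two rules above.

    remote_addr is the TCP peer; forwarded_for is the proxy-supplied header
    value (assumed here to be X-Forwarded-For). A peer that is not a trusted
    proxy gets 403 and nothing is logged for it.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in proxies):
        return 403, None
    if not forwarded_for:
        # A trusted proxy sent no header: do not fall back to logging the
        # proxy's own address, or fail2ban would end up banning your proxy.
        return 200, None
    # Take the rightmost entry, the one appended by the trusted proxy;
    # anything to its left was supplied by the client and is untrusted.
    client = forwarded_for.split(",")[-1].strip()
    return 200, str(ipaddress.ip_address(client))


def login_shortcut_blocks(username, pattern):
    """Mimic the username shortcut: a case-insensitive regex match rejects
    the login before any database work, which is what keeps it cheap."""
    return re.search(pattern, username, re.IGNORECASE) is not None
```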
Depending on your fail2ban configuration, you may need to add a line like:
port = http,https
[wordpress] section in