Title: WP Fail2Ban Redux
Author: Brandon Allen
Published: July 13, 2016
Last modified: May 27, 2025

---

# WP Fail2Ban Redux

 By [Brandon Allen](https://profiles.wordpress.org/thebrandonallen/)

[Download](https://downloads.wordpress.org/plugin/wp-fail2ban-redux.0.9.2.zip)

## Description

WP Fail2Ban Redux records various WordPress events to your server’s system log for
integration with [Fail2Ban](http://www.fail2ban.org/).

This plugin is (_mostly_) a drop-in replacement for [WP fail2ban](https://wordpress.org/plugins/wp-fail2ban/)
by [Charles Lecklider](https://charles.lecklider.org/).

While WP fail2ban is a great plugin, there are a number of improvements that could
be made. In order to facilitate these improvements, a major refactoring of the codebase
was necessary.

The core functionality between _WP Fail2Ban Redux_ and WP fail2ban remains the same.
_WP Fail2Ban Redux_ is considered to be _mostly_ a drop-in replacement, because 
all constants have been replaced with filters, and will, possibly, require some 
upgrade work. Don’t worry, it’s as simple as implementing the constants.

**The following events are recorded by default:**

 * Failed XML-RPC authentication attempts.
 * Successful authentication attempts.
 * Failed authentication attempts — differentiated by a user’s existence.
 * Pingback errors.

**The following events can be enabled via filter:**

 * Pingback requests.
 * Blocked user enumeration attempts.
 * Authentication attempts for blocked usernames.
 * Spammed comments.

Extra documentation is available on the [WP Fail2Ban Redux GitHub Wiki](https://github.com/thebrandonallen/wp-fail2ban-redux/wiki).

## Installation

 1. Upload the plugin to your plugins directory.
 2. Activate the plugin through the ‘Plugins’ menu in WordPress.
 3. Copy the `config/filters/wordpress-hard.conf` and `config/filters/wordpress-soft.conf`
    files to your Fail2Ban filters directory (generally `/etc/fail2ban/filters.d`).
 4. Copy the `config/jail/wordpress.conf` file to your Fail2Ban jail directory (generally
    `/etc/fail2ban/jail.d`), or append its contents to your `jail.local` file. **_Make
    sure you read the notes in this file to aid successful setup._**
 5. Reload or restart Fail2Ban.

## FAQ

### How do I upgrade from WP fail2ban?

If you haven’t set any of the WP fail2ban constants, you don’t need to do anything.
If you have set some of the constants, [view the upgrade instructions](https://github.com/thebrandonallen/wp-fail2ban-redux/wiki/Upgrading-from-WP-fail2ban).

### Will the `wordpress-hard.conf` and `wordpress-soft.conf` filters still work?

Yes! All of the improvements made in _WP Fail2Ban Redux_ were done in a way that
would allow existing functionality to work without changes to your filters. However,
the demo filters included with the plugin do contain some recommended changes. There
are also new features not found in WP fail2ban that will require changes to your
filters to be effective. These changes are linked, by filter, below:

 * [wordpress-hard.conf](https://github.com/thebrandonallen/wp-fail2ban-redux/compare/e3ec3c9...master#diff-3f035b688aa51aa342856e0efe9e5fb35628c3919dd60237c64cbbb9e337a4c7)
 * [wordpress-soft.conf](https://github.com/thebrandonallen/wp-fail2ban-redux/compare/e3ec3c9...master#diff-ab6c3eee8b8a798511f7315fcbc84eb594f13cf59fca287d2791dffb6e6d5e05)

_Be ye forewarned: Future changes to WP fail2ban may break backwards compatibility
with WP Fail2Ban Redux filters. No attempts will be made to fix this. So, even though
it’s not required, it is probably a good idea to update the filters anyway._

### Can I use this as a must-use plugin in the `mu-plugins` folder?

As of version 0.5.0, yes! Download the plugin, and unzip. Inside the plugin folder
will be another folder named `wp-fail2ban-redux` and `wp-fail2ban-redux.php`. Upload
this folder and file to the `mu-plugins` directory of your site.

### How do I use this plugin if my site is behind a proxy, like Cloudflare?

You need to add some code to your `wp-config.php` file. See the links below for
guidance.

 * https://core.trac.wordpress.org/ticket/9235#comment:39
 * https://stackoverflow.com/questions/14985518/cloudflare-and-logging-visitor-ip-addresses-via-in-php/14985633#14985633
 * https://support.cloudflare.com/hc/en-us/articles/200170916#12345680
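
One way to write the `wp-config.php` code this answer refers to, as an added example that is not from the plugin or the linked pages. It assumes the goal is to set `$_SERVER['REMOTE_ADDR']` from the proxy's client-IP header, and it does so only when the connection itself comes from a listed proxy range, because anyone who can reach the origin directly can forge that header and put a wrong address into the log Fail2Ban acts on. The `example_*` names, the placeholder ranges and the header key are assumptions.

```php
<?php
// Added example, not part of the plugin. When pasting into wp-config.php,
// omit the opening tag and place this above the "stop editing" line.

// Assumption: placeholder ranges (RFC 5737 / RFC 3849 documentation
// prefixes). Replace with the ranges your proxy provider publishes.
$example_trusted_proxies = array( '192.0.2.0/24', '2001:db8::/32' );

// Assumption: header carrying the visitor address (Cloudflare sends
// CF-Connecting-IP, which PHP exposes under this key).
$example_client_ip_key = 'HTTP_CF_CONNECTING_IP';

// True when $ip falls inside $cidr; handles IPv4 and IPv6.
function example_ip_in_cidr( $ip, $cidr ) {
	$parts = explode( '/', $cidr, 2 );
	if ( ! filter_var( $ip, FILTER_VALIDATE_IP ) || ! filter_var( $parts[0], FILTER_VALIDATE_IP ) ) {
		return false;
	}
	$ip_bin  = inet_pton( $ip );
	$net_bin = inet_pton( $parts[0] );
	if ( strlen( $ip_bin ) !== strlen( $net_bin ) ) {
		return false; // Different address families never match.
	}
	$bits = isset( $parts[1] ) ? (int) $parts[1] : strlen( $net_bin ) * 8;
	$bits = max( 0, min( $bits, strlen( $net_bin ) * 8 ) );
	$full = intdiv( $bits, 8 ); // Whole bytes covered by the prefix.
	$rest = $bits % 8;          // Leftover bits in the next byte.
	if ( substr( $ip_bin, 0, $full ) !== substr( $net_bin, 0, $full ) ) {
		return false;
	}
	if ( 0 === $rest ) {
		return true;
	}
	$mask = ( 0xff << ( 8 - $rest ) ) & 0xff;
	return ( ord( $ip_bin[ $full ] ) & $mask ) === ( ord( $net_bin[ $full ] ) & $mask );
}

// Rewrite REMOTE_ADDR only when the TCP peer is a trusted proxy and the
// header holds a syntactically valid address; otherwise leave it alone.
$example_peer    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
$example_claimed = isset( $_SERVER[ $example_client_ip_key ] ) ? trim( $_SERVER[ $example_client_ip_key ] ) : '';
if ( filter_var( $example_claimed, FILTER_VALIDATE_IP ) ) {
	foreach ( $example_trusted_proxies as $example_cidr ) {
		if ( example_ip_in_cidr( $example_peer, $example_cidr ) ) {
			$_SERVER['REMOTE_ADDR'] = $example_claimed;
			break;
		}
	}
}
```

Requests that arrive from outside the listed ranges keep their real peer address, so a forged header on a direct connection has no effect on what gets logged.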

## Reviews

### [working fine](https://wordpress.org/support/topic/working-fine-186/)

 [thedaysse](https://profiles.wordpress.org/thedaysse/) April 28, 2025

I really like the way it doesn’t prompt me to upgrade to a version with paid features.

### [nice and clean, works great!](https://wordpress.org/support/topic/nice-and-clean-works-great-2/)

 [brt](https://profiles.wordpress.org/brt/) July 26, 2024

no premium/freemium blocklist scam, just does what it’s supposed to do. super easy
to install, no configuration within wordpress needed! just install the plugin and
set up fail2ban using the provided config files (filters, jail) love it. thanks!

### [If you already have fail2ban, this is a must](https://wordpress.org/support/topic/if-you-already-hace-fail2ban-this-is-a-must/)

 [ABCdatos](https://profiles.wordpress.org/abcdatos/) August 5, 2022

Easy, effective, no unnecessary control panel, no premium parts, no boring messages,
it just does the work! Having fail2ban already configured in the server, I installed
it on a bunch of WP sites. Locking repetitive attackers, it saves some server resources
peaks. Really thanks for the plugin.

### [Awesome plugin](https://wordpress.org/support/topic/awesome-plugin-6011/)

 [teeboy4real](https://profiles.wordpress.org/teeboy4real/) July 6, 2021

This plugin is underrated and is a must have for wordpress security.

### [Perfect!](https://wordpress.org/support/topic/perfect-8268/)

 [thnilsen](https://profiles.wordpress.org/thnilsen/) March 9, 2021

Could not be simpler to use this plugin. The original plugin that this one replaces
was just awful to set up with the free version. This one is just to install and activate,
then make sure you have the apache-auth filter active in your Fail2Ban configuration.
Thanks!!

### [Works perfect!](https://wordpress.org/support/topic/works-perfect-793/)

 [galactica333](https://profiles.wordpress.org/galactica333/) May 28, 2020

I use this plugin on my wordpress installations and all failed logins are reliably
logged to the auth.log of the server. Even though the plugin has not yet been tested
with WordPress 5.4.1, it is working good for me.

 [ Read all 15 reviews ](https://wordpress.org/support/plugin/wp-fail2ban-redux/reviews/)

## Contributors & Developers

“WP Fail2Ban Redux” is open source software. The following people have contributed
to this plugin.

Contributors

 * [Brandon Allen](https://profiles.wordpress.org/thebrandonallen/)

“WP Fail2Ban Redux” has been translated into 3 locales. Thank you to [the translators](https://translate.wordpress.org/projects/wp-plugins/wp-fail2ban-redux/contributors)
for their contributions.

[Translate “WP Fail2Ban Redux” into your language.](https://translate.wordpress.org/projects/wp-plugins/wp-fail2ban-redux)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/wp-fail2ban-redux/),
check out the [SVN repository](https://plugins.svn.wordpress.org/wp-fail2ban-redux/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/wp-fail2ban-redux/)
by [RSS](https://plugins.trac.wordpress.org/log/wp-fail2ban-redux/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 0.9.2

 * Release date: 2025-05-27
 * Bumps “Tested up to” version to 6.8
 * Bumps minimum required PHP version to 7.4
 * Bumps minimum required WP version to 5.8
 * Add a new regex rule for XMLRPC authentication failure to both filters (soft 
   and hard)
 * Update dependency package versions

#### 0.9.1

 * Release date: 2023-10-17
 * Bumps “Tested up to” version to 6.4
 * Bumps minimum required PHP version to 7.0
 * Bumps minimum required WP version to 5.5
 * Update dependency package versions
 * No changes to jail or filters in the release.

#### 0.8.3

 * Release date: 2023-10-17
 * Bumps “Tested up to” version to 5.9
 * No changes to jail or filters in the release.

#### 0.8.2

 * Release date: 2021-08-08
 * Bumps “Tested up to” version to 5.8
 * No changes to jail or filters in the release.

#### 0.8.1

 * Release date: 2021-06-01
 * Actually bumps “Tested up to” version to 5.7

#### 0.8.0

 * Release date: 2021-05-31
 * Bumps “Tested up to” version to 5.7
 * Fix issue where logging out of WordPress could cause a blocked user log to be
   recorded

#### 0.7.0

 * Release date: 2021-01-05
 * Bumps “Tested up to” version to 5.6
 * Move Composer dependencies to `require-dev` to reduce the number of packages
   installed when WP Fail2Ban Redux is installed via composer. See
   https://github.com/thebrandonallen/wp-fail2ban-redux/pull/17

#### 0.6.0

 * Release date: 2020-06-07
 * Bumps the minimum required version to WordPress 4.9.
 * Bumps “Tested up to” version to 5.4.1

#### 0.5.1

 * Release date: 2019-09-05
 * **This release requires an update to the `wordpress-hard.conf` file, in order
   to fix an issue with matches failing for XML-RPC multicall authentication failures.
   See https://github.com/thebrandonallen/wp-fail2ban-redux/pull/13/commits/2e3a3867749be7839edfae5707b62921c36ecd85**
 * Fix issue where XML-RPC multicall authentication failures weren’t correctly matched
   by Fail2Ban with the `wordpress-hard.conf` filter.

#### 0.5.0

 * Release date: 2018-10-27
 * Add better support for use as a must-use plugin in the `mu-plugins` directory.

#### 0.4.0

 * Release date: 2018-01-15
 * Bumped the minimum required WordPress version to 4.5.
 * Bumped the minimum required PHP version to 5.3. This is a soft bump, meaning
   nothing changed that will break PHP 5.2 compatibility. However, this could easily
   change in the future, and PHP 5.2 is no longer actively tested.
 * Renamed the `wp_fail2ban_redux_openlog_indent` filter to `wp_fail2ban_redux_openlog_ident`,
   because… it was misspelled.

#### 0.3.1

 * Release date: 2017-05-18
 * Bump minimum required WordPress version to 4.4.
 * Performance improvements when not blocking user enumeration.
 * Use `wp_die` to exit, to allow for greater customization of exit messages.
 * Exit messages are now escaped using `esc_html`.
 * Refactored plugin loading.
 * You can now create your own, custom, logging class, in case you don’t want to
   use the standard `syslog()` output.

#### 0.3.0

 * Superseded by 0.3.1

#### 0.2.1

 * Release date: 2017-02-15
 * Fix a stupid syntax error in the comment spam filter 🙁 Thanks to @ichtarzan 
   for reporting!

#### 0.2.0

 * Release date: 2016-09-27
 * Fixed PHP notices where `WP_Fail2Ban_Redux::comment_spam` expects two parameters.
   Decided it was probably a good idea to oblige.
 * User enumeration blocking now checks for both the `author` and `author_name` 
   parameters. The `author_name` parameter could be used to validate the existence
   of a particular username, so blocking on this parameter as well will further 
   reduce the attack surface.
 * Fixes an issue where user enumeration blocking was overzealous and would prevent
   actions in the admin area. Props [pjv](https://github.com/pjv). [#2](https://github.com/thebrandonallen/wp-fail2ban-redux/issues/2)
 * `WP_Fail2Ban_Redux::redirect_canonical` is now deprecated. If you were doing 
   anything with this function, or the hook that initialized it, you should look
   at `WP_Fail2Ban_Redux::user_enumeration` instead.
 * Added a note to `wordpress.conf` about the `logpath` parameter, and common auth
   log locations. _There is no need to change existing configurations._ This is
   merely to aid setup for future users.

#### 0.1.1

 * Release date: 2016-07-23
 * In PHP < 7.0, `exit` isn’t allowed as a method name. `WP_Fail2Ban_Redux_Log::exit`
   is now `WP_Fail2Ban_Redux_Log::_exit`.

#### 0.1.0

 * Release date: 2016-07-13
 * Initial release.

## Meta

 * Version **0.9.2**
 * Last updated **1 year ago**
 * Active installations **7,000+**
 * WordPress version **5.8 or higher**
 * Tested up to **6.8.5**
 * PHP version **7.4 or higher**
 * Languages: [English (US)](https://wordpress.org/plugins/wp-fail2ban-redux/), [Greek](https://el.wordpress.org/plugins/wp-fail2ban-redux/),
   [Spanish (Chile)](https://cl.wordpress.org/plugins/wp-fail2ban-redux/), and [Spanish (Spain)](https://es.wordpress.org/plugins/wp-fail2ban-redux/).
 * [Translate into your language](https://translate.wordpress.org/projects/wp-plugins/wp-fail2ban-redux)
 * Tags: [fail2ban](https://wordpress.org/plugins/tags/fail2ban/), [login](https://wordpress.org/plugins/tags/login/),
   [security](https://wordpress.org/plugins/tags/security/), [syslog](https://wordpress.org/plugins/tags/syslog/)
 * [Advanced View](https://wordpress.org/plugins/wp-fail2ban-redux/advanced/)

## Ratings

 5 out of 5 stars.

 * [15 5-star reviews](https://wordpress.org/support/plugin/wp-fail2ban-redux/reviews/?filter=5)
 * [0 4-star reviews](https://wordpress.org/support/plugin/wp-fail2ban-redux/reviews/?filter=4)
 * [0 3-star reviews](https://wordpress.org/support/plugin/wp-fail2ban-redux/reviews/?filter=3)
 * [0 2-star reviews](https://wordpress.org/support/plugin/wp-fail2ban-redux/reviews/?filter=2)
 * [0 1-star reviews](https://wordpress.org/support/plugin/wp-fail2ban-redux/reviews/?filter=1)
