First: the best thing you can do for the security and performance of your WordPress site is install fail2ban on your server with reasonably tight settings (I'd allow more than the default three tries and ban for much longer than an hour). The next best step is to add WordPress login to the fail2ban system.
WP fail2ban looks after this. The idea is great, the code is not bad, but there are holes in it. Almost everyone who installs WP fail2ban has to make a lot of unnecessary changes for compatibility. Example here. We spent a couple of hours troubleshooting WP fail2ban for ourselves.
Really invisnet should go the last mile and make WP fail2ban work out of the box for almost everyone.
We're willing to contribute if there's an easy path to collaboration. Emailing code changes would not qualify as an easy path. When invisnet or we fix WP fail2ban, we're happy to raise our review to 5 stars. If you're not a developer (with time on your hands) be careful about putting up WP fail2ban as is. It probably won't do anything without changes.
I spent quite a lot of time troubleshooting the setup. It's not mentioned in the readme, but the plugin may need tweaking depending on your OS. For CentOS 6, I had to change the jail conf to monitor /var/log/messages. I did not have to change any of the plugin PHP code as someone mentioned in the forum (threw me off since I did it).
Also, I never got fail2ban to trigger the ban action even though it was regex matching (apparently a common issue). I ended up going with CSF LFD to ban per http://forum.configserver.com/viewtopic.php?f=6&t=6663#p20069
As my server already had fail2ban, this was just the perfect plugin against brute force attacks!
The configs suggested in the help did not work, so minor tweaks were needed.