Securing WordPress with Fail2ban

Friday, 06 February, 2015

WordPress is a great platform, but people often use trivial passwords such as “password123” or “John123”. Using dictionary or brute-force attacks it is possible to discover the chosen password, but by then it is already too late. That is why we’ve decided to write this post on securing WordPress with Fail2ban.

In case you have not made the first step please visit this link.

The first and most basic piece of advice: the “admin” user should change his or her username to “theAdmin” or something else.

Attackers usually target /wp-admin, i.e. the /wp-login login form. We can take advantage of this and use fail2ban to count login attempts from each IP address.

Securing WordPress

Edit /etc/fail2ban/jail.local and add the following jail at the end of the file:

bantime – number of seconds the IP will be banned (e.g. 360 = 6 minutes)

maxretry – how many times a bot must appear in the log before it is banned

action dest – the e-mail address ban notifications are sent to; change dest = abuse@example.com to your own address

Create new file /etc/fail2ban/filter.d/apache-wordpress.conf:

I made examples for other regexes in case you are using another way of logging in. That’s it! Simple, isn’t it?
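To show what the filter and the jail actually do, here is an added example that is not one of the post’s own configuration files: a small Python stand-in for fail2ban’s matching that applies an assumed failregex for POST /wp-login.php to constructed Apache access-log lines and reports which hosts would reach maxretry within findtime. The regex, the jail values and the log lines are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed filter body for /etc/fail2ban/filter.d/apache-wordpress.conf (a
# hypothetical stand-in for the post's own file): every POST to the login form
# counts as one failure. <HOST> is fail2ban's placeholder for the client address.
FAILREGEX = r'^<HOST> .* "POST /wp-login\.php'

# Assumed jail settings (hypothetical): ban after 5 hits within 600 seconds.
MAXRETRY = 5
FINDTIME = 600

APACHE_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

def failregex_to_python(failregex):
    """Translate a fail2ban failregex into a Python pattern with a 'host' group."""
    return re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))

def parse_time(line):
    """Timestamp of an Apache access-log line (UTC offset ignored in this demo)."""
    return datetime.strptime(APACHE_TS.search(line).group(1), "%d/%b/%Y:%H:%M:%S")

def offenders(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return the hosts the jail would ban: maxretry matches within findtime seconds."""
    pattern = failregex_to_python(FAILREGEX)
    recent = defaultdict(list)  # host -> timestamps of matches still inside the window
    banned = set()
    for line in lines:
        m = pattern.match(line)
        if not m:
            continue  # ordinary page views never count
        host, ts = m.group("host"), parse_time(line)
        # drop matches that have aged out of the findtime window, then add this one
        recent[host] = [t for t in recent[host] if ts - t <= timedelta(seconds=findtime)]
        recent[host].append(ts)
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned

# Constructed sample access-log lines (not real traffic): 203.0.113.7 hits the
# login form once 20 minutes earlier and then five times in five seconds,
# 198.51.100.2 logs in once, 203.0.113.9 only views the dashboard.
LOGIN = '%s - - [06/Feb/2015:%s +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/7.38"'
SAMPLE_LOG = [LOGIN % ("203.0.113.7", "09:40:00")]
SAMPLE_LOG += [LOGIN % ("203.0.113.7", "10:00:%02d" % s) for s in range(1, 6)]
SAMPLE_LOG.append(LOGIN % ("198.51.100.2", "10:00:03"))
SAMPLE_LOG.append('203.0.113.9 - - [06/Feb/2015:10:00:04 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
```

Calling offenders(SAMPLE_LOG) returns only 203.0.113.7; raising maxretry to 6 with the default findtime returns nothing, because the 09:40:00 hit has aged out of the window. With a real installation, fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-wordpress.conf performs the same matching against your actual log.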

Sebastijan Placento
