In case you have not made the first step please visit this link.
WordPress is a great platform, but people often use trivial passwords such as “password123” or “John123” etc. Using dictionary or brute force attacks it is possible to discover chosen password, but then it is too late. First and basic advice is that “admin” user should change his or hers username to “theAdmin” or something else.
Attackers usually target /wp-admin i.e. /wp-login.
We can take advantage of this and use fail2ban for detecting number of login attempts.
Edit /etc/fail2ban/jail.local, and at the end of the code add:
enabled = true
port = all
action = iptables[name=WP, port=http, protocol=tcp]
sendmail-whois[name=Wordpress wp-login hack, lines=15, firstname.lastname@example.org]
filter = apache-wordpress
logpath = /var/www/clients/client*/web*/log/*-access.log
maxretry = 6
bantime = 3600
bantime – number of seconds the IP will be banned (eg. 360 = 6 minutes)
maxretry – how many times a bot must appear in the log
change action dest = email@example.com
Create new file /etc/fail2ban/filter.d/apache-wordpress.conf:
#failregex = <HOST> - - "POST /wp-login.php HTTP/1.0" 200 \d+ "-" "-"
# bensig in the comments section below found this solution which should
# be much faster than the one I commented out above.
# I have not tested it yet, but it looks definitely right.
#failregex = ^<HOST> - - "POST /wp-login.php HTTP/1.1"
failregex = <HOST>.*] "POST /wp-login.php
#failregex = ^[a-zA-Z0-9\.]+ <HOST> .*POST.*/wp-login\.php HTTP.*
I made examples for other reg-exes in case you are using another way of logging in. That’s it! Simple, isn’t it?