WordPress is a very robust content-management system (CMS) that is free and open source. Because anyone can comment, create an account, and post on WordPress, many malicious actors have created networks of bots and servers that compromise and spam WordPress sites through brute-force attacks. The tool Fail2ban is useful in preventing unauthorized access to both your Droplet and your WordPress site. It notes suspicious or repeated login failures and proactively bans those IPs by modifying firewall rules for your Droplet.
In this guide, we will be using version 0.9.3 of Fail2ban on an Ubuntu 14.04 LAMP server, and integrating it with WordPress by using a spam log plugin.
To complete this guide, you need
One Ubuntu 14.04 Droplet using the one-click WordPress instance or your own WordPress Droplet
A non-root user configured with sudo privileges for administrative tasks. You can learn how to set this up by following our Ubuntu 14.04 initial server setup guide.
Set up and configure Fail2ban by following this How To Install and Use Fail2ban on Ubuntu 14.04 tutorial.
Follow the guide on How To Configure Secure Updates and Installations in WordPress on Ubuntu
First, log in to your WordPress site by visiting https://your_server_ip/wp-admin
in your browser and using the admin credentials you created while installing WordPress. Once logged in, you will see the following screen, which is your WordPress dashboard.
Look to the left sidebar for the word Plugins, which will appear about halfway down the sidebar. After clicking Plugins, you will see this screen:
Near the top, in the right section, you can click on Add New. This allows you to add new plugins to your WordPress site that can customize, secure, or extend your site. In this case, we will be searching for the Fail2ban plugin. The next screen will appear like this:
Enter Fail2ban in the search field, and press ENTER
on your keyboard. The results should return a screen that shows a few plugins, with the one to install being WP fail2ban.
Click Install Now to start the installation, where you will see two prompts: Activate Plugin and Return to Plugin Installer. Choose to Activate Plugin, and your browser will return you to the list of installed plugins, with the new WP fail2ban plugin in the list. At this time, you can click View details to see more information about your new plugin. There is also a FAQ that will help you understand how to enable features, like blocking of specific users that may be used to spam your WordPress site with content or comments.
This WordPress plugin includes a new custom Fail2ban filter. In this step, we will install that filter so Fail2ban can correctly parse and use the authentication logs being sent to the syslog.
First, move the filter from the WordPress plugin directory to the appropriate Fail2ban filter location. We will use the “hard” WordPress filter for better protection:
- sudo cp /var/www/html/wp-content/plugins/wp-fail2ban/filters.d/wordpress-hard.conf /etc/fail2ban/filter.d/
With your new wordpress-hard.conf
filter in place, you can point Fail2ban to the appropriate authentication log by editing the file /etc/fail2ban/jail.local
. A jail in Fail2ban refers to a series of rules and actions that provide the filters for IP addresses.
Open the file jail.local
using nano or your favorite text editor.
- sudo nano /etc/fail2ban/jail.local
Once the file is open, scroll to the bottom and append the following lines to the end. These lines enable the plugin, set the filter to the wordpress-hard.conf
filter we previously copied over to the filters.d
directory, set the appropriate logging destination for the access attempts, and specify that this traffic will come in on http
and https
ports.
[wordpress-hard]
enabled = true
filter = wordpress-hard
logpath = /var/log/auth.log
maxretry = 3
port = http,https
Save and close the file.
Next, you can restart Fail2ban to ensure the new filter is now in place by running this command in your terminal:
- sudo service fail2ban restart
In order to prevent you or other known users from being banned through accidental authentication failures, we recommend ignoring your own local computer’s public IP address.
If you are using a Linux-based OS, use this command:
curl ipecho.net/plain ; echo
Otherwise, visit http://checkip.dyndns.org
to determine your computer’s public IP address. If there are any other users of your WordPress site in alternate locations, you may want to find their addresses too.
Open jail.local
for editing again:
- sudo nano /etc/fail2ban/jail.local
The following line will list off any ignored IP addresses starting with the local server IP (localhost) with a space separating each other value for known hosts that you would like to have access to WordPress. Add this to DEFAULT section, under the ignoreip statement you added during the WordPress plugin setup steps.
ignoreip = 127.0.0.1/8 your_computer_ip
Save and exit your editor.
To test if the filter is working, you can log out of your WordPress site’s wp-admin site and log in again.
You can use this Fail2ban jail status to ensure that your successful login was not noted by the filter.
- sudo fail2ban-client status wordpress-hard
You should see results similar to this:
Status for the jail: wordpress-hard
|- filter
| |- File list: /var/log/auth.log
| |- Currently failed: 0
| `- Total failed: 0
`- action
|- Currently banned: 0
| `- IP list:
`- Total banned: 0
If you view the auth.log
file, you will see your successful login near the bottom of the file by using tail
which will show the last 10 lines of output:
- sudo tail /var/log/auth.log
The successful authentication will appear like this:
Month Day Hour:Minute:Second your_server wordpress(your_server_ip)[PID]: Accepted password for admin from your_computer_ip
If an unauthorized user or failed authentication appears in the logs, your new plugin will ensure that this IP is blocked from accessing your site by altering your firewall rules appropriately.
If you find your WordPress site is getting a very large amount of unauthorized login attempts and your log file is growing rapidly, you can rotate the log file out for a new one by editing the file /etc/logrotate.conf
.
- sudo nano /etc/logrotate.conf
Append these lines, which set the maximum size of the file, the permissions for the log, and the number of weeks. For example, you can set 4 as number of weeks the file will exist for before being refreshed:
/var/log/auth.log {
size 30k
create 0600 root root
rotate 4
}
Save and exit the file appropriately.
By following the steps in this guide, you installed and configured the Fail2ban plugin, excluded your local IP address, and tested your work. You also set up log rotation to keep your log files from growing indefinitely. Now your WordPress instance is much more robust and secure against unauthorized login attempts, comment spam, and intrusion on your site.
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Great tutorial. However you shouldn’t need to edit logrotate.conf. On my Ubuntu installation auth.log is already being rotated by the rsyslog script. I don’t know if rotating it twice would cause any issues, but it’s not necessary to add anyway.
Great article, I used this to improve my Wordpress security along with some tips from a blog post I found.
You have excellent tutorials DO crew. Keep up the good work.
Agree with rsmith4321. I received messages from cron.daily saying that ‘/etc/logrotate.conf:40 duplicate log entry for /var/log/auth.log’ auth.log is rotated by logrotate as defined in /etc/logrotate.d/rsyslog The default configuration is:
Following the instructions, I changed this way:
I don’t know the meaning of the suggested line
create 0600 root root
. The default owner-user/owner-group for auth.log is syslog:adm.I am having the same issue. I believe it is setup correctly. Fail2ban works for nginx-http-auth.
Here are my logs after failed attempts:
I used a VPN so it didnt ignore my IP. Here is my wordpress.conf as provided:
And my jail.local setting for wordpress
Regex debug:
I don’t understand why it’s not working. I am assuming has something to do with regex in the wordpress.conf, but when running debug, it matched it 24 times. For some reason it’s not banning them. Do I need to set a custom action/banaction?
Any ideas?
Thanks
Thanks for the tutorial! I have a question though. Can I use this WordPress jail for several WP sites on one server?
Great tutorial, as always. However, I am seeing some strange behavior.
Once I enable the wordpress filter, my ssh filter seems to stop working. After a reboot, the ssh filter is working again but the wordpress filter is not (confirmed with fail2ban-client status).
Both wordpress and ssh continue to log failed attempts in /var/log/auth.log but for some reason fail2ban refuses to work with both at the same time.
Any idea what might be causing this?