This article demonstrates how to use Fail2Ban to block IP addresses that try to brute-force a WordPress instance through its login form. The walk-through uses CentOS 7 with FirewallD. Be aware that if your site sits behind a reverse proxy or CDN such as CloudFlare, this method as written will not work: Apache logs the proxy's address, so Fail2Ban would ban the proxy and not the real client. In that setup the web server first has to be configured to log the originating client address (for example from the X-Forwarded-For header via mod_remoteip) before any log-based banning is useful.
Install Fail2Ban. Both packages come from the EPEL repository, so enable it first; fail2ban-firewalld pulls in the FirewallD-specific actions and defaults:
yum install epel-release
yum install fail2ban fail2ban-firewalld
Do not edit "/etc/fail2ban/jail.conf" directly; it is replaced on package upgrades. Instead create "/etc/fail2ban/jail.local" (Fail2Ban reads it after jail.conf and its settings take precedence) and add the following jail to it. Notice the log file to be monitored. You can either specify it exactly or use a wild-card, but the wild-card below also pulls in error_log and ssl_error_log, which this filter will never match; access_log and ssl_access_log are the files that matter:
[apache-wordpress-login]
enabled  = true
port     = http,https
filter   = apache-wordpress-login
logpath  = /var/log/httpd/*_log
bantime  = 36000
findtime = 600
maxretry = 1
The jail deliberately has no "action =" line. Without one, it picks up the global banaction (set to firewallcmd-ipset below); an explicit "action = iptables-multiport[...]" inside the jail would override that setting and call iptables directly, bypassing FirewallD. Also think about maxretry: the filter defined further down matches every POST to wp-login.php, whether the password was right or not, so maxretry = 1 bans an address after a single login attempt, including a legitimate one. On a site with more than one administrator, raise it to something like 3 to 5.
In the [DEFAULT] section of the same file, set ignoreip to include the address you administer from, so that you cannot lock yourself out:
ignoreip = 127.0.0.1/8 ::1 my.ip.address
Also in [DEFAULT], make firewallcmd-ipset the ban action so that bans go through FirewallD rather than raw iptables (the fail2ban-firewalld package ships the same default in "/etc/fail2ban/jail.d/00-firewalld.conf", so this is belt and braces):
#banaction = iptables-multiport
banaction = firewallcmd-ipset
Create the file “/etc/fail2ban/filter.d/apache-wordpress-login.conf” and enter the following content:
[Definition]
failregex = ^<HOST> .* "POST .*wp-login\.php
ignoreregex =
The <HOST> tag is mandatory: Fail2Ban uses it to extract the address to ban, and a failregex without it is rejected when the jail starts. The leading ^<HOST> assumes the client address is the first field of the line, as it is in Apache's default common and combined log formats. The dot in wp-login.php is escaped so it does not act as a wild-card. Note that an access log records the request, not whether the credentials were valid, so this expression counts successful logins as well as failed ones.
Enable and Start Fail2Ban:
systemctl enable fail2ban
systemctl start fail2ban
Check that the filter matches real log lines and that Fail2Ban is blocking hosts:
fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-wordpress-login.conf
fail2ban-client status apache-wordpress-login
firewall-cmd --direct --get-all-rules
ipset list
iptables -L -n
tail -f /var/log/fail2ban.log
fail2ban-regex reports how many lines of the given log the failregex matched, which is the quickest way to catch a typo in the expression. fail2ban-client status lists the currently banned addresses for the jail. The firewallcmd-ipset action creates an ipset named f2b-<jail name> and inserts a FirewallD direct rule that rejects traffic from it on the jail's ports; "firewall-cmd --list-all" only shows zone configuration and will not show these bans, so look at the direct rules, the ipset contents, or the resulting iptables rule instead.
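The following POSIX shell script is an added illustration, not part of the original article and not Fail2Ban code: it replays the jail's counting logic with grep and awk over a few constructed Apache access_log lines, so you can see what a given failregex and maxretry would ban without a live install. The <HOST> tag is approximated by an IP character class, timestamps are not evaluated (all sample lines are assumed to fall inside one findtime window), and the sample addresses come from the documentation ranges. It shows that a filter matching every POST to wp-login.php with maxretry = 1 also bans the one address that logged in successfully, while requiring a 200 response (a default WordPress install re-renders the form with status 200 on a failed login and answers a successful one with a 302 redirect) together with a higher maxretry leaves only the brute-forcer.

```shell
#!/bin/sh
# Added example (not from the original article): replay the jail's counting
# logic with grep/awk over constructed Apache access_log lines, so the effect
# of the failregex and maxretry can be seen without a live Fail2Ban install.
# Assumptions: combined log format with the client IP as the first field,
# and all lines inside one findtime window (timestamps are not evaluated).

# Constructed sample log. 203.0.113.7 hammers the form and gets 200 back each
# time (WordPress re-renders the form on a failed login); 198.51.100.23 logs
# in once successfully (302 redirect to wp-admin); 192.0.2.50 hits xmlrpc.php.
SAMPLE_LOG='203.0.113.7 - - [10/Jun/2019:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2334 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2019:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2019:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 2512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2019:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 2512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jun/2019:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jun/2019:10:01:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Jun/2019:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.21"'

# Turn a Fail2Ban failregex into a grep ERE: the <HOST> tag is approximated
# by a character class covering IPv4 and IPv6 literals (Fail2Ban's own
# expansion is more elaborate, but this is enough for access_log lines).
f2b_to_ere() {
    printf '%s' "$1" | sed 's/<HOST>/[0-9A-Fa-f.:]+/g'
}

# would_ban FAILREGEX MAXRETRY
# Prints, one per line and sorted, every client address whose number of
# matching lines reaches MAXRETRY, i.e. the addresses the jail would ban.
would_ban() {
    ere=$(f2b_to_ere "$1")
    printf '%s\n' "$SAMPLE_LOG" \
        | grep -E "$ere" \
        | awk -v max="$2" '{ hits[$1]++ }
                           END { for (ip in hits) if (hits[ip] >= max) print ip }' \
        | sort
}

# The article's filter: every POST to wp-login.php counts, so with
# maxretry = 1 the successful login from 198.51.100.23 is banned as well.
echo "any POST, maxretry=1:"
would_ban '^<HOST> .* "POST .*wp-login\.php' 1

# Refinement: require a 200 response (the re-rendered form) so successful
# logins (302) are ignored, and allow a few retries. Only the brute-forcer
# is left.
echo "POST with 200 response, maxretry=3:"
would_ban '^<HOST> .* "POST .*wp-login\.php[^"]*" 200 ' 3
```

Before adopting the 200-only variant on a real site, run fail2ban-regex against your own access_log with a known failed and a known successful login in it, since plugins or custom login flows can change the status codes WordPress returns.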