Brute-force login is one of the most common attacks against a WordPress site.
We want to block people after the 3rd wrong login; to be precise, we will block any IP from which we receive 3 failed login attempts in a short time.
Let’s see how to do it:
Prerequisites:
- your WordPress is installed on a Linux box
- you are the administrator
- you have installed Fail2Ban following the guide Protect SSH login with fail2ban
How fail2ban works
Fail2ban is a service that monitors log files for specific events and triggers specific commands when a defined number of events happens within a defined amount of time.
First of all we need a log file where the events we want to monitor are logged.
There are 2 possible choices. We can use the Apache HTTP log, where there is a line every time the login page is requested, and assume that an IP calling the login page many times is trying to log in many times. This assumption is not very precise: it is a sort of proxy of what we want to monitor and can create false positives. The second choice is to use a specific plugin in charge of writing a line in a log file every time there is a failed login attempt. This is a more accurate tracking of the event “failed login”.
We chose the “WP fail2ban” plugin; you can find a detailed description on the WP Fail2ban page.
1. Install WP Fail2ban plugin from your dashboard
2. Activate your plugin
From this moment on, all your failed logins are logged with details such as date, time, IP, etc. In our case (CentOS 6.7) they are logged in /var/log/messages.
Configure fail2ban to intercept failed logins
Create in /etc/fail2ban/filters.d a config file called wordpress.conf
with this content:
#
# Author: Charles Lecklider
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = wordpress

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
            ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
            ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
            ^%(__prefix_line)sPingback requested from <HOST>$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
If you prefer, you can take this file from the plugin directory and move it directly into /etc/fail2ban/filters.d.
After you create this filter, edit the fail2ban jail configuration file (/etc/fail2ban/jail.local)
and add these lines at the end of the file (the section header names the jail; "wordpress" is used here so that it matches the filter name):

# WordPress jail: counts the events matched by filters.d/wordpress.conf
[wordpress]
enabled = true
port = http,https
filter = wordpress
logpath = /var/log/messages
4. Restart fail2ban with
Your protection is active
How to test it:
– Write a wrong password during login in WP. Then check whether you see a log line about the failed login in /var/log/messages. This is the confirmation that the new plugin is working.
– Try to fail the login 3 times in a few minutes and you should no longer be able to access any page of your WP. Only ports 80 and 443 are blocked, which means you will still be able to ssh to your server.
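To see how the filter and the jail settings combine before touching the live server, here is an added example (not part of the original post or of the WP fail2ban plugin) that replays a constructed /var/log/messages excerpt through the plugin's four failregex lines and fail2ban's counting rule. It assumes: the `<HOST>` tag expands to the group quoted in the filter comment; `__prefix_line` is simplified to the syslog prefix the plugin writes (`<timestamp> <hostname> wordpress(<site>)[<pid>]: `); `maxretry` = 3 and `findtime` = 600 s, which the page's jail section inherits from jail.conf rather than setting itself; and `ADMIN_IPS` stands in for the addresses you never want banned, which fail2ban reads from the `ignoreip` option in jail.local. On stock fail2ban installs the filter directory is /etc/fail2ban/filter.d, and `fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/wordpress.conf` is the real-world equivalent of `match_failure` below.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# <HOST> as fail2ban expands it (quoted from the filter's own comment); the
# prefix is a simplified stand-in for fail2ban's __prefix_line (assumption).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
PREFIX = r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ wordpress\(\S+\)\[\d+\]: "
FAILREGEX = [re.compile(PREFIX + body + HOST + r"$") for body in (
    r"Authentication failure for .* from ",
    r"Blocked authentication attempt for .* from ",
    r"Blocked user enumeration attempt from ",
    r"Pingback requested from ",
)]

# Constructed /var/log/messages excerpt using documentation address ranges.
SAMPLE_LOG = """\
Jan 13 10:20:01 web wordpress(example.com)[4021]: Authentication failure for admin from 203.0.113.5
Jan 13 10:20:07 web wordpress(example.com)[4021]: Authentication failure for admin from 203.0.113.5
Jan 13 10:20:15 web wordpress(example.com)[4023]: Blocked user enumeration attempt from 203.0.113.5
Jan 13 10:21:02 web wordpress(example.com)[4024]: Authentication failure for editor from 198.51.100.9
Jan 13 10:40:30 web wordpress(example.com)[4030]: Authentication failure for editor from 198.51.100.9
Jan 13 10:41:00 web wordpress(example.com)[4031]: Authentication failure for editor from 198.51.100.9
Jan 13 10:42:00 web wordpress(example.com)[4032]: Authentication failure for admin from 192.0.2.10
Jan 13 10:42:03 web wordpress(example.com)[4032]: Authentication failure for admin from 192.0.2.10
Jan 13 10:42:05 web wordpress(example.com)[4032]: Authentication failure for admin from 192.0.2.10
Jan 13 10:43:00 web wordpress(example.com)[4035]: Accepted password for admin from 203.0.113.7
""".splitlines()

# Constructed stand-in for jail.local's ignoreip: your own fixed addresses.
ADMIN_IPS = ("192.0.2.10", "127.0.0.0/8")


def match_failure(line):
    """Return (timestamp, host) when one of the failregex lines matches, else None."""
    for regex in FAILREGEX:
        m = regex.match(line)
        if m:
            # syslog timestamps carry no year; the default year is fine for deltas
            return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("host")
    return None


def is_ignored(host, ignoreip):
    """True when host falls inside one of the ignoreip addresses or networks."""
    try:
        addr = ip_address(host)
    except ValueError:
        return False  # a hostname rather than an address: not whitelisted here
    return any(addr in ip_network(net, strict=False) for net in ignoreip)


def simulate_jail(lines, maxretry=3, findtime=600, ignoreip=ADMIN_IPS):
    """Replay log lines through fail2ban's counting rule.

    A host is banned once it has `maxretry` matches whose timestamps lie within
    `findtime` seconds of its newest match. Returns the banned hosts in ban order.
    """
    recent = defaultdict(deque)  # host -> timestamps of its recent failures
    banned = []
    for line in lines:
        hit = match_failure(line)
        if hit is None:
            continue
        ts, host = hit
        if host in banned or is_ignored(host, ignoreip):
            continue
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("would ban:", simulate_jail(SAMPLE_LOG))
```

With the constructed lines, 203.0.113.5 is banned on its third match within 14 seconds; 198.51.100.9 is not, because its first failure falls outside the 600 s window by the time the third arrives; 192.0.2.10 is never banned because it is whitelisted, and the successful login line matches no failregex at all.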
How to remove an IP from the block
First of all, put all your known IPs in /etc/fail2ban/jail.local in the variable knownip.
This will protect your locations with fixed IPs from being banned. In case it happened anyway, first of all log in to your server via ssh.
Check the status of your firewall:
…
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain f2b-SSH (1 references)
num  target     prot opt source               destination
1    REJECT     all  --  aa.bb.cc.dd          0.0.0.0/0            reject-with icmp-port-unreachable
2    REJECT     all  --  ee.ff.gg.hh          0.0.0.0/0            reject-with icmp-port-unreachable
3    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
…
As you can see, there is the list of each chain (FORWARD, OUTPUT, f2b-SSH, …) with its rules one by one. If you want to remove the block for the IP ee.ff.gg.hh, just ask iptables to remove the 2nd rule of the chain f2b-SSH.
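Reading the rule number off the listing by eye is error-prone, so here is an added example (not from the original post) that parses a constructed `iptables -L -n --line-numbers` listing, finds the REJECT rule for a given address in a given fail2ban chain, and prints the unban commands. It assumes fail2ban's default chain naming `f2b-<jail>`, so the WordPress jail from this page gets its own chain, `f2b-wordpress`, alongside `f2b-SSH`; the placeholder addresses are the page's own, and 203.0.113.5 is constructed. The preferred command is `fail2ban-client set <jail> unbanip <ip>`, which removes the firewall rule and updates fail2ban's own ban list; deleting the iptables rule by hand leaves fail2ban believing the ban is still in place, and rule numbers shift after every deletion, so a manual `iptables -D` must be recomputed from a fresh listing each time.

```python
import re

# Constructed `iptables -L -n --line-numbers` excerpt; aa.bb.cc.dd / ee.ff.gg.hh
# are the page's placeholders, 203.0.113.5 is a constructed banned address.
IPTABLES_OUTPUT = """\
Chain INPUT (policy ACCEPT)
num  target         prot opt source               destination
1    f2b-wordpress  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
2    f2b-SSH        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain f2b-SSH (1 references)
num  target     prot opt source               destination
1    REJECT     all  --  aa.bb.cc.dd          0.0.0.0/0            reject-with icmp-port-unreachable
2    REJECT     all  --  ee.ff.gg.hh          0.0.0.0/0            reject-with icmp-port-unreachable
3    RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-wordpress (1 references)
num  target     prot opt source               destination
1    REJECT     all  --  203.0.113.5          0.0.0.0/0            reject-with icmp-port-unreachable
2    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
# num target prot opt source destination [extra]
RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+\S+\s+\S+\s+(\S+)\s+(\S+)")


def parse_chains(output):
    """Map each chain name to its rules as (number, target, source) tuples."""
    chains, current = {}, None
    for line in output.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            chains[current].append((int(m.group(1)), m.group(2), m.group(3)))
    return chains


def banned_in(chains, chain):
    """Source address -> rule number for every REJECT rule in the chain."""
    return {src: num for num, target, src in chains.get(chain, []) if target == "REJECT"}


def jail_for_chain(chain):
    """Recover the jail name from fail2ban's default f2b-<jail> chain naming (assumption)."""
    return chain[len("f2b-"):] if chain.startswith("f2b-") else chain


def unban_commands(chains, chain, ip):
    """Return the preferred and the manual unban command for ip, or None if not banned there."""
    rules = banned_in(chains, chain)
    if ip not in rules:
        return None
    return {
        "preferred": f"fail2ban-client set {jail_for_chain(chain)} unbanip {ip}",
        # valid only against the listing it was computed from: numbers shift after a delete
        "manual": f"iptables -D {chain} {rules[ip]}",
    }


if __name__ == "__main__":
    chains = parse_chains(IPTABLES_OUTPUT)
    for chain in ("f2b-SSH", "f2b-wordpress"):
        print(chain, "bans:", banned_in(chains, chain))
    print(unban_commands(chains, "f2b-SSH", "ee.ff.gg.hh"))
```

On a real server, feed `iptables -L -n --line-numbers` output into `parse_chains` instead of the constructed string; for the page's example the listing yields rule 2 of f2b-SSH for ee.ff.gg.hh, and a ban raised by the WordPress jail shows up in f2b-wordpress, not in f2b-SSH.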
That’s all!