
How to Protect WordPress with Fail2Ban

January 31st, 2018

WordPress is a very robust content-management system (CMS) that is free and open source. Because anyone can comment, create an account, and post on WordPress, many malicious actors have built networks of bots and servers that compromise and spam WordPress sites through brute-force attacks. The tool Fail2Ban is useful in preventing unauthorized access to both your server and your WordPress site. It notes suspicious or repeated login failures and proactively bans those IPs by modifying your server's firewall rules.

Note: This tutorial assumes that you already have fail2ban installed and configured on your server. If you don't have fail2ban installed or configured, follow the How To Protect SSH with Fail2Ban on CentOS 6 tutorial before proceeding any further.

1. Installing the WordPress fail2ban Plugin

First, log in to your WordPress site by visiting https://your_server_ip/wp-admin in your browser and using the admin credentials you created while installing WordPress.

Once logged in, in the WordPress dashboard, look to the left sidebar for the word Plugins, which will appear about halfway down the sidebar.

Near the top, in the right section, you can click on Add New. This allows you to add new plugins to your WordPress site that can customize, secure, or extend your site. In this case, we will be searching for the fail2ban plugin.

Type fail2ban in the search field, and press ENTER on your keyboard.

Click Install Now to start the installation, where you will see two prompts: Activate Plugin and Return to Plugin Installer. Choose to Activate Plugin, and your browser will return you to the list of installed plugins, with the new WP fail2ban plugin in the list.

At this time, you can click View details to see more information about your new plugin.

2. Applying the WordPress Filter to Fail2Ban

This WordPress plugin includes a new custom fail2ban filter. In this step, we will install that filter so fail2ban can correctly parse and use the authentication logs being sent to the syslog.

First, move the filter from the WordPress plugin directory to the appropriate fail2ban filter location:

  • cp /var/www/html/wp-content/plugins/wp-fail2ban/wordpress.conf /etc/fail2ban/filter.d/

With your new wordpress.conf filter in place, you can point fail2ban to the appropriate authentication log by editing the file /etc/fail2ban/jail.local. A jail in fail2ban refers to a series of rules and actions that provide the filters for IP addresses.

Open the file jail.local using your favorite text editor.

  • vi /etc/fail2ban/jail.local

Once the file is open, scroll to the bottom and append the following lines to the end. These lines enable the jail, set its filter to the wordpress.conf filter we previously copied into the filter.d directory, set the log file in which fail2ban looks for the access attempts, and specify that the banned traffic arrives on the http and https ports.

[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/auth.log
port = http,https

Save and close the file.

Next, you can restart fail2ban to ensure the new filter is now in place by running this command:

  • service fail2ban restart
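To see what the jail above actually does with the log, here is an added example (not part of the original post or of the WP fail2ban plugin) that emulates fail2ban's filter-and-count logic in Python, which is the language fail2ban itself is written in. The failregex is an assumption modelled on the plugin's syslog messages rather than the plugin's own wordpress.conf, the log lines are constructed, and the maxretry/findtime defaults are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog timestamps carry no year; assume 2018 (the post's date) for the sample.
YEAR = 2018
TS_RE = re.compile(r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) ")
# Assumed failregex modelled on wp-fail2ban's syslog messages; NOT the plugin's wordpress.conf.
FAIL_RE = re.compile(
    r"wordpress\([^)]*\)(?:\[\d+\])?: "
    r"(?:Authentication failure for \S+|Authentication attempt for unknown user \S+) "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample of /var/log/auth.log lines (not a real capture).
SAMPLE_LOG = """\
Jan 31 10:00:01 web1 wordpress(example.com)[1234]: Authentication failure for admin from 198.51.100.7
Jan 31 10:00:05 web1 sshd[999]: Accepted publickey for deploy from 203.0.113.9 port 50000 ssh2
Jan 31 10:00:09 web1 wordpress(example.com)[1234]: Authentication attempt for unknown user root from 198.51.100.7
Jan 31 10:00:14 web1 wordpress(example.com)[1234]: Authentication failure for admin from 198.51.100.7
Jan 31 10:00:20 web1 wordpress(example.com)[1234]: Authentication failure for admin from 203.0.113.9
Jan 31 10:25:00 web1 wordpress(example.com)[1234]: Authentication failure for admin from 198.51.100.7
"""

def parse_failures(log_text):
    """Yield (timestamp, host) for every line the filter's failregex matches."""
    for line in log_text.splitlines():
        m_ts, m_fail = TS_RE.match(line), FAIL_RE.search(line)
        if m_ts and m_fail:
            ts = datetime.strptime(f"{YEAR} {m_ts['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m_fail["host"]

def find_bans(log_text, maxretry=3, findtime=600):
    """Emulate a jail: ban a host once it has `maxretry` matches within `findtime` seconds."""
    recent = defaultdict(deque)   # host -> timestamps of failures still inside the window
    banned = {}                   # host -> time of the ban decision
    for ts, host in parse_failures(log_text):
        if host in banned:
            continue              # a banned host is already dropped by the firewall
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            banned[host] = ts
    return banned

if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {host} at {when:%H:%M:%S}")
```

Against a live server, `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/wordpress.conf` runs the plugin's real filter over the real log and reports how many lines it matches, which is the quickest check that logpath and filter agree. Keep in mind that /var/log/auth.log is where Debian-family syslog writes authentication messages; on CentOS, which the prerequisite tutorial targets, the equivalent file is /var/log/secure.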

3. Rotating Your Log Files

If you find your WordPress site is getting a very large number of unauthorized login attempts and your log file is growing rapidly, you can rotate the log file out for a new one by editing the file /etc/logrotate.conf.

  • vi /etc/logrotate.conf

Append these lines, which set the size at which the file is rotated, the owner and permissions of the newly created log, and the number of rotated copies to keep. For example, you can set 4 as the number of weeks the file will exist before being refreshed:

/var/log/auth.log {
    size 30k
    create 0600 root root
    rotate 4
}

Save and close the file.

Now your WordPress instance is much more robust and secure against unauthorized login attempts, comment spam, and intrusion on your site.