Description

fail2ban is one of the simplest and most effective security measures you can implement to prevent brute-force attacks.

WP fail2ban logs all login attempts – including via XML-RPC, whether successful or not, to syslog using LOG_AUTH. For example:

Oct 17 20:59:54 foobar wordpress(www.example.com)[1234]: Authentication failure for admin from 192.168.0.1
Oct 17 21:00:00 foobar wordpress(www.example.com)[2345]: Accepted password for admin from 192.168.0.1

WPf2b comes with three fail2ban filters: wordpress-hard.conf, wordpress-soft.conf, and wordpress-extra.conf. These are designed to allow a split between immediate banning (hard) and the traditional more graceful approach (soft), with extra rules for custom configurations.

Features

NEW – Multisite Support
Version 4.3 introduces proper support for multisite networks.
NEW – Block username logins
Sometimes it’s not possible to block user enumeration (for example, if your theme provides Author profiles). Version 4.3 adds support for requiring the use of email addresses for login.
NEW – Filter for Empty Username Login Attempts
Some bots will try to login without a username. Version 4.3 logs these attempts and provides an “extra” filter to match them.
NEW – syslog Dashboard Widget
Ever wondered what’s being logged? The new dashboard widget shows the last 5 messages; the Premium version keeps a full history to help you analyse and prevent attacks.
Remote Tools Add-on
The Remote Tools add-on provides extra features without adding bloat to the core plugin. For more details see the add-on page.
Support for 3rd-party Plugins
Version 4.2 introduced a simple API for authors to integrate their plugins with WPf2b, with 2 experimental add-ons:
- Contact Form 7
- Gravity Forms
CloudFlare and Proxy Servers
WPf2b can be configured to work with CloudFlare and other proxy servers.
Comments
WPf2b can log comments (see WP_FAIL2BAN_LOG_COMMENTS) and attempted comments (see WP_FAIL2BAN_LOG_COMMENTS_EXTRA).
Pingbacks
WPf2b logs failed pingbacks, and can log all pingbacks. For an overview see WP_FAIL2BAN_LOG_PINGBACKS.
Spam
WPf2b can log comments marked as spam. See WP_FAIL2BAN_LOG_SPAM.
Block User Enumeration
WPf2b can block user enumeration.
Work-Arounds for Broken syslogd
WPf2b can be configured to work around most syslogd weirdness. For an overview see WP_FAIL2BAN_SYSLOG_SHORT_TAG and WP_FAIL2BAN_HTTP_HOST.
Blocking Users
WPf2b can be configured to short-cut the login process when the username matches a regex. For an overview see WP_FAIL2BAN_BLOCKED_USERS.
mu-plugins Support
WPf2b can easily be configured as a must-use plugin – see Configuration.

Installation

Install via the Plugin Directory, or upload to your plugins directory.
Activate the plugin through the ‘Plugins’ menu in WordPress.
Edit wp-config.php to suit your needs – see Configuration.

Reviews

mshallop August 23, 2021

Liked the plugin but cannot sustain the subscription atop all other subscriptions. Already have fail2ban installed and running at the OS level, which is actually free, making the plugin redundant. If you're not a devops, or uncomfortable with the cli, then this plugin is a better option for your site and you should absolutely consider installing and using. I also realize that the logs (output) is part of the subscription fee - but not seeing anything, anything, about the effectiveness of the plugin made me wonder if it was doing something other than taking up a slot in my plugin list. -1 for for stealth mode to encourage subscriptions. I think WP devs desperately need a better pricing model. Had this been an outright purchase in the $40 range, I probably would have bought it. But as a very small, ecom site, supporting the plugin isn't possible. -1 star for the pricing model. tl;dr: essential plugin if you're uncomfy with devops but factor subscription costs into the ROI for your site.

Cayo Medeiros July 4, 2021

If I already closed the upgrade notice, stop showing me again.

Koen Reus December 4, 2020

Recent spam and brute force attacks prompted me to install this plugin on my multisite network, and it works really well! It needs some minor configuration on the server up front, but once that was all set, it instantly started banning IP's that violated the defined filters. Highly recommended. Minor point of criticism: links to the documentation don't work in the plugin

humankind October 22, 2020

It's impossible to even evaluate the usefulness of this plugin because it's got lots of bugs. Upon installation the plugin provides links to documentation that results in 404 page not found. Then the documentation that is available doesn't seem to work properly. If you put the constants necessary to enable logging in the wp-config, it throws undefined variable warnings. The whole thing is a mess, and it constantly nags you to pay them money. The administrative interface doesn't work - it's just a decoration to show you what MIGHT work if you pay them money. This is NOT how you do Shareware or encourage people to use your products. I'll be looking for an alternative that actually works and isn't obnoxious. The really sad part is, this is a pay plugin that relies on a free, open source system, Fail2Ban. If I was going to pay anybody, it will be the creators of fail2ban, not this crappy, non-working plugin.

iCounsellorUK August 12, 2020

I've been an aficionado of Fail2ban for nigh on a decade. Whilst I have WordFence installed there are times when blocking would-be-intruders earlier than WordFence gets to is preferable. Enter WP Fail2ban. Documentation needs a mug or two to read through. I've been working, as a developer, with WordPress for nigh on twelve years now and even I got a bit "does he mean....?" during reading the config advice. Pro Tip: You really do need to read the online manual if things aren't working for you. My installation worked first time (Debian 10, Apache2, WordPress 5.5, early release of Fail2ban 0.11.1 ) Bonus: author is responsive to comments and feedback (I spotted a problem with the documentation, which has been addressed). Cons: the "oh do please buy the pro version" and "WP2F2B has been improved!" repetitive messages & flags is a bit of a pain in the ass (and quite frankly comes across a little bit amature). Re the price for "pro" - I looked at the cost of the pro version and I think the author needs to have a re-think about what this app really offers and what's it's worth in money. Compared with, say, the cost of an annual WordFence license I don't think it compares.

Alan Rezende April 11, 2020

Free version is all locked

Read all 56 reviews

Contributors & Developers

“WP fail2ban – Advanced Security Plugin” is open source software. The following people have contributed to this plugin.

invisnet

“WP fail2ban – Advanced Security Plugin” has been translated into 2 locales. Thank you to the translators for their contributions.

Translate “WP fail2ban – Advanced Security Plugin” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog

4.3.0.9

Fix incorrect constant for disabling last messages (h/t @kermina).
Fix false positive with blocking user enumeration when a Contributor tries to list posts by another user.
Fix index issue with ancient versions of MySQL. [Premium only]
Fix harmless warning with a defined but empty WP_FAIL2BAN_PROXIES (h/t @stevegrunwell).
Backport new Block event class.
Update Freemius library.

4.3.0.8

Workaround issue with user enumeration blocking being triggered by Gutenberg pre-loading Author list. (h/t @brrrrrrrt) [WordPress only]

4.3.0.7

Finish refactoring to allow inclusion of constants in wp-config.php (h/t @iCounsellor).
Fix MaxMind database update. [Premium only]

4.3.0.6

Fix Forbidden error on Posts page for roles below Editor when user enum blocking enabled. [WordPress only]

4.3.0.5

Fix empty username detection for multisite.
Fix harmless warning when activating new multisite install.
Fix esoteric edge-case where wp-load.php is loaded via a script run from the CLI in a directory with a functions.php file.

4.3.0.4 “Columbo”

Add new dashboard widget: last 5 syslog messages.
Add full multisite support.
Add username login blocking (force login with email).
Add separate logging for login attempts with an empty username.
Improve user enumeration blocking compatibility with the WordPress block editor (Gutenberg).
Bump the minimum PHP version to 5.6.

4.2.8

Add link to new support forum.
Fix user enumeration conflict with Gutenberg (h/t @dinghy).
Fix notices wrt admin menu (h/t @marioivangf).
Fix harmless XDebug notice (h/t @dinghy).
Update Freemius library.

4.2.7.1

Fix error when blocking user enumeration via oembed (h/t @wordpressfab).

4.2.7

Fix error when blocking user enumeration via REST.
Fix buttons on Settings tabs.

4.2.6

Add support for Remote Tools add-on.
Add support for the new ClassicPress security page.
Improved user enumeration blocking.

4.2.5.1

Fix premium activation issue with PHP < 7.0.

4.2.5

Properly fix PHP 5.3 support; tested on CentOS 6. Does not support any UI or Premium features.
Fix potential issue with WP_FAIL2BAN_BLOCK_USER_ENUMERATION if calling REST API or XMLRPC from admin area.

4.2.4

Add filter for login failed message.
Fix logging spam comments from admin area.
Fix Settings link from Plugins page.
Update Freemius library

4.2.3

Workaround for some versions of PHP 7.x that would cause define()s to be ignored.
Add config note to settings tabs.
Fix documentation links.

4.2.2

Fix 5.3 compatibility.

4.2.1

Completed support for WP_FAIL2BAN_COMMENT_EXTRA_LOG.
Add support for 3rd-party plugins; see Developers.
- Add-on for Contact Form 7 (experimental).
- Add-on for Gravity Forms (experimental).
Change logging for known-user with incorrect password; previously logged as unknown user and matched by hard filters (due to limitations in older versions of WordPress), now logged as known user and matched by soft.
Bugfix for email-as-username – now logged correctly and matched by soft, not hard, filters.
Bugfix for regression in code to prevent Free/Premium conflict.

4.2.0

Not released.

4.1.0

Add separate logging for REST authentication.
Fix conflict with earlier versions pre-installed in mu-plugins. See Is WPf2b Already Installed?.

4.0.5

Add WP_FAIL2BAN_COMMENT_EXTRA_LOG.
Add WP_FAIL2BAN_PINGBACK_ERROR_LOG (future functionality).
Change WP_FAIL2BAN_LOG_SPAM to use LOG_NOTICE.
Change WP_FAIL2BAN_SPAM_LOG to LOG_AUTH.
Change WP_FAIL2BAN_LOG_COMMENTS_EXTRA events to use LOG_NOTICE by default.
Fix conflict with 3.x in mu-plugins.

4.0.2

Fix PHP 5.3 compatibility.
Bugfix for WP_FAIL2BAN_LOG_COMMENTS_EXTRA.
Bugfix for WP_FAIL2BAN_REMOTE_ADDR summary.

4.0.1

Add extra features via Freemius. This is entirely optional. WPf2b works as before, including new features listed here.
Add settings summary page (Settings -> WP fail2ban).
Add WP_FAIL2BAN_PASSWORD_REQUEST_LOG.
Add WP_FAIL2BAN_SPAM_LOG.
Add WP_FAIL2BAN_LOG_COMMENTS_EXTRA – enable logging for attempted comments on posts which are:
- not found,
- closed for commenting,
- in the trash,
- drafts,
- password protected
Block user enumeration via REST API.

4.0.0

Not released.

3.6.0

The filter files are now generated from PHPDoc in the code. There were too many times when the filters were out of sync with the code (programmer error) – this should resolve that by bringing the patterns closer to the code that emits them.
Added PHPUnit tests. Almost 100% code coverage, with the exception of WP_FAIL2BAN_PROXIES which is quite hard to test properly.
Bugfix for wordpress-soft.conf.
Add WP_FAIL2BAN_XMLRPC_LOG.
Add WP_FAIL2BAN_REMOTE_ADDR.
WP_FAIL2BAN_PROXIES now supports an array of IPs with PHP 7.
Moved all documentation to https://docs.wp-fail2ban.com/.

3.0.2

Prevent double logging in WP 4.5.x for XML-RPC authentication failure

3.0.1

Fix regex in wordpress-hard.conf.

3.0.0

Add WP_FAIL2BAN_SYSLOG_SHORT_TAG.
Add WP_FAIL2BAN_HTTP_HOST.
Log XML-RPC authentication failure.
Add better support for MU deployment.

2.3.2

Bugfix WP_FAIL2BAN_BLOCKED_USERS.

2.3.0

Bugfix in experimental WP_FAIL2BAN_PROXIES code (thanks to KyleCartmell).

2.2.1

Fix stupid mistake with WP_FAIL2BAN_BLOCKED_USERS.

2.2.0

Custom authentication log is now called WP_FAIL2BAN_AUTH_LOG.
Add logging for pingbacks; see WP_FAIL2BAN_LOG_PINGBACKS.
Custom pingback log is called WP_FAIL2BAN_PINGBACK_LOG.

2.1.1

Minor bugfix.

2.1.0

Add support for blocking user enumeration; see WP_FAIL2BAN_BLOCK_USER_ENUMERATION.
Add support for CIDR notation in WP_FAIL2BAN_PROXIES.

2.0.1

Bugfix in experimental WP_FAIL2BAN_PROXIES code.

2.0.0

Add experimental support for X-Forwarded-For header; see WP_FAIL2BAN_PROXIES.
Add experimental support for regex-based login blocking; see WP_FAIL2BAN_BLOCKED_USERS.

1.2.1

Update FAQ.

1.2

Fix harmless warning.

1.1

Minor cosmetic updates.

1.0

Initial release.

WordPress.org

Liked it but…

Pushes too hard to upgrade to the premium version

Must have for self-hosted WordPress sites

Free version is buggy and useless

Pretty brilliant – but you must RTFM 😄

Did not work for me.