There is a WordPress plugin, wp-fail2ban (http://wordpress.org/plugins/wp-fail2ban/), that works with fail2ban so you can lock out persistent invalid-password attempts at the firewall. It logs login attempts to syslog and ships with a fail2ban filter.
However, with so many attacks aimed at the usernames admin or administrator (which nobody should really be using anyway), I have written another filter so you can block these pointless attacks the first time they happen, while still allowing your regular users a reasonable number of attempts.
[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = wordpress

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
# Only the usernames admin, administrator and adminadmin are matched, case-
# insensitively. The (?i) flag has to sit at the start of the expression:
# Python's re module, which fail2ban uses, rejects a global flag placed in the
# middle of a pattern (a hard error since Python 3.11).
failregex = (?i)^%(__prefix_line)s(Authentication failure|Blocked authentication attempt) for (admin|administrator|adminadmin) from <HOST>$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
Put the above into a file called wordpress-admin.conf in your fail2ban filter.d directory (normally /etc/fail2ban/filter.d), then add
[wordpress-admin]
enabled  = true
filter   = wordpress-admin
action   = iptables-multiport[name=WORDPRESS-ADMIN, port="http,https", protocol=tcp]
           sendmail-buffered[name=WORDPRESS-ADMIN, lines=100, dest=yourname@yourdomain]
logpath  = /var/log/messages
maxretry = 1
findtime = 600
bantime  = 604800
to your jail.local
Restart fail2ban and you are all set: any IP that tries to log in as admin, administrator or adminadmin is banned for a week (bantime = 604800 seconds) on its first attempt (maxretry = 1). Two things to check before enabling the jail: logpath must point at the file your syslog actually writes auth-facility messages to (on Debian and Ubuntu that is usually /var/log/auth.log rather than /var/log/messages), and you should confirm the regex matches real entries by running fail2ban-regex against that log file and this filter.
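As an added example (not part of the original post or of the wp-fail2ban plugin), here is the filter's failregex run in plain Python over a few constructed log lines, so you can see which usernames trigger the one-strike ban and which do not. fail2ban expands `<HOST>` and `%(__prefix_line)s` from common.conf before compiling; the prefix used here is a simplified stand-in for that expansion (an assumption), and the hostname, pid and addresses in the sample log are made up.

```python
import re

# fail2ban substitutes these before compiling the failregex. PREFIX_LINE is a
# simplified stand-in for common.conf's __prefix_line (assumption: the real one
# also copes with the timestamp and several other syslog layouts).
PREFIX_LINE = r"\s*(?:\S+ )?(?:wordpress(?:\(\S+\))?(?:\[\d+\])?:?\s+)?"
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The failregex from wordpress-admin.conf with the two substitutions applied.
FAILREGEX = re.compile(
    r"(?i)^" + PREFIX_LINE
    + r"(Authentication failure|Blocked authentication attempt) for "
    + r"(admin|administrator|adminadmin) from " + HOST + r"$"
)

# Leading syslog timestamp such as "Mar  7 12:00:01 "; fail2ban strips it itself.
SYSLOG_TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

# Constructed sample log in the shape of wp-fail2ban's syslog output
# (hostname, pid and IP addresses are invented for the example).
SAMPLE_LOG = """\
Mar  7 12:00:01 web01 wordpress(example.com)[4242]: Authentication failure for admin from 203.0.113.5
Mar  7 12:00:02 web01 wordpress(example.com)[4242]: Authentication failure for Administrator from 203.0.113.6
Mar  7 12:00:03 web01 wordpress(example.com)[4242]: Blocked authentication attempt for adminadmin from ::ffff:198.51.100.7
Mar  7 12:00:04 web01 wordpress(example.com)[4242]: Authentication failure for alice from 192.0.2.10
Mar  7 12:00:05 web01 wordpress(example.com)[4242]: Authentication failure for admin2 from 192.0.2.11
Mar  7 12:00:06 web01 wordpress(example.com)[4242]: Authentication failure for admin from 203.0.113.5
"""


def match_line(line):
    """Return the offending host if LINE matches the filter, otherwise None."""
    m = FAILREGEX.match(SYSLOG_TS.sub("", line, count=1))
    return m.group("host") if m else None


def scan(log_text):
    """Apply the filter to every line; return [(line_number, host), ...]."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        host = match_line(line)
        if host:
            hits.append((n, host))
    return hits


def hosts_to_ban(log_text, maxretry=1):
    """Hosts whose filter hits reach MAXRETRY, in the order they get there.
    With the jail's maxretry = 1 that is every matching host on its first hit,
    so the findtime window never comes into play."""
    counts, banned = {}, []
    for _, host in scan(log_text):
        counts[host] = counts.get(host, 0) + 1
        if counts[host] == maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    for n, host in scan(SAMPLE_LOG):
        print(f"line {n}: ban {host}")
    print("banned:", hosts_to_ban(SAMPLE_LOG))
```

Running it flags lines 1, 2, 3 and 6 and leaves alice and admin2 alone: the alternation matches whole usernames only, so admin2 is not caught, while Administrator is, thanks to the case-insensitive flag. Against a live system use fail2ban-regex with your real log and the filter file, since that performs the same expansion with fail2ban's actual common.conf.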