Security Blog
Security Blog

How to protect WordPress with Fail2Ban


By using WP Cerber Security and Fail2Ban together you can reinforce protection at the most effective level. That allows you to protect a WordPress from brute-force and DoS attacks at the OS level with iptables.

Read more about attacks: Brute-force, DoS, and DDoS attacks – what’s the difference?

Note: you have to have the root access to your Linux server to setup Fail2Ban.

With WP Cerber Security you have three options to use Fail2Ban

  1. Using HTTP 403 response headers if you want to monitor Apache access log
  2. Using syslog files to monitor failed login attempts
  3. Using a custom log file to monitor failed login attempts

Monitor Apache access log for HTTP 403 responses

When an attempt to log in fails WP Cerber returns 403 response in the HTTP header. That response will be written in the Apache access log and those records may be monitored by Fail2Ban. That behavior of WP Cerber is enabled by default. The downside to this approach is that Fail2Ban has to parse the entire access.log in order to find those attempts.

Using syslog to monitor failed login attempts

By default, WP Cerber uses the LOG_AUTH facility when it logs failed attempts to the syslog file. However, you can specify a facility with your own value. To setup a new value you have to define the CERBER_LOG_FACILITY constant with an integer value. Note: to enable writing to the syslog or a custom file (see below) you have to enable Write failed login attempts to the file in the Activity section of the plugin settings.

define('CERBER_LOG_FACILITY', LOG_AUTHPRIV);

Using a custom file to monitor failed login attempts

If you want to write all failed attempts to any custom log file, you need to specify a file name with an absolute path using constant CERBER_FAIL_LOG. Don’t forget to set write permission for Apache process on the folder or log file and enable Write failed login attempts to the file. If the file does not exist, the plugin attempts to create it. If CERBER_FAIL_LOG is defined, the plugin doesn’t write messages to the default syslog.

define('CERBER_FAIL_LOG','/var/log/fail2ban.log');

Make sure that web server process (Apache) has permission to write to a specified file.

Additional info:

https://timnash.co.uk/using-fail2ban-wordpress/

http://www.fail2ban.org

https://www.digitalocean.com/community/tutorials/how-fail2ban-works-to-protect-services-on-a-linux-server

Last posts from WordPress security blog


I'm a team lead in Cerber Tech. I'm a software & database architect, WordPress - PHP - SQL - JavaScript developer. I started coding in 1993 on IBM System/370 (yeah, that was amazing days) and today software engineering at Cerber Tech is how I make my living. I've taught to have high standards for myself as well as using them in developing software solutions.

View Comments
There are currently no comments.