Created
January 26, 2026 13:08
Fail2ban wordpress configuration
Jail (add to /etc/fail2ban/jail.local, or drop it in as its own file):

```ini
[wordpress]
enabled  = true
port     = http,https
filter   = wordpress
logpath  = /var/log/apache2/access.log
           /var/log/apache2/access.log.1
maxretry = 3
findtime = 6h
bantime  = 1h
```
Filter (/etc/fail2ban/filter.d/wordpress.conf); continuation lines of failregex must be indented:

```ini
[Definition]
# 1. Baseline: brute force & enumeration
failregex = ^<HOST>\s+\S+\s+\S+\s+\[.*\]\s+"POST\s+/wp-login\.php(?:\s|\?).*HTTP/.*"\s+(200|302)\b
            ^<HOST>\s+\S+\s+\S+\s+\[.*\]\s+"GET\s+/\?author=\d+\s+HTTP/.*"\s+(301|302)\b
# 2. Known exploit/backdoor paths (scanners)
# Focus on paths that legitimate users/admins never access
            ^<HOST>\s+\S+\s+\S+\s+\[.*\]\s+"GET\s+/(?:info\.php|wp-mail\.php|wp-config\.php\.bak|wp-config\.old|admin\.php)\b.*HTTP/.*"\s+(403|404)\b
            ^<HOST>\s+\S+\s+\S+\s+\[.*\]\s+"GET\s+/wp-includes/.*\.php\b.*HTTP/.*"\s+(403|404)\b
            ^<HOST>\s+\S+\s+\S+\s+\[.*\]\s+"GET\s+/wp-admin/.*\.php\b.*HTTP/.*"\s+(403|404)\b
            ^<HOST>\s+\S+\s+\S+\s+\[.*\]\s+"GET\s+/\.well-known/acme-challenge/.*\.php\b.*HTTP/.*"\s+(403|404)\b
# 3. Generic PHP/env probes (effective for catching infrastructure scanners)
            ^<HOST>\s+\S+\s+\S+\s+\[.*\]\s+"GET\s+/.*(?:\.env|\.git|\.config)\b.*HTTP/.*"\s+(403|404)\b
ignoreregex =
```
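To see which requests the filter above actually matches before deploying it, here is an added Python check (not part of the gist) that compiles the seven failregex lines with Python's re module as fail2ban does, substitutes a simplified <HOST> group, and runs them over a handful of constructed Apache access-log lines together with the jail's maxretry/findtime logic. The sample lines, the RFC 5737 addresses and the match_line/hosts_to_ban helpers are assumptions made for this example. One thing the run makes visible: a successful login (POST /wp-login.php answered with 302) matches the first pattern exactly like a failed one (200), so a legitimate admin who logs in maxretry times within findtime is banned as well.

```python
import re
from collections import defaultdict
from datetime import datetime

# The seven failregex lines from wordpress.conf, copied as-is.
FAILREGEX = [
    r'^<HOST>\s+\S+\s+\S+\s+\[.*\]\s+"POST\s+/wp-login\.php(?:\s|\?).*HTTP/.*"\s+(200|302)\b',
    r'^<HOST>\s+\S+\s+\S+\s+\[.*\]\s+"GET\s+/\?author=\d+\s+HTTP/.*"\s+(301|302)\b',
    r'^<HOST>\s+\S+\s+\S+\s+\[.*\]\s+"GET\s+/(?:info\.php|wp-mail\.php|wp-config\.php\.bak|wp-config\.old|admin\.php)\b.*HTTP/.*"\s+(403|404)\b',
    r'^<HOST>\s+\S+\s+\S+\s+\[.*\]\s+"GET\s+/wp-includes/.*\.php\b.*HTTP/.*"\s+(403|404)\b',
    r'^<HOST>\s+\S+\s+\S+\s+\[.*\]\s+"GET\s+/wp-admin/.*\.php\b.*HTTP/.*"\s+(403|404)\b',
    r'^<HOST>\s+\S+\s+\S+\s+\[.*\]\s+"GET\s+/\.well-known/acme-challenge/.*\.php\b.*HTTP/.*"\s+(403|404)\b',
    r'^<HOST>\s+\S+\s+\S+\s+\[.*\]\s+"GET\s+/.*(?:\.env|\.git|\.config)\b.*HTTP/.*"\s+(403|404)\b',
]

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the real
# expansion is stricter and accepts IPv4, IPv6 and hostnames). Any run of
# non-space characters is enough for the constructed log lines below.
HOST = r"(?P<host>\S+)"
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

TIMESTAMP = re.compile(r"\[([^\]]+)\]")
APACHE_TIME = "%d/%b/%Y:%H:%M:%S %z"  # Apache combined-log timestamp format


def match_line(line):
    """Return (host, timestamp, index of the first matching failregex), or None."""
    for idx, rx in enumerate(COMPILED):
        m = rx.search(line)
        if m:
            ts = datetime.strptime(TIMESTAMP.search(line).group(1), APACHE_TIME)
            return m.group("host"), ts, idx
    return None


def hosts_to_ban(lines, maxretry=3, findtime_hours=6):
    """Mirror the jail's maxretry/findtime rule: a host is banned once it has
    maxretry matching lines whose timestamps fall within findtime_hours."""
    window = findtime_hours * 3600
    recent = defaultdict(list)
    banned = set()
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue
        host, ts, _ = hit
        # keep only the hits still inside the sliding window, then add this one
        recent[host] = [t for t in recent[host] if (ts - t).total_seconds() <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    # brute-forcer: three failed logins in a row (WordPress re-renders the form with 200)
    '203.0.113.10 - - [26/Jan/2026:13:08:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.31"',
    '203.0.113.10 - - [26/Jan/2026:13:08:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.31"',
    '203.0.113.10 - - [26/Jan/2026:13:08:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.31"',
    # scanner: author enumeration, backup-file and .env probes
    '198.51.100.7 - - [26/Jan/2026:14:00:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.0"',
    '198.51.100.7 - - [26/Jan/2026:14:00:01 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 196 "-" "curl/8.0"',
    '198.51.100.7 - - [26/Jan/2026:14:00:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "curl/8.0"',
    # admin: one successful login (302 to wp-admin) followed by normal browsing
    '192.0.2.5 - - [26/Jan/2026:15:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [26/Jan/2026:15:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    # slow guesser: one attempt every 7 hours, never maxretry inside a 6h findtime
    '203.0.113.99 - - [26/Jan/2026:01:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "-"',
    '203.0.113.99 - - [26/Jan/2026:08:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "-"',
    '203.0.113.99 - - [26/Jan/2026:15:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "-"',
]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        hit = match_line(line)
        print("match regex %d" % hit[2] if hit else "no match   ", "|", line[:70])
    print("banned with findtime=6h: ", sorted(hosts_to_ban(SAMPLE_LOG)))
    print("banned with findtime=24h:", sorted(hosts_to_ban(SAMPLE_LOG, findtime_hours=24)))
```

Against a real log, the equivalent check with fail2ban's own <HOST> expansion and date parsing is `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/wordpress.conf`; run it on a day of normal traffic and look at which lines match before enabling the jail, so that admin logins and other legitimate requests that hit the 200/302 branch are understood.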
Create a new file at /etc/fail2ban/filter.d/wordpress.conf.
Add the settings to /etc/fail2ban/jail.local or create this as a new file.
Fail2ban will then use the default configuration and add this wordpress configuration.
It is very effective. If you do not use recidive, increase the bantime to 7 days (7d) instead of 1h.
The logfile is the default for apache2. You have to adapt it if you use separate logfiles per website, which is a best practice. You can add as many logfiles for scanning as you like.