How to Protect Your WordPress Site from

Brute Force Attacks (WordPress + Nginx + fail2ban)

Brute force protection, WordPress Brute force

One of the most common attacks are Brute Force attacks on your WordPress site's xmlrpc.php or wp-login.php.
In a brute force attack the malicious script, which runs off server, tries a number of login combinations until it gains access to the site.

We will be using Fail2Ban framework. This framework monitors the server log files and looks for certain set patterns from each IP accessing the site.
Fail2Ban checks :

- vsftpd login failure
- SSH auth failure etc

Fail2ban is a python script, so make sure python is installed on your server.

To install fail2ban :

sudo apt-get update
sudo apt-get install fail2ban

Configure fail2ban with default config settings :

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Next we define a new filter in /etc/fail2ban/filter.d and call it wordpress-auth.conf :

failregex = ^ .*POST .*xmlrpc.php.*
            ^ .*POST .*login.php.*

ignoreregex =

Now append the following code to the jail.conf file :


enabled = true
port = http,https
filter = wordpress
logpath = /var/log/varnish/access.log
maxretry = 3
bantime = 43200

Restart fail2ban and we are done :

sudo service fail2ban restart
© 2024 WPOven Inc. All rights reserved. WPOven® and WordPress® are registered trademarks.
WPOven is the best Managed WordPress hosting for agencies and businesses that want to succeed. With Unlimited sites hosting option, its easy to use and manage, so you can focus on growing your business. 
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram