fail2ban is one of the simplest and most effective security measures you can implement to prevent brute-force attacks.
WP fail2ban logs all login attempts, including those made via XML-RPC, whether successful or not, to syslog using the LOG_AUTH facility. For example:
Oct 17 20:59:54 foobar wordpress(www.example.com): Authentication failure for admin from 192.168.0.1
Oct 17 21:00:00 foobar wordpress(www.example.com): Accepted password for admin from 192.168.0.1
WPf2b comes with three fail2ban filters: wordpress-hard.conf, wordpress-soft.conf and wordpress-extra.conf. These are designed to allow a split between immediate banning (hard) and the traditional, more graceful approach (soft), with extra rules for custom configurations.
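To show how fail2ban turns the syslog lines above into a ban decision, here is an added example (not part of the WP fail2ban plugin or its filters) that matches the "Authentication failure" message with a regex equivalent to a fail2ban failregex (the `<HOST>` token expanded to a named group) and applies a maxretry/findtime policy over the results. The log lines are constructed, the year used to parse syslog timestamps is assumed, and the hard/soft distinction is modelled only as "ban on first failure" versus "ban after N failures within the window".

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines in the format WP fail2ban writes.
SAMPLE_LOG = """\
Oct 17 20:59:54 foobar wordpress(www.example.com): Authentication failure for admin from 192.168.0.1
Oct 17 21:00:00 foobar wordpress(www.example.com): Accepted password for admin from 192.168.0.1
Oct 17 21:00:05 foobar wordpress(www.example.com): Authentication failure for admin from 192.168.0.2
Oct 17 21:00:07 foobar wordpress(www.example.com): Authentication failure for admin from 192.168.0.2
Oct 17 21:00:09 foobar wordpress(www.example.com): Authentication failure for admin from 192.168.0.2
Oct 17 21:30:00 foobar wordpress(www.example.com): Authentication failure for editor from 192.168.0.5
"""

# Equivalent of a fail2ban failregex for the failure line; <HOST> becomes the
# named group "host". Successful logins ("Accepted password") do not match.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ wordpress\([^)]*\): "
    r"Authentication failure for (?P<user>\S+) from (?P<host>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, user, host) for every line that matches FAIL_RE.

    Syslog timestamps carry no year, so one is assumed (constructed value).
    """
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["host"]


def hosts_to_ban(log_text, maxretry=3, findtime=600):
    """Return hosts that reach maxretry failures within findtime seconds.

    This mirrors fail2ban's sliding window: maxretry=1 behaves like the
    immediate ("hard") policy, a higher maxretry like the graceful ("soft") one.
    """
    window = defaultdict(list)  # host -> timestamps of recent failures
    banned = []
    for ts, _user, host in parse_failures(log_text):
        recent = [t for t in window[host] if (ts - t).total_seconds() <= findtime]
        recent.append(ts)
        window[host] = recent
        if len(recent) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("soft (maxretry=3):", hosts_to_ban(SAMPLE_LOG))
    print("hard (maxretry=1):", hosts_to_ban(SAMPLE_LOG, maxretry=1))
```

With the constructed input, only 192.168.0.2 trips the soft policy (three failures in four seconds), while the hard policy bans every host with a single failure; the successful login from 192.168.0.1 never counts against it.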
CloudFlare and Proxy Servers
WPf2b can be configured to work with CloudFlare and other proxy servers. For an overview see
WPf2b logs failed pingbacks, and can log all pingbacks. For an overview see
WPf2b can log comments marked as spam. See
Block User Enumeration
WPf2b can block user enumeration. See
WPf2b can be configured to short-cut the login process when the username matches a regex. For an overview see
WPf2b can easily be configured as a must-use plugin – see Configuration.
Install via the Plugin Directory, or upload to your plugins directory.
Activate the plugin through the ‘Plugins’ menu in WordPress.
Edit wp-config.php to suit your needs – see Configuration.