Lately I had a lot of brute force attacks on my WordPress blog. I used basic auth on the /wp-admin
part in the nginx configuration to block this, and as a better solution I want to block the source IPs entirely at the firewall.
To do this, place this filter code in /etc/fail2ban/filter.d/wp-login.conf:
# WordPress brute force wp-login.php filter:
#
# Block IPs trying to authenticate in WordPress blog
#
# Matches e.g.
# 178.218.54.109 - - [31/Dec/2015:10:39:34 +0100] "POST /wp-login.php HTTP/1.1" 401 188 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
#
[Definition]
failregex = ^<HOST> .* "POST /wp-login\.php
ignoreregex =
Then edit your /etc/fail2ban/jail.local and add:
[wp-login]
enabled = true
port = http,https
filter = wp-login
logpath = /var/log/nginx/access.log
maxretry = 3
Now restart fail2ban:
service fail2ban restart
All done 😄
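To see which requests the filter and jail above act on, this added example (not part of the original post) applies the failregex, with the dot in ".php" escaped, to constructed nginx log lines and counts matches per source address against maxretry. The `<HOST>` expansion is a simplified stand-in for fail2ban's own, the function names are hypothetical, and findtime is ignored.

```python
import re
from collections import Counter

# failregex from wp-login.conf, with the dot in ".php" escaped.
FAILREGEX = r'^<HOST> .* "POST /wp-login\.php'
MAXRETRY = 3  # maxretry from the [wp-login] jail

# Simplified stand-in for fail2ban's own <HOST> expansion (assumption:
# IPv4/IPv6 literals only; fail2ban's real pattern is more thorough).
HOST_GROUP = r"(?P<host>[0-9A-Fa-f:.]+)"

# Constructed nginx access-log lines using documentation address ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Dec/2015:10:39:34 +0100] "POST /wp-login.php HTTP/1.1" 401 188 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Dec/2015:10:39:35 +0100] "POST /wp-login.php HTTP/1.1" 401 188 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Dec/2015:10:39:36 +0100] "POST /wp-login.php HTTP/1.1" 401 188 "-" "Mozilla/5.0"
198.51.100.20 - - [31/Dec/2015:10:41:02 +0100] "GET /wp-login.php HTTP/1.1" 200 2514 "-" "Mozilla/5.0"
198.51.100.20 - - [31/Dec/2015:10:41:09 +0100] "POST /wp-login.php HTTP/1.1" 302 5 "-" "Mozilla/5.0"
192.0.2.55 - - [31/Dec/2015:10:42:00 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/7.40"
2001:db8::5 - - [31/Dec/2015:10:43:10 +0100] "POST /wp-login.php HTTP/1.1" 401 188 "-" "Mozilla/5.0"
2001:db8::5 - - [31/Dec/2015:10:43:11 +0100] "POST /wp-login.php HTTP/1.1" 401 188 "-" "Mozilla/5.0"
"""


def matched_hosts(lines, failregex=FAILREGEX):
    """Count failregex matches per source address."""
    pattern = re.compile(failregex.replace("<HOST>", HOST_GROUP))
    hits = Counter()
    for line in lines:
        m = pattern.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def would_ban(hits, maxretry=MAXRETRY):
    """Addresses whose match count reaches maxretry (findtime ignored)."""
    return sorted(host for host, count in hits.items() if count >= maxretry)


if __name__ == "__main__":
    hits = matched_hosts(SAMPLE_LOG.splitlines())
    for host, count in sorted(hits.items()):
        print(f"{host:15} matches={count}")
    print("reaches maxretry:", would_ban(hits))
```

The POST answered with 302 is counted as well: the failregex matches every POST to wp-login.php regardless of status code, so logins that succeed also count toward maxretry.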