BusinessPress works with the Fail2Ban Linux utility to protect the WordPress login form and XML-RPC against brute-force attacks.
Requirements
The first thing to check is whether BusinessPress is able to write bad logins to your Linux operating system's SSH login log file. The file might be:
- /var/log/auth.log
- /var/log/secure
 
Simply do a bad login attempt and see if your IP address was appended to the file. It should look like this:
Aug 22 08:08:47 web wordpress(your-website.com)[14410]: BusinessPress fail2ban login error – Authentication failure for test from 10.11.12.13
Installation steps
Fail2Ban
Use your Linux distribution's package manager to install Fail2Ban. It should be:
sudo apt install fail2ban
Or
sudo yum install fail2ban
If your Fail2Ban comes with /etc/fail2ban/jail.d/00-firewalld.conf, we recommend commenting out each line in it with #, as Firewalld does not seem to work with DROP in place of REJECT.
Using DROP instead of REJECT is necessary to prevent multiple malicious requests from being sent over an already established TCP connection.
To do that, change blocktype = REJECT --reject-with icmp-port-unreachable and blocktype = REJECT --reject-with icmp6-port-unreachable to blocktype = DROP.
This has to be done in different files depending on your OS (some of them might not contain the setting):
- /etc/fail2ban/action.d/iptables.conf
- /etc/fail2ban/action.d/iptables-common.conf
 
Then verify the Fail2Ban configuration:
fail2ban-client -d
There should be no errors.
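The blocktype change described above, as an added shell example that is not part of BusinessPress or Fail2Ban. The helper name set_blocktype_drop is hypothetical; it rewrites active blocktype = REJECT lines to blocktype = DROP, keeps a .bak copy, and skips files that are missing or do not contain the setting.

```shell
#!/bin/sh
# Added example, not BusinessPress or Fail2Ban code.
# set_blocktype_drop is a hypothetical helper name.
# Usage: sudo sh this-script.sh /etc/fail2ban/action.d/iptables.conf \
#                               /etc/fail2ban/action.d/iptables-common.conf

set_blocktype_drop() {
    changed=0
    for f in "$@"; do
        # Depending on the OS, one of the action files may not exist.
        if [ ! -f "$f" ]; then
            echo "skip (not present): $f"
            continue
        fi
        # Only active settings count; commented-out lines are left alone.
        if ! grep -Eq '^[[:space:]]*blocktype[[:space:]]*=[[:space:]]*REJECT' "$f"; then
            echo "unchanged (no REJECT blocktype): $f"
            continue
        fi
        cp -p "$f" "$f.bak" || return 1
        tmp=$(mktemp) || return 1
        # Covers both the icmp-port-unreachable and icmp6-port-unreachable lines.
        sed -E 's/^([[:space:]]*blocktype[[:space:]]*=[[:space:]]*)REJECT.*$/\1DROP/' \
            "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
        # Overwrite in place so the original owner and mode are kept.
        cat "$tmp" > "$f" && rm -f "$tmp" || return 1
        echo "updated: $f (backup in $f.bak)"
        changed=$((changed + 1))
    done
    # Number of files rewritten by this call.
    CHANGED_FILES=$changed
}

# Only act when file paths are given on the command line.
if [ "$#" -gt 0 ]; then
    set_blocktype_drop "$@"
fi
```

Rerun fail2ban-client -d afterwards to confirm the configuration still parses without errors.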
WordPress Login Protection
Copy the Fail2Ban configuration files from BusinessPress to your Fail2Ban configuration:
sudo sh -c 'cd /YOUR-WEBSITE-FOLDER/wp-content/plugins/businesspress/ && cp fail2ban/wordpress.conf /etc/fail2ban/filter.d && cp fail2ban/jail.local /etc/fail2ban/jail.d/wordpress.conf && echo "All done!"'
Simply replace /YOUR-WEBSITE-FOLDER in the above command with your actual WordPress path. Then the command should report “All done!”.
Next verify the Fail2Ban configuration:
fail2ban-client -d
There should be no errors. If you get:
2022-08-22 08:04:41,694 fail2ban.jailreader [4923]: WARNING Have not found any log file for wordpress jail
Then edit /etc/fail2ban/jail.d/wordpress.conf and put in the proper logpath for your SSH logins log file. It might be /var/log/secure or /var/log/messages.
Finally, restart Fail2Ban to load the new configuration:
sudo systemctl restart fail2ban
Then you should be able to see your new WordPress jail:
$ sudo fail2ban-client status
Status
|- Number of jail:  2
`- Jail list:   sshd, wordpress
Now anytime you do a bad login attempt you should see a line appended in /var/log/fail2ban.log:
$ sudo tail -f /var/log/fail2ban.log
2022-08-22 08:18:38,358 fail2ban.actions        [8045]: NOTICE  [wordpress] Restore Ban 95.217.144.248
2022-08-22 08:18:43,647 fail2ban.filter         [8045]: INFO    [wordpress] Found 185.119.81.102 - 2022-08-22 08:18:43
2022-08-22 08:18:53,661 fail2ban.filter         [8045]: INFO    [wordpress] Found 159.89.207.135 - 2022-08-22 08:18:53
2022-08-22 08:19:08,880 fail2ban.filter         [8045]: INFO    [wordpress] Found 109.43.114.167 - 2022-08-22 08:19:08
2022-08-22 08:19:20,895 fail2ban.filter         [8045]: INFO    [wordpress] Found 20.168.24.53 - 2022-08-22 08:19:20
2022-08-22 08:19:20,895 fail2ban.filter         [8045]: INFO    [wordpress] Found 20.168.24.53 - 2022-08-22 08:19:20
2022-08-22 08:19:22,097 fail2ban.filter         [8045]: INFO    [wordpress] Found 159.203.121.12 - 2022-08-22 08:19:22
2022-08-22 08:19:49,329 fail2ban.filter         [8045]: INFO    [wordpress] Found 185.119.81.98 - 2022-08-22 08:19:48
2022-08-22 08:20:19,364 fail2ban.filter         [8045]: INFO    [wordpress] Found 185.165.42.75 - 2022-08-22 08:20:18
2022-08-22 08:20:35,384 fail2ban.filter         [8045]: INFO    [wordpress] Found 51.91.220.143 - 2022-08-22 08:20:34
2022-08-22 08:20:50,602 fail2ban.filter         [8045]: INFO    [wordpress] Found 103.101.162.249 - 2022-08-22 08:20:50
2022-08-22 08:20:54,608 fail2ban.filter         [8045]: INFO    [wordpress] Found 10.11.12.13 - 2022-08-22 08:20:53
…until you do more than 12 attempts (this is set in) and you get banned:
2022-08-22 08:21:50,322 fail2ban.actions        [8045]: NOTICE  [wordpress] Ban 10.11.12.13
Troubleshooting
First thing to do is to check if the Fail2Ban jails are properly stored in iptables:
Then you can check your IP which got banned to ensure the rules are there:
$ sudo iptables -vnL | grep 10.11.12.13
    0     0 DROP       all  --  *      *       10.11.12.13          0.0.0.0/0
Next Steps
We also recommend blocking repeated offenders: How to block repeated offenders with BusinessPress
You can use BusinessPress as a Web Application Firewall too: How to block malicious web requests with BusinessPress