Nerd says what? XMLRPC, Login, and fail2ban

KO GEEK Leave a Comment

You’ve managed to get your self hosted Linux server with WordPress site going, and so far so good. But you took a look at your HTTPD access logs and found out that your xmlrpc.php is getting hammered, and quite possibly your login.php. I’m going to assume you have fail2ban installed and running, and if so this will be easier than you think. First lets get the terminal fired up and going. We’re going to create a WordPress filter. Yes, you’ll be root for this exercise. Let’s go!

vi /etc/fail2ban/filter.d/wordpress.conf

Now add or paste this

failregex = ^ .* "POST .*wp-login.php
            ^ .* "POST .*xmlrpc.php
ignoreregex =

Now let’s create the jail

vi /etc/fail2ban/jail.local

The same, add or paste this is the jails section. I usually create right above the SSH jails.

enabled = true
port = http,https
filter = wordpress
logpath = %(apache_access_log)s
maxretry = 3
findtime = 14400
bantime = 864000

Now you can control the maxretry number, findtime in seconds, and length of bantime. I allow 3 tries, yes the old 3 strikes, you’re out, and 4 hours find time, and 10 days in jail. Do what suits you, and then restart fail2ban.

systemctl restart fail2ban

Let’s check things out.

fail2ban-client status

This should show your new jail. Now let’s check to see if you have any banned ip’s.

fail2ban-client status wordpress

Check back from time to time and you will see the jail filling up with ip’s if they exceed your settings, and you’ll sleep better knowing the two main vulnerabilities in Word Press are being watched and secured. Have a lot of fun!

Speak on it!

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.