Security plugin for WordPress with support for fail2ban. Tested with WordPress 5.5+ and PHP 7.4/8.1.x.
This WordPress plugin provides security functionality and integration with Fail2ban and Cloudflare.
The WordPress slug is fail2wp
.
The plugin is also available on wordpress.org
Basic security functionality includes:
- Disabling login with username (require e-mail address)
- Preventing user enumeration (?author=nnn)
- Less detailed error messages on login failures
- Minimum username length
- Blocking specific usernames from being used to register new users
- Requiring e-mail address matching for new user registrations
- Warning about new user role setting
- Blocking of portions or all of WordPress REST API
- Disabling of RSS and Atom feeds
- Removal of "Generator" information from HTML and feeds
- Detection of Cloudflare IP addresses for logging of actual IP addresses
- Blocking/Allowing logins from IP addresses, IP ranges, and/or hostnames
- Partially or fully disable XMLRPC access
The plugin also plays nicely with Fail2ban, which is an advanced way of blocking IP addresses dynamically upon suspicious behavior.
- This plugin
may
work with earlier versions of WordPress - This plugin has been tested with
WordPress 5.5.x and 6.x
at the time of this writing - This plugin has been tested with
PHP 7.2, 7.4, and 8.1.x
at the time of this writing - This plugin optionally makes use of
mb_
PHP functions - This plugin may create entries in your PHP error log (if active)
- This plugin contains no Javascript
- This plugin contains no tracking code and does not store any information about users
This section describes how to install the plugin and get it working.
- Upload the
fail2wp
folder to the/wp-content/plugins/
directory (or install it from the 'Plugins' menu in WordPress) - Activate the plugin through the 'Plugins' menu in WordPress
- Configure the basic settings
Fail2WP uses standard WordPress functionality to handle localization/locale. The native language localization of the plugin is English. It has been translated to Swedish by the author.
All logging to system logs (i.e. php.log
or auth.log
) is done in English.
This is a hard question to answer. There are no known incompatibilities.
- Copy the file
fail2wp.conf
to/etc/fail2ban/filter.d
- Create an entry in
/etc/fail2ban/jail.local
as per the instructions infail2wp.conf
- In the plugin configuration, enable logging of Unsuccessful logins and possibly other triggers
- Re-start Fail2ban
- Verified with WordPress 6.7
- Verified with Plugin Check (PCP)
- Fixed issue when requiring REST API authentication and IPv4/IPv6 bypass was configured
- Fixed issue with uninitialized variable in XML-RPC handling
- Fixed PHP warning for json_decode() call, this did not impact functionality
- Corrected some Swedish translations
- Corrected some checks for
uninstall.php
and made it more WP-CLI compatible
- Verified with WordPress 6.6
- Improved code for role notification settings, PR#2
- Improved code for e-mail checking for new user registrations PR#1
- Thanks to philscott-rg and Edward Casbon
- Verified with WordPress 6.5.2
- Updated "About" information
- Verified with WordPress 6.2.2 and PHP 8.1.20
- Added support for allow/deny list for login (IP address, hostname with wildcard support)
- Added entry in
fail2wp.conf
example fail2ban configuration for allow/deny login - Corrected typo in
fail2wp.conf
example fail2ban configuration, CHECK AGAINST YOURS! - Added support for HTTP_X_REAL_IP (X-Real-IP) header to "decode" actual remote IP address
- Added support for partially or fully disabling XMLRPC
- Added entry in
fail2wp.conf
example fail2ban configuration for XMLRPC access attempts
- Verified for WordPress 5.8
- Added minimum username length
- Added blocking of specific usernames (user registration)
- Added requiring e-mail address matching setting
- Added warning about new user role setting
- Added blocking of portions or all of WordPress REST API
- Added setting to disable RSS and Atom feeds
- Added setting to remove "Generator" information from HTML and feeds
- Minor corrections and general improvements
- Initial release
- Install the new version, no changes have been made to settings.
- Install the new version and walk through the settings.
- Check your fail2ban configuration against the supplied sample
fail2wp.conf
!
- Install the new version, no changes have been made to settings.
- Install the new version and walk through the settings.
- Initial release
Please see LICENSE for a full copy of GPLv2
Copyright (C) 2020-2024 Joaquim Homrighausen; all rights reserved.
This file is part of Fail2WP. Fail2WP is free software.
You may redistribute it and/or modify it under the terms of the GNU General Public License version 2, as published by the Free Software Foundation.
Fail2WP is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with the Fail2WP package. If not, write to:
The Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor
Boston, MA 02110-1301, USA.
The Fail2WP WordPress Plugin was written by Joaquim Homrighausen while converting β into code.
Fail2WP is sponsored by WebbPlatsen i Sverige AB πΈπͺ
Commercial support and customizations for this plugin is available from WebbPlatsen i Sverige AB in πΈπͺ
If you find this plugin useful, the author is happy to receive a donation, good review, or just a kind word.
If there is something you feel to be missing from this plugin, or if you have found a problem with the code or a feature, please do not hesitate to reach out to support@webbplatsen.se.
This plugin can also be downloaded from code.webbplatsen.net and WordPress.org
More detailed documentation is available at code.webbplatsen.net/documentation/fail2wp/
Kudos to Vincent Le Moign and Webalys and Thomas Lutz
These links are not here for any sort of endorsement or marketing, they're purely for informational purposes.
- me; π https://joho.se and https://github.com/joho1968
- WebbPlatsen; https://webbplatsen.se and https://code.webbplatsen.net