WP fail2ban

Wordpress Plugin
Download latest -



Download Stats

Today 25
Yesterday 69
Last Week 449
All Time 120,223
Banner 772x250

fail2ban is one of the simplest and most effective security measures you can implement to prevent brute-force attacks.

WP fail2ban logs all login attempts - including via XML-RPC, whether successful or not, to syslog using LOG_AUTH. For example:

Oct 17 20:59:54 foobar wordpress(www.example.com)[1234]: Authentication failure for admin from Oct 17 21:00:00 foobar wordpress(www.example.com)[2345]: Accepted password for admin from

WPf2b comes with three fail2ban filters: wordpress-hard.conf, wordpress-soft.conf, and wordpress-extra.conf. These are designed to allow a split between immediate banning (hard) and the traditional more graceful approach (soft), with extra rules for custom configurations.


  • Allow Pingbacks with XML-RPC Blocked [Premium only] Pingbacks might be a relic of a bygone age, but they're still nice to have. Wf2b can now allow Pingsbacks while blocking other XML-RPC requests.

  • Block XML-RPC Requests [Premium only] Allow access for Jetpack and other trusted IPs while blocking everything else; introduces a new "hard" filter.

  • Block Countries [Premium only] Nothing but attacks from some countries? Block them!

  • Multisite Support Version 4.3 introduced proper support for multisite networks.

  • Block username logins Sometimes it's not possible to block user enumeration (for example, if your theme provides Author profiles). Version 4.3 added support for requiring the use of email addresses for login.

  • Filter for Empty Username Login Attempts Some bots will try to login without a username. Version 4.3 logs these attempts and provides an "extra" filter to match them.

  • syslog Dashboard Widget Ever wondered what's being logged? The new dashboard widget shows the last 5 messages; the Premium version keeps a full history to help you analyse and prevent attacks.

  • Support for 3rd-party Plugins Version 4.2 introduced a simple API for authors to integrate their plugins with WPf2b, with 2 experimental add-ons:

    • Contact Form 7
    • Gravity Forms
  • CloudFlare and Proxy Servers WPf2b can be configured to work with CloudFlare and other proxy servers.

  • Comments WPf2b can log comments (see WP_FAIL2BAN_LOG_COMMENTS) and attempted comments (see WP_FAIL2BAN_LOG_COMMENTS_EXTRA).

  • Pingbacks WPf2b logs failed pingbacks, and can log all pingbacks. For an overview see WP_FAIL2BAN_LOG_PINGBACKS.

  • Spam WPf2b can log comments marked as spam. See WP_FAIL2BAN_LOG_SPAM.

  • Block User Enumeration WPf2b can block user enumeration.

  • Work-Arounds for Broken syslogd WPf2b can be configured to work around most syslogd weirdness. For an overview see WP_FAIL2BAN_SYSLOG_SHORT_TAG and WP_FAIL2BAN_HTTP_HOST.

  • Blocking Users WPf2b can be configured to short-cut the login process when the username matches a regex. For an overview see WP_FAIL2BAN_BLOCKED_USERS.

  • mu-plugins Support WPf2b can easily be configured as a must-use plugin - see Configuration.

Releases (46 )

Version Release Date Change Log 2022-12-08
  • Preparation for v5: prevent auto-updating across major release.
  • Update Freemius library. 2022-11-03
  • Backport fix for mu-plugins activation.
  • Update Freemius library. 2022-10-02
  • Fix initialisation error in event log. [Premium only]
  • Fix type error in event log when no events available. [Premium only]
  • Update Freemius library. 2022-03-04
  • Fix warning with array of blocked users (h/t @Znuff).
  • Fix reports. [Premium only] 2022-02-26
  • Fix type error (h/t @brianshim). 2020-12-31
  • Fix incorrect constant for disabling last messages (h/t @kermina).
  • Fix false positive with blocking user enumeration when a Contributor tries to list posts by another user.
  • Fix index issue with ancient versions of MySQL. [Premium only]
  • Fix harmless warning with a defined but empty WP_FAIL2BAN_PROXIES (h/t @stevegrunwell).
  • Backport new Block event class.
  • Update Freemius library. 2020-09-22
  • Workaround issue with user enumeration blocking being triggered by Gutenberg pre-loading Author list. (h/t @brrrrrrrt) [WordPress only] 2020-08-15
  • Finish refactoring to allow inclusion of constants in wp-config.php (h/t @iCounsellor).
  • Fix MaxMind database update. [Premium only] 2020-08-04
  • Fix Forbidden error on Posts page for roles below Editor when user enum blocking enabled. [WordPress only] 2020-07-30
  • Fix empty username detection for multisite.
  • Fix harmless warning when activating new multisite install.
  • Fix esoteric edge-case where wp-load.php is loaded via a script run from the CLI in a directory with a functions.php file. 2020-07-27

To take advantage of the new features you will need up update your fail2ban filters; existing filters will continue to work as before. Premium users: Please backup your database before upgrading. 2020-05-04
4.3.0-RC4 2020-04-30
4.2.8 2020-04-17
  • Add link to new support forum.
  • Fix user enumeration conflict with Gutenberg (h/t @dinghy).
  • Fix notices wrt admin menu (h/t @marioivangf).
  • Fix harmless XDebug notice (h/t @dinghy).
  • Update Freemius library.
4.3.0-RC3 2020-04-16 2019-09-30
  • Fix error when blocking user enumeration via oembed (h/t @wordpressfab).
4.2.7 2019-09-24
  • Fix error when blocking user enumeration via REST.
  • Fix buttons on Settings tabs.
4.2.6 2019-09-23
  • Add support for Remote Tools add-on.
  • Add support for the new ClassicPress security page.
  • Improved user enumeration blocking.
4.2.5 2019-07-15
  • Properly fix PHP 5.3 support; tested on CentOS 6. Does not support any UI or Premium features.
  • Fix potential issue with WP_FAIL2BAN_BLOCK_USER_ENUMERATION if calling REST API or XMLRPC from admin area.
4.2.4 2019-06-23
  • Add filter for login failed message.
  • Fix logging spam comments from admin area.
  • Fix Settings link from Plugins page.
  • Update Freemius library
4.2.3 2019-05-16
  • Workaround for some versions of PHP 7.x that would cause define()s to be ignored.
  • Add config note to settings tabs.
  • Fix documentation links.
4.2.2 2019-04-20
  • Fix 5.3 compatibility.
4.2.1 2019-04-20
  • Completed support for WP_FAIL2BAN_COMMENT_EXTRA_LOG.
  • Add support for 3rd-party plugins; see Developers.
    • Add-on for Contact Form 7 (experimental).
    • Add-on for Gravity Forms (experimental).
  • Change logging for known-user with incorrect password; previously logged as unknown user and matched by hard filters (due to limitations in older versions of WordPress), now logged as known user and matched by soft.
  • Bugfix for email-as-username - now logged correctly and matched by soft, not hard, filters.
  • Bugfix for regression in code to prevent Free/Premium conflict.
4.1.0 2019-03-13
  • Add separate logging for REST authentication.
  • Fix conflict with earlier versions pre-installed in mu-plugins. See Is WPf2b Already Installed?.
4.0.2 2019-01-28
  • Fix PHP 5.3 compatibility.
  • Bugfix for WP_FAIL2BAN_REMOTE_ADDR summary.
4.0.1 2019-01-25
  • Add extra features via Freemius. This is entirely optional. WPf2b works as before, including new features listed here.
  • Add settings summary page (Settings -> WP fail2ban).
  • Add WP_FAIL2BAN_LOG_COMMENTS_EXTRA - enable logging for attempted comments on posts which are:
    • not found,
    • closed for commenting,
    • in the trash,
    • drafts,
    • password protected
  • Block user enumeration via REST API.
3.6.0 2018-11-07
  • The filter files are now generated from PHPDoc in the code. There were too many times when the filters were out of sync with the code (programmer error) - this should resolve that by bringing the patterns closer to the code that emits them.
  • Added PHPUnit tests. Almost 100% code coverage, with the exception of WP_FAIL2BAN_PROXIES which is quite hard to test properly.
  • Bugfix for wordpress-soft.conf.
  • WP_FAIL2BAN_PROXIES now supports an array of IPs with PHP 7.
  • Moved all documentation to https://wp-fail2ban.readthedocs.io/.
3.5.3 2017-07-04
  • Bugfix for wordpress-hard.conf.
3.5.1 2016-08-09
3.5.0 2016-08-07
  • WP_FAIL2BAN_BLOCKED_USERS now supports an array of users with PHP 7. *
3.0.3 2016-07-07
  • Fix regex in wordpress-hard.conf
3.0.2 2016-06-23
  • Prevent double logging in WP 4.5.x for XML-RPC authentication failure
3.0.1 2016-04-21
  • Fix regex in wordpress-hard.conf
3.0.0 2016-03-28
  • Log XML-RPC authentication failure.
  • Add better support for MU deployment.
2.3.2 2015-10-21
2.3.1 2015-10-21
2.3.0 2014-11-03
  • Bugfix in experimental WP_FAIL2BAN_PROXIES code (thanks to KyleCartmell).
2.2.1 2014-08-09
  • Fix stupid mistake with WP_FAIL2BAN_BLOCKED_USERS.
2.2.0 2014-08-07
  • Custom authentication log is now called WP_FAIL2BAN_AUTH_LOG
  • Add logging for pingbacks
  • Custom pingback log is called WP_FAIL2BAN_PINGBACK_LOG
2.1.1 2014-03-03
  • Minor bugfix.
2.1.0 2013-08-28
  • Add support for blocking user enumeration; see WP_FAIL2BAN_BLOCK_USER_ENUMERATION
  • Add support for CIDR notation in WP_FAIL2BAN_PROXIES.
2.0.0 2013-08-05
  • Add experimental support for X-Forwarded-For header; see WP_FAIL2BAN_PROXIES
  • Add experimental support for regex-based login blocking; see WP_FAIL2BAN_BLOCKED_USERS
1.2.1 2013-04-12

Update FAQ.

1.2 2012-12-20

Fix harmless warning.

1.1 2012-11-18

Minor cosmetic updates.

1.0 2012-10-19

Initial release.