Block WordPress login attempts when no WordPress is present

I’ve set up LogWatch and saw these entries turning up every day.

404 Not Found 
     /admin/wp-login.php: 2 Time(s) 
     /administrator/index.php: 2 Time(s) 
     /blog/wp-login.php: 2 Time(s) 
     /section/wp-login.php: 2 Time(s) 
     /site/wp-login.php: 2 Time(s) 
     /wordpress/wp-login.php: 2 Time(s) 
     /wp-login.php: 2 Time(s) 
     /wp-login/: 2 Time(s) 
     /wp/wp-login.php: 2 Time(s) 
     /www.google.com/chrome: 1 Time(s)

I decided to ban them using fail2ban, since there is no reason to request a WordPress login page when no WordPress is running on that server. I based this on https://github.com/miniwark/miniwark-howtos/wiki/Fail2Ban-setup-for-Apache.

vi /etc/fail2ban/filter.d/wordpress-404.conf
# Fail2Ban configuration file

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = ^<HOST> .*"GET .*wp-content.* 404
            ^<HOST> .*"GET .*wp-login.* 404

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Next add it to the jail. Using newer versions of fail2ban, you can add this to the conf.d folder in a separate config file.

vi /etc/fail2ban/jail.conf
[wordpress-404]
enabled = true
port    = http,https
filter   = wordpress-404
logpath  = /var/log/apache*/*access.log
maxretry = 1

Now watch the firewall block them 🙂

iptables -L -n
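
With maxretry = 1 a single matching line bans the client, so it is worth checking what the failregex actually matches. The following is an added example, not part of the original post: it runs the two rules from the filter above over constructed access-log lines in Python (fail2ban's regexes are Python regular expressions), next to a hypothetical tighter rule. The HOST pattern, STRICT_RULES and the sample lines are assumptions made for illustration.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4/hostname only).
HOST = r"(?P<host>[\w\-.^_]+)"

# The two failregex lines from the filter above.
PAGE_RULES = [
    r'^<HOST> .*"GET .*wp-content.* 404',
    r'^<HOST> .*"GET .*wp-login.* 404',
]
# Hypothetical tighter rule: any common method, the name must be in the URL
# path (not the query string), and 404 must be the status field right after
# the quoted request. [^"]* tolerates fail2ban cutting the timestamp out.
STRICT_RULES = [
    r'^<HOST> [^"]*"(?:GET|POST|HEAD) [^\s?]*wp-(?:login|content)\S* [^"]*" 404 ',
]

# Constructed Apache combined-format lines (documentation address ranges).
SAMPLE_LOG = [
    # Plain probe: both rule sets should catch it.
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "curl/8.0"',
    # POST probe: the page's rules only look at GET.
    '203.0.113.8 - - [10/Oct/2023:13:55:37 +0000] "POST /blog/wp-login.php HTTP/1.1" 404 196 "-" "curl/8.0"',
    # Legitimate 200 response whose body happens to be 404 bytes long.
    '198.51.100.9 - - [10/Oct/2023:13:55:38 +0000] "GET /search?q=wp-login HTTP/1.1" 200 404 "-" "Mozilla/5.0"',
    # Ordinary traffic.
    '198.51.100.10 - - [10/Oct/2023:13:55:39 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def compile_rules(rules):
    """Expand <HOST> into a named group before compiling, as fail2ban does."""
    return [re.compile(r.replace("<HOST>", HOST)) for r in rules]

def banned_hosts(rules, lines):
    """Hosts with at least one matching line; maxretry = 1 bans on the first."""
    compiled = compile_rules(rules)
    hits = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits.append(m.group("host"))
                break
    return hits

if __name__ == "__main__":
    print("page rules  :", banned_hosts(PAGE_RULES, SAMPLE_LOG))
    print("strict rules:", banned_hosts(STRICT_RULES, SAMPLE_LOG))
```

Before enabling the jail, run fail2ban-regex with your own access log and the filter file to confirm the matches on real data.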
