Not the best solution out there, but a piece that could help.
I have a hosting VPS with a LEMP stack and ISPConfig, on which I run some WordPress sites. WordPress sites are known to be very popular among spammers and crackers, not because of the core itself but because its thousands of plugins are often not updated and so easily exploitable, or because, as we say in Italy, they know their chickens: WP admins often use weak passwords which can be brute-forced.
So I often find a lot of POSTs against wp-login.php in my web server logs. How to block them?
An ignorant way (that's what we say in Italy for blind, not really refined ways of doing things) which came to my mind is to block IPs that hit wp-login.php too often. It's ignorant because it can also block legitimate users who fail a few logins (the access log does not say whether a login succeeded, so every request counts), but it's better than installing plugins like Wordfence or others because it blocks requests at the firewall before they reach the web server and PHP, lowering the resources needed to handle them.
Assuming that you have already installed fail2ban, create a new file /etc/fail2ban/filter.d/web-wordpress.conf with this content:

    [Definition]
    failregex = <HOST> - - .*(POST|GET) .*/wp-login.php HTTP.*
The filter should be fine even for Apache sites, as long as the access log uses the usual combined format. Note that it counts every GET and POST on wp-login.php, not only failed logins, and that a request with a query string (wp-login.php?action=...) is not matched because the regex expects " HTTP" right after the file name. Then append to /etc/fail2ban/jail.local:

    [web-wordpress]
    enabled = true
    banaction = iptables-allports
    bantime = 7200
    port = all
    logpath = /var/www/clients/client*/web*/log/access.log
    maxretry = 4
    backend = auto
With fail2ban's default findtime of 600 seconds, this bans an IP for two hours (bantime = 7200) after 4 hits on wp-login.php within 10 minutes. You might want to adjust banaction if you prefer to block only http/https access (for example banaction = iptables-multiport with port = http,https), but I prefer to keep allports to prevent any other access from the brute-forcing IP.
Also you might need to change the logpath parameter: that one searches all ISPConfig sites' access.log files. If you have just one site, or want to monitor a single website, change it to that site's log path.
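To see what the filter and jail above actually do before enabling them, here is an added example (my code, not from the post and not part of fail2ban) that replays the failregex and the maxretry/findtime logic over a few constructed combined-format log lines. The way fail2ban expands <HOST> is simplified here (HOST_RE is my stand-in), and POST_ONLY_REGEX is my suggested stricter variant, not something from the original post. It also goes a bit beyond the text by showing how maxretry and findtime change who gets banned.

```python
import re
from collections import defaultdict
from datetime import datetime

# The failregex from the filter above. fail2ban substitutes <HOST> with its own
# host-capturing group; HOST_RE is a simplified stand-in used only by this example.
FAILREGEX = r"<HOST> - - .*(POST|GET) .*/wp-login.php HTTP.*"
# Stricter variant (a suggestion of this example, not from the original post):
# count only POSTs, and still match when a query string follows wp-login.php.
POST_ONLY_REGEX = r'<HOST> - - .*"POST /wp-login\.php(\?\S*)? HTTP.*'
HOST_RE = r"(?P<host>[0-9a-fA-F.:]+)"
DATE_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

# Constructed combined-format access log lines (RFC 5737 test addresses), in time order:
# 203.0.113.5 hammers the login, 198.51.100.7 is a legitimate admin (one GET, one POST),
# 192.0.2.9 posts four times but spread over half an hour.
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:00 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:14:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:14:11:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:14:22:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:14:33:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
]


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_line(line, failregex=FAILREGEX):
    """Return (host, timestamp) when the line matches the filter, else None."""
    m = compile_failregex(failregex).search(line)
    if m is None:
        return None
    d = DATE_RE.search(line)
    if d is None:
        return None
    return m.group("host"), datetime.strptime(d.group(1), "%d/%b/%Y:%H:%M:%S %z")


def hit_counts(lines, failregex=FAILREGEX):
    """Total matching hits per host, ignoring any time window."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line, failregex)
        if parsed:
            counts[parsed[0]] += 1
    return dict(counts)


def find_bans(lines, maxretry=4, findtime=600, failregex=FAILREGEX):
    """Replay the jail logic: a host is banned at the moment it reaches
    `maxretry` matches inside a sliding window of `findtime` seconds
    (600 s is fail2ban's default findtime). Returns {host: ban timestamp}."""
    recent = defaultdict(list)
    bans = {}
    for line in lines:
        parsed = parse_line(line, failregex)
        if parsed is None:
            continue
        host, ts = parsed
        if host in bans:
            continue  # already banned; further hits would not reach the server
        window = recent[host]
        window.append(ts)
        # Expire hits that fall outside the findtime window.
        while (ts - window[0]).total_seconds() > findtime:
            window.pop(0)
        if len(window) >= maxretry:
            bans[host] = ts
    return bans


if __name__ == "__main__":
    for host, when in find_bans(LOG_LINES).items():
        print(f"ban {host} at {when.isoformat()}")
    print("hits (GET+POST):", hit_counts(LOG_LINES))
    print("hits (POST only):", hit_counts(LOG_LINES, POST_ONLY_REGEX))
```

With the post's settings only 203.0.113.5 is banned, at its fourth hit. Lowering maxretry to 2 also bans the legitimate admin, which is the false positive the text warns about; raising findtime to 3600 catches the slow brute-forcer that spaces its attempts more than 10 minutes apart. The first line, a GET with a query string, never counts under the original regex, which is worth knowing before you rely on it.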