My server is currently undergoing intense bruteforce attacks against WordPress login pages. All my websites are extremely slow due to these attacks. I have 40+ websites on my server.
I searched for a way to block all these attacks at once with fail2ban and found a lot of tutorials, but none of them are working for me. I’m still receiving attacks and, while testing, I’m not getting blocked.
I’m using Hestia 1.3.0 with Nginx + PHP-FPM.
Now I’m using the WP Fail2Ban plugin on one of the websites and still no luck. I copied the filter.d/* files to /etc/fail2ban/filter.d and I’m using this in nano /etc/fail2ban/jail.local:
Probably the log path is wrong; the attacks didn’t get logged there because the user doesn’t have enough rights to write to those specific logs. I don’t know where WordPress logs these messages by default.
You probably want to install the Wordfence plugin, as well as start protecting your websites behind Cloudflare. Also, you could start blocking the attacker IPs with iptables; for this step, check the access logs of each of your websites.
You’re right, I changed the log path to /var/log/nginx/domains/*.log and it’s working now. I’ll check the Wordfence and Cloudflare solutions. I used the free Cloudflare plan in the past but I was getting problems with Let’s Encrypt renewals. I’ll try again soon. Thanks a lot.
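The access-log check suggested above, applied to the nginx per-domain logs the thread settled on, as an added example that is not part of the original posts: a Python script that lists client IPs making repeated POSTs to wp-login.php inside a sliding time window, the same maxretry/findtime idea fail2ban applies. It assumes the nginx "combined" log format; the function name, the thresholds and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" format (assumed): ip - user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_offenders(lines, maxretry=5, findtime=600):
    """Return {ip: peak_hits} for IPs with >= maxretry POSTs to wp-login.php
    inside any sliding window of findtime seconds (illustrative thresholds)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # skip malformed lines and page views (GET)
        # Drop the query string so /wp-login.php?action=... still matches.
        if not m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:  # expire attempts older than findtime
            hits.popleft()
        if len(hits) >= maxretry:
            offenders[m["ip"]] = max(offenders.get(m["ip"], 0), len(hits))
    return offenders

def _line(ip, hhmmss, method, path, status):
    """Build one constructed log line (documentation IP ranges, not real traffic)."""
    return (f'{ip} - - [10/Mar/2021:{hhmmss} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 1234 "-" "Mozilla/5.0"')

# Constructed sample: one noisy client, one normal login, one junk line.
SAMPLE = (
    [_line("203.0.113.7", f"12:00:{s:02d}", "POST", "/wp-login.php", 200)
     for s in range(0, 12, 2)]
    + [_line("198.51.100.20", "12:01:00", "GET", "/wp-login.php", 200),
       _line("198.51.100.20", "12:01:05", "POST", "/wp-login.php", 302),
       "garbage line"]
)

if __name__ == "__main__":
    print(find_offenders(SAMPLE))
```

To use it on real data, pass the lines of the per-domain files under /var/log/nginx/domains/ instead of SAMPLE.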
I suggest adding Apache basic auth to the login page. It stops the attack before it generates any PHP, which is the CPU-intensive part.
E.g., create a file in /home/user/conf/web/domain.com/apache2.conf_secure and apache2.ssl.conf_secure with the following