WordPress botnet attack arrived and thwarted

I knew it was just a matter of time before the now famous botnet would try to gain access to my WordPress site too, and today it tried. It did not gain access, for three reasons:

  1. I do not use admin
  2. I have a strong password
  3. I use my own WordPress plugin plus Fail2ban

They tried 185 times in the span of 40 minutes.

AVH Log Login

As everybody on the net is saying: do not use admin as your administrator user name, and use a strong password. I have been doing this for years, but when the news of the botnet broke I decided to add an extra layer of security.

I created a very basic plugin that logs every successful login and every failed login attempt to a file.

I use this log file in combination with the Linux program Fail2ban. I set up a filter and updated the jail configuration file, and any IP that fails to log in a number of times is blocked by the firewall. Correct, I completely block these IPs from accessing my site.


Here’s what the logfile looks like:

ERROR - [2013-05-07 12:14:06] " Login Failed - User: 'admin' Password: 'liverpool' "
ERROR - [2013-05-07 12:17:05] " Login Failed - User: 'admin' Password: 'dallas' "
ERROR - [2013-05-07 12:22:30] " Login Failed - User: 'admin' Password: 'adidas' "
ERROR - [2013-05-07 12:24:47] " Login Failed - User: 'admin' Password: 'scotty' "
x.x.x.x INFO - [2013-05-07 12:54:25] " Login Successful - User: '....' "

The last line was me logging in. Note that for the Fail2ban filter below to match, each line has to begin with the client address, as the x.x.x.x placeholder on the successful entry shows; the failed entries above are shown without it.

Fail2ban filter file (filter.d/wordpress-login.conf, the name the jail's filter = line refers to):

[Definition]
failregex = ^<HOST> ERROR.*Login Failed.*
ignoreregex =

Fail2ban jail configuration (the section added to jail.local):

[wordpress-login]
enabled  = true
filter   = wordpress-login
port     = http
logpath  = /var/log/nginx/*app.log
maxretry = 2
findtime = 86400 ; 1 day
bantime  = 86400 ; 1 day

This setup allows any IP two failed login attempts within a day; on the second failure it is banned for a day. Note that port = http only blocks port 80, so a site that is also served over HTTPS needs port = http,https.
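To show how the filter and jail settings above act on the plugin's log format, here is an added example in Python that replays constructed log lines through the same failregex and the same maxretry/findtime/bantime arithmetic. It is not the author's plugin and not Fail2ban's own code: the log lines are constructed samples using RFC 5737 documentation addresses, the `<HOST>` pattern is a simplified IPv4/IPv6 stand-in for the one Fail2ban expands, and the last sample line deliberately lacks a leading address to show that such a line never matches.

```python
"""Replay the wordpress-login filter and jail settings over sample log lines.

Added example, not the AVH Log Login plugin or Fail2ban itself. The log text
below is constructed; addresses come from the RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: a simplified stand-in for Fail2ban's <HOST> expansion
# (IPv4 dotted quad, or an IPv6 literal containing at least one colon).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F]*:[0-9a-fA-F:]+)"
# The post's failregex with <HOST> expanded.
FAILREGEX = re.compile(r"^" + HOST_RE + r" ERROR.*Login Failed.*")
# Timestamp format used by the plugin's log lines: [2013-05-07 12:14:06]
TIME_RE = re.compile(r"\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")

# Jail settings from the post.
MAXRETRY = 2
FINDTIME = timedelta(seconds=86400)
BANTIME = timedelta(seconds=86400)

# Constructed sample log: three failures from one address, one from another,
# one successful login, and one failure line with no leading address.
SAMPLE_LOG = """\
203.0.113.5 ERROR - [2013-05-07 12:14:06] " Login Failed - User: 'admin' Password: 'liverpool' "
203.0.113.5 ERROR - [2013-05-07 12:17:05] " Login Failed - User: 'admin' Password: 'dallas' "
203.0.113.5 ERROR - [2013-05-07 12:22:30] " Login Failed - User: 'admin' Password: 'adidas' "
198.51.100.9 ERROR - [2013-05-07 12:24:47] " Login Failed - User: 'admin' Password: 'scotty' "
192.0.2.10 INFO - [2013-05-07 12:54:25] " Login Successful - User: 'editor' "
ERROR - [2013-05-07 13:01:00] " Login Failed - User: 'admin' Password: 'secret' "
"""


def parse_line(line):
    """Return (host, timestamp) if the line matches failregex, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    t = TIME_RE.search(line)
    if not t:
        return None
    return m.group("host"), datetime.strptime(t.group(1), "%Y-%m-%d %H:%M:%S")


def compute_bans(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay the log and return {host: time_of_ban} for every banned address.

    As in Fail2ban, an address is banned the moment it accumulates `maxretry`
    matching failures inside a sliding `findtime` window. Failures logged while
    the address is still banned are skipped (the firewall would have dropped
    the request before it reached the web server).
    """
    recent = defaultdict(deque)  # host -> timestamps of failures in the window
    bans = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # INFO lines and lines without a leading address
        host, ts = parsed
        if host in bans and ts < bans[host] + bantime:
            continue  # still banned
        window = recent[host]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            bans[host] = ts
            window.clear()
    return bans


def banned_hosts(log_text):
    """Sorted list of addresses the jail would ban for this log."""
    return sorted(compute_bans(log_text))


if __name__ == "__main__":
    for host, when in compute_bans(SAMPLE_LOG).items():
        print(f"ban {host} from {when:%Y-%m-%d %H:%M:%S} for {BANTIME}")
```

Running it bans 203.0.113.5 at its second failure (12:17:05) and leaves 198.51.100.9 alone after a single failure. The address-less last line is silently ignored, which is exactly what happens in Fail2ban when the plugin writes a line without the client IP in front of it, and the reason a new filter is best checked with `fail2ban-regex <logfile> <filterfile>` before the jail is enabled.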


I haven’t released the plugin yet because I haven’t had time to write an admin section so the logfile location can be modified. Right now it’s hardcoded for my needs.
If there’s a need, let me know in the comments.

The plugin will only be useful when you can install and configure Fail2ban on the server, which usually means a dedicated server or a VPS rather than shared hosting. It’s not limited to Fail2ban; there are other programs you could use to read the logfile and act upon it.

This article is filed under the categories Development » WordPress.
  • I would love to have this made into a plugin if possible; I’m sure anyone else who found this post would too! I don’t understand Linux coding and have never heard of Fail2ban, though to make these features into a plugin for WP would be extraordinary and popular, I’d imagine. I too don’t use Admin, and ALL the login page protection plugins I have used are not that great to begin with, and I have yet to find one that logs the logins (which, let’s face it, if you want full protection you need to know who is logging in/trying to log in; especially for blogs with multiple authors this would come in handy tenfold!)…

    If I knew how to code plugins, I’d have a go at making it myself by researching what you’ve talked about here, but my PHP sucks for one, and two, I have NEVER used Linux other than to use cPanel in a hosting situation, and only shared hosting so far (currently studying how to manage a VPS; if you know any good tuts or eBooks on managing VPSs, I would be grateful BTW!)

    Tweet me: Code_Collective or jayoism on twitter (or) lose the _ in the twitter username & add an ‘s’ to the end of collective at gmail

    Thanks for your time!