The es-wordpress module was developed by Extra Systems to protect WordPress hosting from hacker activity within the fail2ban system. Its core functionality is to detect specific activity in the /var/log/nginx/access.log file.
Connecting es-wordpress to fail2ban is done in the following way:
[es-wordpress] enabled = true filter = es-wordpress logpath = /var/log/nginx/access.log action = iptables-allports[name=es-wordpress, blocktype=DROP, protocol=all]
Please note that this filter blocks all protocols on all ports for the identified hacker, using the DROP method. This turns your host into a complete "black hole" for this particular attacker. They will receive no response to any subsequent IP packets. This significantly reduces the load on your server's resources.
The code for our es-wordpress filter looks like this:
[Definition]
failregex = ^<HOST> - - \[.*\] "POST /.*wp-login\.php HTTP/.*" (200|301)
^<HOST> - - \[.*\] "GET /.*(wp-content|wp-includes|wp-json).* HTTP/.*" 404
^<HOST> - - \[.*\] "GET /\?(p|m|author)=\d+ HTTP/.*" 404
^<HOST> - - \[.*\] "POST //?xmlrpc\.php HTTP/.*" 200
^<HOST> - - \[.*\] "GET /.*wlwmanifest\.xml HTTP/.*" 404
^<HOST> - - \[.*\] "POST /wp-comments-post\.php HTTP/.*" 403
ignoreregex =
In practical use on our Linux servers, this filter has proven to be very effective in suppressing hacker and spammer activity on websites created on the WordPress platform.
The content of this page is also available in Russian.
| © Extra Systems, 2026 |
|