Got a firewall? Use it.

fail2ban already handles SSH. Let it handle WordPress too.

WP fail2ban is different

An attack does not become less expensive because WordPress says “blocked”. If the request reaches PHP, opens a database connection, increments a counter and renders a response, the attacker is still making your site work.

WP fail2ban gets the work out of PHP. WPf2b recognises WordPress-specific behaviour reliably — failed logins, blocked usernames, XML-RPC abuse, user enumeration, comment spam, suspicious password resets. WPf2b turns those events into structured syslog messages. fail2ban reads them and applies the ban at the firewall.

A firewall ban is a real ban. No PHP loop. No database counter. No “blocked” page that still costs the server work. The attacker is stopped by the part of the system meant to do that job, before WordPress is involved again.

Most WordPress security plugins fight inside PHP. They inspect every request, keep counters in the database, and try to enforce bans from PHP. It is a layer too high for the job.
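The pipeline described above, as an added example rather than code from the plugin or from fail2ban: a small Python model of what a fail2ban jail does with the syslog lines WPf2b emits. The message wording, the syslog tag, the jail values (maxretry, findtime, bantime, ignoreip) and the sample addresses are all constructed for the illustration; a real deployment takes the patterns from the filter files the plugin ships and the values from jail.local. It shows the point of the architecture: one log line per event leaves PHP, and the counting, the sliding window, the whitelist and the ban decision all happen in the daemon, which then hands the ban to the firewall.

```python
"""Model of the WPf2b -> syslog -> fail2ban -> firewall pipeline.

Added example, not code from the plugin or from fail2ban.  The syslog
lines, the message wording and the jail values are constructed for the
illustration; a real deployment takes them from the filter files the
plugin ships and from jail.local.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban filter patterns use a <HOST> token that the daemon expands to an
# address-matching group.  The wording below is illustrative only, not the
# plugin's exact message text.
FAILREGEX = [
    r"Authentication failure for \S+ from <HOST>$",
    r"Blocked authentication attempt for \S+ from <HOST>$",
    r"Blocked user enumeration request from <HOST>$",
]
HOST_GROUP = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# One syslog line in rsyslog's ISO-8601 file format:
#   <timestamp> <hostname> <tag>[<pid>]: <message>
SYSLOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<hostname>\S+) (?P<tag>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def to_epoch(iso_ts):
    """Seconds since the epoch for an ISO-8601 timestamp with a UTC offset."""
    return datetime.fromisoformat(iso_ts).timestamp()


class Jail:
    """Minimal fail2ban jail: count filter matches per source address inside a
    sliding window of `findtime` seconds; at `maxretry` matches, ban the
    address for `bantime` seconds.  fail2ban hands the ban to an action such
    as nftables or iptables; this model only records it."""

    def __init__(self, failregex, maxretry, findtime, bantime, ignoreip=()):
        self.failregex = [re.compile(p.replace("<HOST>", HOST_GROUP)) for p in failregex]
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignoreip = frozenset(ignoreip)   # addresses that are never banned
        self.failures = defaultdict(deque)    # address -> recent match times
        self.bans = {}                        # address -> ban expiry (epoch)

    def is_banned(self, ip, now):
        expiry = self.bans.get(ip)
        if expiry is not None and now < expiry:
            return True
        self.bans.pop(ip, None)  # an expired ban is lifted, as fail2ban does
        return False

    def feed(self, line):
        """Process one log line; return the address if this line caused a ban."""
        parsed = SYSLOG_LINE.match(line)
        if not parsed:
            return None  # not a syslog line: skipped, nothing to count
        now = to_epoch(parsed["ts"])
        for rx in self.failregex:
            hit = rx.search(parsed["msg"])
            if hit:
                return self._record_failure(hit["host"], now)
        return None  # e.g. a successful login: logged, but not a failure event

    def _record_failure(self, ip, now):
        if ip in self.ignoreip or self.is_banned(ip, now):
            return None
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > self.findtime:
            window.popleft()  # matches older than findtime no longer count
        if len(window) >= self.maxretry:
            self.bans[ip] = now + self.bantime
            window.clear()
            return ip
        return None


def run_jail(log_text, jail):
    """Feed every line to the jail; return the addresses banned, in order."""
    return [ip for ip in (jail.feed(line) for line in log_text.splitlines()) if ip]


# Constructed sample of what rsyslog might write to /var/log/auth.log.
# 203.0.113.7 fails twice and then probes user enumeration (three matches
# within findtime); 192.0.2.44 fails three times but spread over 15 minutes;
# 10.0.0.5 is whitelisted; the last line is not syslog at all.
SAMPLE_LOG = """\
2024-03-03T10:15:02+00:00 web1 wordpress(example.com)[1234]: Authentication failure for admin from 203.0.113.7
2024-03-03T10:15:05+00:00 web1 wordpress(example.com)[1234]: Authentication failure for admin from 203.0.113.7
2024-03-03T10:15:09+00:00 web1 wordpress(example.com)[1234]: Accepted password for editor from 198.51.100.20
2024-03-03T10:15:12+00:00 web1 wordpress(example.com)[1234]: Blocked user enumeration request from 203.0.113.7
2024-03-03T10:20:00+00:00 web1 wordpress(example.com)[1234]: Authentication failure for admin from 192.0.2.44
2024-03-03T10:22:00+00:00 web1 wordpress(example.com)[1234]: Authentication failure for admin from 192.0.2.44
2024-03-03T10:35:00+00:00 web1 wordpress(example.com)[1234]: Authentication failure for admin from 192.0.2.44
2024-03-03T10:40:00+00:00 web1 wordpress(example.com)[1234]: Authentication failure for admin from 10.0.0.5
2024-03-03T10:41:00+00:00 web1 wordpress(example.com)[1234]: Authentication failure for admin from 10.0.0.5
2024-03-03T10:42:00+00:00 web1 wordpress(example.com)[1234]: Authentication failure for admin from 10.0.0.5
this line is not syslog at all
"""


def demo():
    # Jail values are constructed for the example, not the plugin's defaults.
    jail = Jail(FAILREGEX, maxretry=3, findtime=600, bantime=3600, ignoreip={"10.0.0.5"})
    return jail, run_jail(SAMPLE_LOG, jail)


if __name__ == "__main__":
    jail, banned = demo()
    print("banned:", banned)  # 203.0.113.7 only
```

Only 203.0.113.7 is banned: its two failures and the enumeration probe are counted together because every pattern in the filter feeds the same jail, while 192.0.2.44 never has three matches inside one findtime window and 10.0.0.5 is on the ignore list. In a live setup the same pattern check is what `fail2ban-regex` performs against a real log file, which is the first thing to run when a jail seems not to fire.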

WPf2b is also unusually quiet to live with. Because the heavy lifting happens outside WordPress, WPf2b has a small, well-defined surface area. Configuration constants added years ago still work. Upgrades rarely require revisiting a working setup. Install it, connect the filters, and let the operating system do the part it was built to do.

WPf2b has worked this way since 2011. The architecture hasn’t changed because the problem hasn’t.

WP fail2ban will work with your hosting (probably)

Preinstalled

You may already have it without realising — DigitalOcean WordPress Droplets ship with WPf2b already installed. Check the WordPress plugins screen first; if it is active there, check whether the fail2ban filters are up-to-date.

Full self-managed

If you run your own VPS, dedicated server, or home-lab WordPress box, WPf2b will definitely work. Install fail2ban with your package manager if it is not already there, copy the WPf2b filters into place, and enable the jails.

cPanel and similar shared hosting

It depends on the host. Many reputable shared hosts already run fail2ban and expose enough of the logging path for WPf2b to work. Ask support whether WordPress syslog messages can be used by fail2ban on your account.

Fully managed WordPress hosting

Hosts such as WP Engine, Kinsta, and Pantheon manage the whole stack for you, security included. WPf2b needs access these hosts don't typically give you, so the free version won’t deliver much. Premium is a different matter: the WAF runs inside WordPress, catching SQL injection and guarding sensitive operations in ways general hosting security usually doesn't. On managed hosting, that's worth paying for.

The usual suspects

WPf2b catches everything a WordPress security plugin should, and several things most of them don’t. Some of those, WPf2b did first.

Authentication & login

Every login tells a story. WPf2b logs successful and failed attempts across normal WordPress login, REST and XML-RPC, including blocked usernames and password-reset failures.

User-enumeration defence

Bots often start by asking WordPress who the users are. WPf2b shuts down the usual routes: author archives, REST users, user sitemaps and oEmbed author data.

Comments, pingbacks & trackbacks

Comment bots are noisy and repetitive. WPf2b logs real comments and catches attempts against posts where comments should not be possible, including closed, draft and password-protected posts.

XML-RPC

XML-RPC can turn one HTTP request into many login attempts. WPf2b detects multicall authentication failures, and Premium can block the endpoint entirely while preserving trusted access.

Spam

When spam is found later, the original spammer still matters. WPf2b uses the comment’s stored IP, so a retroactive spam decision can still lead back to the right source.

Geo-blocking (Premium)

Block countries by ISO code, with normal 403 blocks and 451 legal blocks kept separate. The MaxMind GeoLite2 database is refreshed automatically.

Web Application Firewall (Premium)

The WAF focuses on high-value classes of abuse: SQL injection, rogue option updates and unauthorised user deletion. SQLi detection uses a parser, not a pile of hopeful regex.

Reports & dashboard (Premium)

See what the plugin has been doing without dropping to the command line: event log, maps, graphs, and summaries by IP, country, username and password.

Premium, when you need it

You run a personal or small business site

The free version gives the site the protection: WPf2b recognises abuse, fail2ban bans repeat offenders. Premium is for when you want to see what's happening without reading syslog. The dashboard shows who has been trying, from where, and how often. It turns “I think it is working” into “there it is”.

You manage sites for clients

Premium pays back in support time. Reports let you show clients what their site is experiencing without handing them shell access or pasting log extracts into emails. For multisite networks, the silver tier gives you the same visibility across the whole network instead of one site at a time.

You need an audit trail for compliance

Events leave WordPress through syslog and flow into whatever you already use to aggregate or archive logs — journald, Graylog, Splunk, ELK, or plain log files. Premium adds in-WordPress event reporting on top of that. Since v6.2, each Premium release ships with an SBOM.

You just want to support the work

Some people buy a licence they'll never install, purely to back the work. Some even buy the Gold tier — it adds nothing over the cheaper tiers, but a software licence is a cleaner way to support a project than a donation, and usually an easier one to put through the books.

FAQ

Small. WPf2b logs the event once, fail2ban reads the log, and future requests from the attacker are stopped at the firewall before reaching PHP again.

Often, yes. It depends on whether your host runs fail2ban and allows WordPress syslog events to reach it. If you are not sure, ask support whether a WordPress plugin can send syslog messages that their fail2ban setup can read.

On a self-managed server, yes, unless it is already installed. On shared hosting, the host normally controls fail2ban. WPf2b supplies the WordPress-side events and the filter patterns; fail2ban itself is the server component that applies bans.

You can still install the plugin, but the banning side depends on the host. They control the firewall and the fail2ban service, so you’ll need to ask support whether they can enable or already support WPf2b filters. If they cannot, the plugin can still log events, but the firewall bans will not happen on that host.

Yes. WPf2b supports MU use, and Site Health includes checks to help catch common deployment mistakes. It is a good fit for managed fleets where the security baseline should not depend on each site administrator leaving a normal plugin active.

Yes. The free plugin runs on multisite, and Premium has a multisite tier for network-level reporting. Useful when “is this site being attacked?” has turned into “what is happening across the network?”

WPf2b does a different job — turning WordPress events into system-level signals for fail2ban — so it usually sits alongside other security plugins without conflict. The exception: if another plugin stops a request before WordPress reaches the relevant hook, WPf2b will not see that particular event.

Almost never. By design. The in-WordPress configuration has stayed unusually stable over years of releases. You may need to update fail2ban filter files when moving between plugin versions, especially if you want new event types, but a working WordPress configuration should not need regular attention.

Free gives you the core protection: WordPress event logging for fail2ban. Premium adds visibility and extra controls: reports, dashboards, geo-blocking, XML-RPC blocking, Cloudflare and Jetpack IP handling, honeypots and the WAF.

The free plugin is GPL-licensed, like WordPress itself. Premium is a paid commercial version.

Yes. WPf2b has been maintained since 2011 and is still being developed. Security is a process, not a destination.