fail2ban config for Wordpress running in Docker

This environment:

  • CentOS 7.x
  • WP 5.x
  • PHP 7.x
  • Fail2ban 0.11.x

WP/PHP running in Docker

In /etc/fail2ban/filter.d/wplogin.conf:

failregex = .*php7:notice.*\[client (<HOST>).*wp-admin.*Password Mismatch
ignoreregex =

Then in the WP home, we want to log errors to SYSLOG. Under $WP_HOME\plugins we create a directory eg log-auth-errors and create a file log-auth-errors.php inside there:



Plugin Name: Log Auth Errors
Plugin URI:
Description: Plugin to log authentication errors
Version: 1.0
Author: Ronald MacDonald
Author URI:
License: GPLv3

add_action( 'wp_login_failed', 'login_failed' );
function login_failed( $username ) {
    error_log("user $username: authentication failure for \"".admin_url()."\": Password Mismatch");


Then we can navigate to the WP installation and ‘activate’ the plugin. Authentication errors will be logged to global syslog.

To activate, we add the config to our jail.local:


enabled = true
port = http,https
banaction = iptables-multiport
filter = wplogin
logpath = /var/log/messages
maxretry = 3
bantime = 12h
#ignoreip = <your_network/cidr>

Once we restart fail2ban we can verify IPs are identified from the log:

# fail2ban-client status wplogin
Status for the jail: wplogin
|- Filter
|  |- Currently failed: 7
|  |- Total failed:     7
|  `- Journal matches:  
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:

… and check iptables is adding the entries to the list:

# iptables -L -n
... [snip]
Chain f2b-wplogin (1 references)
target     prot opt source               destination         
REJECT     all  --                reject-with icmp-port-unreachable
RETURN     all  --  


Note that on this flavour of CentOS, I also needed to add the following to my jail.local (YMMV):

banaction = firewallcmd-ipset
backend = systemd