Fail2WP for WordPress

This WordPress plugin provides security functionality and integration with Fail2ban.

Basic security functionality includes:

  • Disabling login with username (require e-mail address)
  • Preventing user enumeration (?author=nnn)
  • Less detailed error messages on login failures
  • Minimum username length
  • Blocking specific usernames from being used to register new users
  • Requiring e-mail address matching for new user registrations
  • Warning about new user role setting
  • Blocking some or all of the WordPress REST API
  • Disabling of RSS and Atom feeds
  • Removal of “Generator” information from HTML and feeds
  • Detection of Cloudflare IP addresses for logging of actual IP addresses
  • Blocking/Allowing logins from IP addresses, IP ranges, and/or hostnames
  • Partially or fully disabling XML-RPC access

The plugin also plays nicely with Fail2ban, an advanced tool that dynamically blocks IP addresses when it detects suspicious behavior.

Other notes:

  • This plugin may work with earlier versions of WordPress
  • This plugin optionally makes use of mb_() PHP functions
  • Compatible with WordPress 5.5+ and WordPress 6.2+
  • Compatible with PHP 7.2, 7.4, and 8.1.20
  • This plugin may create entries in your PHP error log (if active)
  • This plugin contains no JavaScript
  • This plugin contains no tracking code and does not store any information about users

Fail2WP on wordpress.org:
wordpress.org/plugins/fail2wp/

Smoke tests for Fail2WP:
plugintests.com/plugins/wporg/fail2wp/latest