Fail2WP for WordPress Documentation

We will be adding more detailed information and documentation for Fail2WP for WordPress to this page in due time.

Fail2WP plugin settings

You will find the Fail2WP plugin settings under Settings > Fail2WP in the WordPress administrator interface. It is visible only to users with the administrator role.


Basic configuration

Site label The site name to use in log entries. Defaults to your site name if left empty; this typically does not need to be changed.
Block user enum This will make Fail2WP block requests of the form your.site/...?author=nnn. WordPress normally answers such a request with a redirect to the author's archive page, whose URL contains the account's login name, so these requests are used by external parties to enumerate users and usernames on your site.
Block username login This will make Fail2WP disable logging in with a username and instead require that the login credentials be an e-mail address.
Secure login messages This will make Fail2WP alter the error messages displayed after unsuccessful login attempts so that they no longer reveal which part of the credentials was wrong. By default, WordPress is quite “helpful” in telling whoever is trying to log in exactly what is wrong with the provided credentials (for example, that the username does not exist, or that the password is wrong for an existing username). There is no reason to tell potential attackers what they are doing wrong.
Other settings
Remove generator info If enabled, Fail2WP will remove the generator information that identifies the site as WordPress (the generator meta tag in HTML pages, the generator element in RSS and Atom feeds, etc.).
Remove feeds Disables the default RSS and Atom feeds on your site.
Remove settings Fail2WP will by default retain its settings when you uninstall the plugin. If you want Fail2WP to remove all its settings when you uninstall the plugin, you should enable this option. Settings are always retained when you deactivate the plugin.

New users

Membership warnings If enabled, Fail2WP will warn you about odd or possibly dangerous membership/user registration settings.
Check for role Fail2WP will check the “New User Default Role” setting against this setting and warn you if there is a mismatch.
Force role This setting will make Fail2WP force the WordPress setting “New User Default Role” to whatever is configured here (below).
Role to force If the “Force role” option is enabled, Fail2WP will use the “Role to force” setting to set the “New User Default Role” WordPress setting.
Minimum username length The minimum number of characters (2 to 200) required for usernames when new users sign up for membership on the site. Setting this value to 0 disables the check. This does not affect already registered users.
Banned usernames Usernames listed in this box, one per line, will not be allowed to sign up for site membership. The text is matched without regard for case, that is ADmiN matches admin and so on. The strings need to fully match to be banned, that is “admin” does not match “administrator”.
E-mail must match Text specified here, one entry per line, will be matched against whatever e-mail address new users enter when signing up for the site. At least one of the entries must match the e-mail address entered by the user for the registration to be successful. Partial matching is done, that is, @mydomain.com will match jane.doe@mydomain.com. Because the match is partial, an entry such as @mydomain.com would also match an address like jane.doe@mydomain.com.example.net if the match is not anchored at the end of the address, so keep the entries as specific as possible and verify the behaviour on your own site.
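The following is an added reference implementation of the three matching rules described above (minimum username length, banned usernames, e-mail must match), written to show the edge cases concretely: whole-string, case-insensitive matching of banned names, and the over-match that substring matching of e-mail patterns allows. It is example code, not the plugin's own PHP implementation, and the anchor_email_at_end option is an assumed stricter variant, not a documented Fail2WP setting.

```python
"""Reference implementation of the Fail2WP 'New users' matching rules as this
page documents them. Added example, not the plugin's own code; the plugin is
written in PHP and its actual implementation may differ in details."""

from dataclasses import dataclass, field


@dataclass
class NewUserPolicy:
    min_username_length: int = 0          # 0 disables the length check (documented range 2-200)
    banned_usernames: list = field(default_factory=list)
    email_must_match: list = field(default_factory=list)
    # ASSUMED stricter variant for illustration, not a documented option:
    # require the pattern to match at the end of the address.
    anchor_email_at_end: bool = False

    def check(self, username: str, email: str) -> list:
        """Return a list of rejection reasons; an empty list means registration is allowed."""
        errors = []

        # Minimum username length; a value of 0 disables the check.
        if self.min_username_length and len(username) < self.min_username_length:
            errors.append(f"username shorter than {self.min_username_length} characters")

        # Banned usernames: case-insensitive, whole-string match only,
        # so "ADmiN" matches "admin" but "administrator" does not.
        banned = {b.casefold() for b in self.banned_usernames}
        if username.casefold() in banned:
            errors.append("username is banned")

        # E-mail must match: at least one entry must match; matching is partial
        # (substring), so "@mydomain.com" matches "jane.doe@mydomain.com" but,
        # unless anchored, also "jane@mydomain.com.example.net".
        if self.email_must_match:
            addr = email.lower()
            if self.anchor_email_at_end:
                ok = any(addr.endswith(p.lower()) for p in self.email_must_match)
            else:
                ok = any(p.lower() in addr for p in self.email_must_match)
            if not ok:
                errors.append("e-mail address does not match any allowed pattern")

        return errors


if __name__ == "__main__":
    policy = NewUserPolicy(min_username_length=4,
                           banned_usernames=["admin", "root"],
                           email_must_match=["@mydomain.com"])
    for user, mail in [("ADmiN", "x@mydomain.com"),
                       ("administrator", "x@mydomain.com"),
                       ("bob", "bob@mydomain.com"),
                       ("jane.doe", "jane@mydomain.com.example.net")]:
        print(user, mail, policy.check(user, mail))
```

The last sample address in the usage block is accepted by the substring rule even though it belongs to a different domain; the anchored variant rejects it.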

User logging

These events are written to the system's authentication log (such as /var/log/auth.log), which allows Fail2ban to dynamically block offending IP addresses. Configuring the Fail2ban daemon, or a similar tool, to read and act on these entries must be done outside of WordPress; without that, the logging has no blocking effect.

Successful login This configures logging of successful logins for the various WordPress user roles. This is not meant for banning but for auditing. The sample Fail2ban configuration supplied with the Fail2WP plugin ignores these entries.
Unsuccessful login This configures logging of unsuccessful logins for the various WordPress user roles. The sample Fail2ban configuration supplied with the Fail2WP plugin triggers Fail2ban actions for these. This should typically include every user role that can create content or change settings on the site.
Unknown users This setting will make Fail2WP create log entries similar to those for unsuccessful logins when a login is attempted for a username that does not exist on the site.
Log user enum This setting will make Fail2WP create log entries for user enumeration attempts (i.e. your.site/...?author=nnn), which are often used to try to obtain information about users and usernames on the site. The sample Fail2ban configuration supplied with the Fail2WP plugin triggers Fail2ban actions for these.

REST API

Advanced

Cloudflare

Configure Fail2WP to detect and manage requests from Cloudflare proxied sites and visitors.

Import/Export

Allows you to import and export settings to easily deploy Fail2WP on multiple sites with identical or similar settings.

About

Some information about Fail2WP and WebbPlatsen i Sverige AB.

Fail2ban configuration

Fail2WP has functionality to allow the security daemon Fail2ban to block IP addresses from accessing websites on the server. It does this by writing entries to a system log, which is then scanned by Fail2ban. A sample Fail2ban filter is distributed with Fail2WP. You can use it more or less out of the box, or customize it to suit your needs. The sample file is called fail2wp.conf and should be placed in /etc/fail2ban/filter.d. A filter on its own does nothing; it has to be referenced by a jail (typically defined in /etc/fail2ban/jail.local) that names the log file Fail2WP writes to and sets maxretry, findtime and bantime for it.

Fail2WP does not interact with Fail2ban in any other way, it simply provides the data for Fail2ban to make decisions about possibly blocking remote IP addresses due to some sort of “error condition” caused by that remote IP address.

The sample Fail2ban configuration file distributed with the Fail2WP plugin creates only one definition (“fail2wp”) for Fail2ban to act upon. You may want to split this up into several definitions, which allows Fail2ban to treat different types of errors differently, for example banning user enumeration attempts on the first hit while allowing a few failed logins before banning.
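To make the mechanism in the “User logging” and “Fail2ban configuration” sections concrete, the following added example replays constructed log lines through two separate filter definitions using Fail2ban's own conventions: a failregex containing the <HOST> placeholder, and a ban once maxretry matches from one address fall within a findtime window. This is example code written for this page, not Fail2WP's or Fail2ban's code. The log line format, the process name fail2wp, the filter names and the thresholds are all assumptions for illustration; Fail2WP's real log format is not given on this page, so take the regexes from the sample fail2wp.conf shipped with the plugin rather than from here.

```python
"""Simulation of how Fail2ban turns log entries into bans: failregex with a
<HOST> placeholder, maxretry hits within findtime -> ban. Added example, not
Fail2WP's or Fail2ban's code. The log lines and regexes below are CONSTRUCTED
for this example and do not describe Fail2WP's real log format."""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical filter definitions, one per event type, as suggested above
# instead of the single "fail2wp" definition. <HOST> is Fail2ban's placeholder
# for the client address; Fail2ban replaces it with an address-matching group.
FILTERS = {
    "fail2wp-login": {
        "failregex": r"fail2wp\[\d+\]: Unsuccessful login for .* from <HOST>$",
        "maxretry": 3,
        "findtime": timedelta(minutes=10),
    },
    "fail2wp-enum": {
        "failregex": r"fail2wp\[\d+\]: User enumeration attempt from <HOST>$",
        "maxretry": 1,
        "findtime": timedelta(minutes=10),
    },
}

HOST_RE = r"(?P<host>[0-9a-fA-F:.]+)"   # loose IPv4/IPv6 matcher, enough for the example
# syslog-style timestamp at the start of each line, e.g. "Mar  3 10:15:01"
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")


def compile_filter(failregex: str) -> re.Pattern:
    """Expand <HOST> (simplified version of what Fail2ban does) and compile."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_timestamp(line: str, year: int = 2024) -> datetime:
    """Parse the syslog timestamp; syslog lines carry no year, so one is assumed."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError(f"no syslog timestamp: {line!r}")
    return datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")


def scan(lines, filters=FILTERS) -> dict:
    """Return {jail_name: [banned_ip, ...]} after replaying the log lines.

    An address is banned by a jail once it has maxretry matching entries whose
    timestamps fall within a sliding window of findtime, mirroring Fail2ban's
    counting logic (bantime and unbanning are not modelled)."""
    compiled = {name: compile_filter(f["failregex"]) for name, f in filters.items()}
    hits = {name: defaultdict(deque) for name in filters}
    banned = {name: [] for name in filters}
    for line in lines:
        ts = parse_timestamp(line)
        for name, rx in compiled.items():
            m = rx.search(line)
            if not m:
                continue
            ip = m.group("host")
            if ip in banned[name]:
                continue
            window = hits[name][ip]
            window.append(ts)
            # forget hits older than findtime before counting
            while window and ts - window[0] > filters[name]["findtime"]:
                window.popleft()
            if len(window) >= filters[name]["maxretry"]:
                banned[name].append(ip)
    return banned


# Constructed sample auth.log lines (NOT Fail2WP's actual format).
SAMPLE_LOG = """\
Mar  3 10:15:01 web1 fail2wp[1234]: Unsuccessful login for administrator from 203.0.113.5
Mar  3 10:15:09 web1 fail2wp[1234]: Unsuccessful login for admin from 203.0.113.5
Mar  3 10:15:20 web1 fail2wp[1234]: Successful login for role administrator: jane from 198.51.100.7
Mar  3 10:16:02 web1 fail2wp[1234]: Unsuccessful login for wpadmin from 203.0.113.5
Mar  3 10:40:00 web1 fail2wp[1234]: Unsuccessful login for root from 198.51.100.9
Mar  3 10:55:00 web1 fail2wp[1234]: Unsuccessful login for root from 198.51.100.9
Mar  3 11:20:00 web1 fail2wp[1234]: Unsuccessful login for root from 198.51.100.9
Mar  3 11:21:00 web1 fail2wp[1234]: User enumeration attempt from 2001:db8::17
""".splitlines()

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Replaying the sample lines bans 203.0.113.5 in the login jail (three failures within a minute), bans 2001:db8::17 in the enumeration jail on its first hit, ignores the successful login entirely, and does not ban 198.51.100.9 because its three failures are spread over 40 minutes and never accumulate within the 10-minute findtime. That last case is the practical reason for tuning findtime and maxretry per jail rather than sharing one definition.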