This WordPress plugin provides security functionality and integration with Fail2ban.
Basic security functionality includes:
- Disabling login with username (require e-mail address)
- Preventing user enumeration (?author=nnn)
- Less detailed error messages on login failures
- Minimum username length
- Blocking specific usernames from being used to register new users
- Requiring e-mail address matching for new user registrations
- Warning about new user role setting
- Blocking of portions or all of the WordPress REST API
- Disabling of RSS and Atom feeds
- Removal of “Generator” information from HTML and feeds
- Detection of Cloudflare IP addresses for logging of actual IP addresses
- Blocking/Allowing logins from IP addresses, IP ranges, and/or hostnames
- Partially or fully disabling XML-RPC access
The plugin also plays nicely with Fail2ban, which is an advanced way of blocking IP addresses dynamically upon suspicious behavior.
Other notes:
- This plugin may work with earlier versions of WordPress
- This plugin optionally makes use of the mb_*() (multibyte string) PHP functions
- Compatible with WordPress 5.5+ and WordPress 6.2+
- Compatible with PHP 7.2, 7.4, and 8.1.20
- This plugin may create entries in your PHP error log (if active)
- This plugin contains no JavaScript
- This plugin contains no tracking code and does not store any information about users
Fail2WP on wordpress.org:
wordpress.org/plugins/fail2wp/
Smoke tests for Fail2WP:
plugintests.com/plugins/wporg/fail2wp/latest