
Summary
fail2ban is one of the simplest and most effective security measures you can implement to protect your WordPress site.
WP fail2ban provides the link between WordPress and fail2ban:
Oct 17 20:59:54 foobar wordpress(www.example.com)[1234]: Authentication failure for admin from 192.168.0.1
Oct 17 21:00:00 foobar wordpress(www.example.com)[2345]: Accepted password for admin from 192.168.0.1
WPf2b ships with three fail2ban filters: wordpress-hard.conf, wordpress-soft.conf and wordpress-extra.conf. They are designed to allow a split between immediate banning (hard) and the traditional, more graceful approach (soft), with extra rules for custom configurations.
Features
Failed Login Attempts
The first feature of WPf2b: logging failed login attempts so the IP address can be banned. Still very useful today.
Block User Enumeration
User enumeration is one of the most common precursors to a password-guessing brute force attack. WPf2b can block it, stopping the attack before it starts.
Block Username Logins
Sometimes user enumeration cannot be blocked (for example, if your theme provides author profiles). WPf2b can require users to log in with their email address instead of their username.
Blocking Users
One of the older WPf2b features: the login process can be aborted for specified usernames.
Suppose a bot collected your site's usernames before you blocked user enumeration. Once you have changed all the usernames, add the old ones to the list; anything using them will trigger a “hard” fail.
Empty Username Login Attempts
Some bots try to log in without a username; harmless, but annoying. These attempts are logged as a “soft” fail, so the more persistent bots will be banned.
Spam
WPf2b logs a spammer's IP address as a “hard” fail when their comment is marked as spam; the Premium version also logs the IP address when Akismet discards “obvious” spam.
Attempted Comments
Some spam bots try to comment on anything, even things that do not exist. WPf2b detects these and logs them as a “hard” fail.
Pingbacks
Pingbacks are a great feature, but they can be abused to attack other sites. WPf2b effectively rate-limits potential attackers by logging the IP address as a “soft” fail.
Block XML-RPC Requests [Premium]
Other than Pingbacks, the only reason most sites need XML-RPC is Jetpack; WPf2b Premium can block XML-RPC while allowing Jetpack and/or Pingbacks.
Block Countries [Premium]
Sometimes you need a bigger hammer: if you only see attacks from certain countries, block them!
Cloudflare and Proxy Servers
WPf2b works with Cloudflare, and the Premium version configures it automatically.
Install: search for “WP fail2ban – Advanced Security” in the WordPress admin backend and install it directly (recommended).
Original plugin description
fail2ban is one of the simplest and most effective security measures you can implement to protect your WordPress site.
WP fail2ban provides the link between WordPress and fail2ban:
Oct 17 20:59:54 foobar wordpress(www.example.com)[1234]: Authentication failure for admin from 192.168.0.1
Oct 17 21:00:00 foobar wordpress(www.example.com)[2345]: Accepted password for admin from 192.168.0.1
WPf2b comes with three fail2ban filters: wordpress-hard.conf, wordpress-soft.conf, and wordpress-extra.conf. These are designed to allow a split between immediate banning (hard) and the traditional more graceful approach (soft), with extra rules for custom configurations.
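As an added example (not code from the plugin, and not one of its shipped filters), the following Python emulates what a fail2ban jail does with the syslog lines shown above: a constructed failregex written in fail2ban's `<HOST>` placeholder style, a findtime window and a maxretry threshold. The filter pattern, the IPv4-only host pattern, the year (syslog timestamps carry none) and the sample log lines are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failregex in fail2ban style (assumption, not wordpress-soft.conf):
# <HOST> is the placeholder fail2ban replaces with its host pattern.
FAILREGEX = r"wordpress\([^)]+\)\[\d+\]: Authentication failure for \S+ from <HOST>$"
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"  # IPv4 only, kept short on purpose
SYSLOG_TS = "%b %d %H:%M:%S"                         # "Oct 17 20:59:54"

# Constructed sample log in the format WPf2b writes to syslog.
SAMPLE_LOG = """\
Oct 17 20:59:54 foobar wordpress(www.example.com)[1234]: Authentication failure for admin from 192.168.0.1
Oct 17 21:00:00 foobar wordpress(www.example.com)[2345]: Accepted password for admin from 192.168.0.1
Oct 17 21:00:10 foobar wordpress(www.example.com)[2346]: Authentication failure for admin from 10.0.0.7
Oct 17 21:00:12 foobar wordpress(www.example.com)[2347]: Authentication failure for editor from 10.0.0.7
Oct 17 21:30:00 foobar wordpress(www.example.com)[2348]: Authentication failure for admin from 10.0.0.7
Oct 17 21:30:01 foobar wordpress(www.example.com)[2349]: Authentication failure for root from 10.0.0.7
Oct 17 21:30:02 foobar wordpress(www.example.com)[2350]: Authentication failure for test from 10.0.0.7
""".splitlines()


def compile_failregex(pattern: str) -> re.Pattern:
    """Expand the <HOST> placeholder the way fail2ban does, then compile."""
    return re.compile(pattern.replace("<HOST>", HOST_PATTERN))


def parse_line(line: str, year: int = 2023):
    """Split a syslog line into (timestamp, rest); the year is assumed."""
    ts = datetime.strptime(line[:15], SYSLOG_TS).replace(year=year)
    return ts, line[16:]


def bans(lines, failregex=FAILREGEX, maxretry=5, findtime=600, year=2023):
    """Return {host: time_of_ban} for hosts with maxretry matches inside findtime seconds."""
    rx = compile_failregex(failregex)
    hits = defaultdict(list)   # host -> timestamps still inside the window
    banned = {}
    for line in lines:
        ts, msg = parse_line(line, year)
        m = rx.search(msg)
        if not m:              # "Accepted password ..." never counts as a failure
            continue
        host = m.group("host")
        if host in banned:
            continue
        window = [t for t in hits[host] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)      # drop stale hits, keep this one
        hits[host] = window
        if len(window) >= maxretry:
            banned[host] = ts
    return banned
```

With maxretry=3 only 10.0.0.7 is banned, and only at 21:30:02: its two failures at 21:00 fell outside the 600-second window by the time the next burst arrived.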
Features
Failed Login Attempts
The very first feature of WPf2b: logging failed login attempts so the IP can be banned. Just as useful today as it was then.
Block User Enumeration
One of the most common precursors to a password-guessing brute force attack is user enumeration. WPf2b can block it, stopping the attack before it starts.
Block username logins
Sometimes it’s not possible to block user enumeration (for example, if your theme provides Author profiles). WPf2b can require users to log in with their email address instead of their username.
Blocking Users
Another of the older WPf2b features: the login process can be aborted for specified usernames.
Say a bot collected your site’s usernames before you blocked user enumeration. Once you’ve changed all the usernames, add the old ones to the list; anything using them will trigger a “hard” fail.
Empty Username Login Attempts
Some bots will try to log in without a username; harmless, but annoying. These attempts are logged as a “soft” fail so the more persistent bots will be banned.
Spam
WPf2b will log a spammer’s IP address as a “hard” fail when their comment is marked as spam; the Premium version will also log the IP when Akismet discards “obvious” spam.
Attempted Comments
Some spam bots try to comment on everything, even things that aren’t there. WPf2b detects these and logs them as a “hard” fail.
Pingbacks
Pingbacks are a great feature, but they can be abused to attack the rest of the WWW. Rather than disable them completely, WPf2b effectively rate-limits potential attackers by logging the IP address as a “soft” fail.
Block XML‑RPC Requests [Premium]
The only reason most sites need XML‑RPC (other than Pingbacks) is for Jetpack; WPf2b Premium can block XML‑RPC while allowing Jetpack and/or Pingbacks.
Block Countries [Premium]
Sometimes you just need a bigger hammer – if you’re seeing nothing but attacks from some countries, block them!
Cloudflare and Proxy Servers
WPf2b will work with Cloudflare, and the Premium version will automatically update the list of Cloudflare IP addresses.
You can also configure your own list of trusted proxies.
syslog Dashboard Widget
Ever wondered what’s being logged? The dashboard widget shows the last 5 messages; the Premium version keeps a full history to help you analyse and prevent attacks.
Site Health Check
WPf2b will (try to) check that your fail2ban configuration is sane and that the filters are up to date; out-of-date filters are the primary cause of WPf2b not working as well as it can.
When did you last run the Site Health tool?
mu-plugins Support
WPf2b can easily be configured as a “must-use plugin” – see Configuration.
API to Extend WPf2b
If your plugin can detect behaviour which should be blocked, why reinvent the wheel?
Event Hooks [Premium]
Need to do something special when WPf2b detects a particular event? There’s a hook for that.
Premium
Web Application Firewall (WAF)
Akismet support.
Block XML‑RPC while allowing Jetpack and/or Pingbacks.
Block Countries.
Auto-update Cloudflare IPs.
Event log.
Event hooks.
