WordPress Security: Part 2 (Or Why fail2ban Rocks)
I wrote previously about a few simple steps for stopping basic attacks in a wordpress install.
Back then I was just dipping my feet into the world of wordpress, and while the steps I outlined there are a solid first step for any noob to take, as I noted in the article they seemed quite dissatisfactory.
In particular, the security plugins touted for wordpress installs are a rather inefficient and slow method of instituting an auto-blocking strategy for malicious bots and other crackers. (That is if you can get the plugin to do its job in the first place, harder than you would think IMHO ;P).
Since the primary annoyance of these bots is that they put a drag on your sites performance, the fact that they are being ‘blocked’ does little good if the blocking itself still eats up the resources of the server.
So after noticing my site was still being overwhelmed by xmlrpc attacks I finally decided to look more deeply into fail2ban, an open source program which auto-scans log files for suspicious activity and institutes automatic bans at the firewall level of the network. This is oodles and oodles more efficient than doing it from a php process (like most wordpress plugins) or even server side (ie: blocking requests through blacklists in apache or nginx).
Rather than produce yet another guide on how to do the installation, I will just point you to two links which are both quite good.
- Block WordPress xmlprc.php DDOS attacks using Fail2Ban
- How To Protect WordPress with Fail2Ban on Ubuntu 14.04
The first article makes no use of any plugin (sweet, aren’t you tired of plugins?). It directly reads the server logs (for example apache or nginx).
The second is plugin based but does not do the actual blocking in the plugin so it’s still performant (the plugin only does some logging to a file and provides configs to fail2ban which tell it how to do the pattern matching).
Although both methods appear to be quite effective, my personal preference is for the first method, as it strikes me as a bit easier to understand exactly what it is doing, and is also one less plugin to worry about breaking your wordpress install. To really know what the second one does you’d need to take the extra step of looking into the plugin code itself which contains the logging logic.
Finally, it’s worth emphasizing that fail2ban is much more than a tool for protecting wordpress. It already comes preconfigured with rules that can be enabled for ssh, nginx, apache, you name. Anything network related that produces logs is game. So it’s really something that should be viewed as part of a more general networking security strategy for servers.