3.4. mu-plugins Support

There are two main reasons for using mu-plugins:

  1. You need to load WPf2b before other security plugins [1],
  2. You don’t trust the site administrators.

3.4.1. Loading Early

One of the better ways is to install WPf2b as usual and then create a symlink in mu-plugins:

lrwxr-xr-x  1  www  www  38  4 Nov 16:24 wp-fail2ban.php -> ../plugins/wp-fail2ban/wp-fail2ban.php

or for the Premium version:

lrwxr-xr-x  1  www  www  38  4 Nov 16:24 wp-fail2ban.php -> ../plugins/wp-fail2ban-premium/wp-fail2ban.php

This has the advantage that you can update WPf2b as usual without having to update mu-plugins directly. For the free version you don’t need to activate WPf2b, but you do for the Premium version.

3.4.2. Forcing Usage

The main objective here is to stop people fiddling with things, so there are necessarily some restrictions on configuring WPf2b.

WPf2b must be configured in wp-config.php - you can’t use the Premium config UI; not only does it make no sense, it won’t work [2].

The actual configuration itself is simple; for the Free version:

  1. Extract the Free version of WPf2b into a directory called wp-fail2ban within mu-plugins.
  2. symlink wp-fail2ban.php:
lrwxr-xr-x  1  www  www  38  4 Nov 16:24 wp-fail2ban.php -> wp-fail2ban/wp-fail2ban.php
  1. Keep WPf2b up-to-date.

For the Premium version:

  1. Extract the Premium version of WPf2b into a directory called wp-fail2ban-premium within mu-plugins.
  2. symlink wp-fail2ban.php:
lrwxr-xr-x  1  www  www  38  4 Nov 16:24 wp-fail2ban.php -> wp-fail2ban-premium/wp-fail2ban.php
  1. Keep WPf2b up-to-date.

3.4.2.1. Keeping WPf2b up-to-date

It’s that last step that catches out most people - WordPress doesn’t check mu-plugins for updates, so by configuring WPf2b in this way you are taking responsibility for keeping WPf2b up-to-date. I do my best, but I cannot guarantee there will never be a critical problem with WPf2b - you and you alone are responsible for checking for updates and installing them.

Footnotes

[1]For example, WordFence, which assumes it’s the only one.
[2]It may look like it works now, but in a future release it will be blocked.