Filters

Tags

Tag

Description

F-SITE

The site name in the syslog identifier (FQDN or <domain-name>/<site-name> for multisite).

F-SITE_INLINE

The site name in the message body (FQDN or <domain-name>/<site-name> for multisite).

F-ALT_USER

The username.

F-HTTP_STATUS

The HTTP status code.

F-ISO_CODE

The ISO 3166-1 alpha-2 code of the country.

F-POST_ID

The ID of the post.

F-POST_STATUS

The status of the post: non-existent, closed, trashed, draft, password-protected.

F-COMMENT_ID

The ID of the Comment, Pingback, or Trackback.

F-REQUEST_PATH

The path of the request.

F-ERRCODE

The error code.

F-TRACKBACK_URL

The URL of the Trackback sent.

F-PINGBACK_URL

The URL of the Pingback sent.

F-PINGBACK_FROM_URL

The URL of the Pingback sender.

F-PINGBACK_TO_URL

The URL of the Pingback receiver.

History

Added in version 6.0.0.

Files

wordpress-hard.conf

Note

This filter is auto-generated.

# Fail2Ban filter for hard failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (?:wordpress|wp)
_tail = (?: on <F-SITE_INLINE>\S+(?:/\S+)?</F-SITE_INLINE>)? from <ADDR>

failregex = ^%(__prefix_line)sBlocked user enumeration attempt<_tail>$
            ^%(__prefix_line)s(?:REST|XML-RPC) authentication attempt for unknown user <F-ALT_USER>.*</F-ALT_USER><_tail>$
            ^%(__prefix_line)sBlocked authentication attempt for <F-ALT_USER>.*</F-ALT_USER><_tail>$
            ^%(__prefix_line)sPingback error <F-ERRCODE>\d+</F-ERRCODE> generated by "<F-PINGBACK_FROM_URL>.*</F-PINGBACK_FROM_URL>" to "<F-PINGBACK_TO_URL>.*</F-PINGBACK_TO_URL>"<_tail>$
            ^%(__prefix_line)sXML-RPC request blocked<_tail>$
            ^%(__prefix_line)sXML-RPC multicall authentication failure<_tail>$
            ^%(__prefix_line)sBlocked access <F-HTTP_STATUS>\d\d\d</F-HTTP_STATUS> from country '<F-ISO_CODE>..</F-ISO_CODE>'<_tail>$
            ^%(__prefix_line)sAttempted access to honeypot \(robots.txt: <F-REQUEST_PATH>.*?</F-REQUEST_PATH>\)<_tail>$
            ^%(__prefix_line)sAkismet discarded spam comment<_tail>$
            ^%(__prefix_line)sImmediately block connections<_tail>$
            ^%(__prefix_line)sTrackback failed for post <F-POST_ID>\d+</F-POST_ID> by "<F-TRACKBACK_URL>.+</F-TRACKBACK_URL>"<_tail>$
            ^%(__prefix_line)sSpam <F-COMMENT_TYPE>.+</F-COMMENT_TYPE> <F-COMMENT_ID>\d+</F-COMMENT_ID><_tail>$
            ^%(__prefix_line)sUntrusted X-Forwarded-For header<_tail>$

ignoreregex =

journalmatch = SYSLOG_IDENTIFIER=wordpress

# DEV Notes:
# Requires the 'WP fail2ban' plugin:
# https://wp-fail2ban.com/
#
# Author: Charles Lecklider
# Version: 6.0.1
# Build Date: 2025-10-25T21:26:38+00:00

wordpress-soft.conf

Note

This filter is auto-generated.

# Fail2Ban filter for soft failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (?:wordpress|wp)
_tail = (?: on <F-SITE_INLINE>\S+(?:/\S+)?</F-SITE_INLINE>)? from <ADDR>

failregex = ^%(__prefix_line)sAuthentication attempt with empty username<_tail>$
            ^%(__prefix_line)sBlocked username authentication attempt for <F-ALT_USER>.*</F-ALT_USER><_tail>$
            ^%(__prefix_line)s(?:REST|XML-RPC) authentication failure for <F-ALT_USER>.*</F-ALT_USER><_tail>$
            ^%(__prefix_line)sAuthentication (?:failure for|attempt for unknown user) <F-ALT_USER>.*</F-ALT_USER><_tail>$
            ^%(__prefix_line)sComment attempt on <F-POST_STATUS>(?:non-existent|closed|trashed|draft|password-protected|unapproved comment)</F-POST_STATUS>(?:(?<=unapproved comment) <F-COMMENT_ID>\d+</F-COMMENT_ID> on post|(?<!unapproved comment) post) <F-POST_ID>\d+</F-POST_ID><_tail>$
            ^%(__prefix_line)sPingback <F-COMMENT_ID>\d+</F-COMMENT_ID> on post <F-POST_ID>\d+</F-POST_ID> by "<F-PINGBACK_FROM_URL>.+</F-PINGBACK_FROM_URL>"<_tail>$
            ^%(__prefix_line)sTrackback <F-COMMENT_ID>\d+</F-COMMENT_ID> on post <F-POST_ID>\d+</F-POST_ID> by "<F-TRACKBACK_URL>.+</F-TRACKBACK_URL>"<_tail>$
            ^%(__prefix_line)sFailed password reset(?: for(?: (?:unknown user )?<F-ALT_USER>.*</F-ALT_USER>))?<_tail>$

ignoreregex =

journalmatch = SYSLOG_IDENTIFIER=wordpress

# DEV Notes:
# Requires the 'WP fail2ban' plugin:
# https://wp-fail2ban.com/
#
# Author: Charles Lecklider
# Version: 6.0.1
# Build Date: 2025-10-25T21:26:38+00:00

wordpress-extra.conf

Note

This filter is auto-generated.

# Fail2Ban filter for extra failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (?:wordpress|wp)
_tail = (?: on <F-SITE_INLINE>\S+(?:/\S+)?</F-SITE_INLINE>)? from <ADDR>

failregex = ^%(__prefix_line)sComment <F-COMMENT_ID>\d+</F-COMMENT_ID><_tail>$
            ^%(__prefix_line)sPassword reset requested for <F-ALT_USER>.*</F-ALT_USER><_tail>$

ignoreregex =

journalmatch = SYSLOG_IDENTIFIER=wordpress

# DEV Notes:
# Requires the 'WP fail2ban' plugin:
# https://wp-fail2ban.com/
#
# Author: Charles Lecklider
# Version: 6.0.1
# Build Date: 2025-10-25T21:26:38+00:00

wordpress-wpf2b-waf.conf

Note

This filter is auto-generated.

# Fail2Ban filter for wpf2b-waf failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (?:wordpress|wp)
_tail = (?: on <F-SITE_INLINE>\S+(?:/\S+)?</F-SITE_INLINE>)? from <ADDR>

prefregex = ^%(__prefix_line)sWAF\[blocked\] <F-CONTENT>.*</F-CONTENT>$

failregex = ^update_option\(<F-OPTION_NAME>.*?</F-OPTION_NAME>\)="<F-OPTION_VALUE>.*</F-OPTION_VALUE>"<_tail>$
            ^attempt to delete user <F-ALT_USER>.*</F-ALT_USER> \(<F-ALT_USER_ID>\d+</F-ALT_USER_ID>\)<_tail>$
            ^SQLi<_tail>$

ignoreregex =

journalmatch = SYSLOG_IDENTIFIER=wordpress

# DEV Notes:
# Requires the 'WP fail2ban' plugin:
# https://wp-fail2ban.com/
#
# Author: Charles Lecklider
# Version: 6.0.1
# Build Date: 2025-10-25T21:26:38+00:00