3. Installation

3.1. Overview

WP fail2ban installs like any other WordPress plugin; in most cases, you don’t need to do anything differently.

However, recent changes in the WordPress ecosystem mean you should carefully consider which flavour [1] of WP fail2ban is right for you.

Starting with version 5.4.0, there is a Canonical flavour (GitHub) and a WordPress.org flavour (LTS).

This decision is a response to increasing security concerns regarding the WordPress Plugin Directory, notably the recent supply chain attack on Advanced Custom Fields (ACF). You can read more about the changes in this blog post.

3.1.1. Canonical Flavour (GitHub)

The latest stable version, updated with new features and security patches, is hosted on GitHub. This is the recommended flavour.

3.1.2. WordPress.org Flavour (LTS)

The version hosted on WordPress.org will focus on long-term stability. It will receive bug fixes and compatibility updates to support newer versions of WordPress and will support PHP 7.4 for as long as possible, but it will generally lag at least one major version behind Canonical.

3.2. Installation Methods

Depending on your workflow and preferences, there are several ways to install WP fail2ban:

3.2.1. Canonical Flavour (GitHub)

3.2.1.1. ZIP file from GitHub

This is the simplest method, and the best option if you already have the LTS flavour installed:

  • Download the latest release directly from GitHub releases.

  • Optionally (but recommended), verify the signature of the zip file.

  • Upload the zip file to your WordPress installation.

3.2.1.2. Install via Composer

Add the following to your composer.json file:

"require": {
    "wp-fail2ban/wp-fail2ban": "@stable"
}

or, from the command line,

composer require wp-fail2ban/wp-fail2ban

3.2.1.3. Install with WP-CLI

This method requires the Git Updater plugin. From the command line, run:

wp plugin install-git wp-fail2ban

3.3. LTS Flavour

Install through the WordPress Plugin Directory as usual.

3.4. Premium Flavour

The Premium flavour of WP fail2ban can be downloaded from Freemius and installed as a zip file, or installed via Composer. Details for installation using Composer can be found on the Members page.

Activating WP fail2ban Premium will create two database tables:

  • wp_fail2ban_log

  • wp_fail2ban_plugins

Note that WP fail2ban Premium never drops these database tables.

3.5. Self-Updater and Signed Releases

Version 5.4.0 introduced a self-updater in the Canonical flavour, making it easy to keep the plugin up to date without the WordPress Plugin Directory; the Premium version already supported self-updates. If the Git Updater plugin or Composer is detected, it will take precedence.

In addition, signed releases are now part of the update process. Both release tags and archives are signed, allowing you to verify the authenticity of the plugin before installing it. While this verification process is currently manual, automated verification is planned.
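One fail-closed way to script the manual archive check described above, as an added example that is not part of the WP fail2ban documentation or code. It assumes the archive comes with a detached OpenPGP signature verified with gpg (the page does not name the signing scheme); the function names, file arguments and pinned fingerprint are hypothetical placeholders.

```bash
#!/usr/bin/env bash
# Added example, not project code. ASSUMPTION: the release archive ships with a
# detached OpenPGP signature; the page does not name the signing scheme.

# Reads `gpg --status-fd` output on stdin. Succeeds only when a VALIDSIG line
# names the pinned primary-key fingerprint ($1) and nothing reports a bad,
# unverifiable, expired-key or revoked-key signature.
status_matches_pin() {
    local pin
    pin=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$pin" ] || return 1
    awk -v pin="$pin" '
        $1 != "[GNUPG:]" { next }
        # Field 12 of VALIDSIG is the primary key fingerprint (field 3 may be a subkey).
        $2 == "VALIDSIG" { if (toupper($12) == pin) ok = 1; else bad = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_release <archive.zip> <archive.zip.sig> <signing-key.asc> <pinned-fingerprint>
# All four arguments are placeholders supplied by the caller; the fingerprint
# must come from a channel you trust, not from the same download.
verify_release() {
    local archive="$1" sig="$2" keyfile="$3" pin="$4" home status
    [ -f "$archive" ] && [ -f "$sig" ] && [ -f "$keyfile" ] || return 2
    command -v gpg >/dev/null 2>&1 || return 2
    home=$(mktemp -d) || return 2
    # Throwaway keyring: keys already in ~/.gnupg cannot satisfy the check.
    status=$(gpg --homedir "$home" --batch --quiet --import "$keyfile" 2>/dev/null &&
             gpg --homedir "$home" --batch --status-fd 1 --verify "$sig" "$archive" 2>/dev/null) || true
    rm -rf "$home"
    printf '%s\n' "$status" | status_matches_pin "$pin"
}

# Run as a script: exit status 0 means the signature verified against the pin.
if [ "$#" -eq 4 ]; then
    verify_release "$@"
fi
```

Pinning the primary-key fingerprint, rather than accepting any good signature, means a signature from a different key that happens to be importable is rejected.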

Footnotes