3. Installation
3.1. Overview
WP fail2ban installs like any other WordPress plugin; in most cases, you don’t need to do anything differently.
However, recent changes in the WordPress ecosystem mean you should carefully consider which flavour [1] of WP fail2ban is right for you.
Starting with version 5.4.0, there is a Canonical flavour (GitHub) and a WordPress.org flavour (LTS).
This decision is a response to increasing security concerns regarding the WordPress Plugin Directory, notably the recent supply chain attack on Advanced Custom Fields (ACF). You can read more about the changes in this blog post.
3.1.1. Canonical Flavour (GitHub)
The latest stable version, updated with new features and security patches, is hosted on GitHub. This is the recommended flavour.
3.1.2. WordPress.org Flavour (LTS)
The version hosted on WordPress.org will focus on long-term stability. It will receive bug fixes and compatibility updates to support newer versions of WordPress and will support PHP 7.4 for as long as possible, but it will generally lag at least one major version behind Canonical.
3.2. Installation Methods
Depending on your workflow and preferences, there are several ways to install WP fail2ban:
3.2.1. Canonical Flavour (GitHub)
3.2.1.1. ZIP file from GitHub
This is the simplest method, and the best option if you already have the LTS flavour installed:
1. Download the latest release directly from GitHub releases.
2. Optionally (but recommended), verify the signature of the zip file.
3. Upload the zip file to your WordPress installation.
3.2.1.2. Install via Composer
Add the following to your composer.json file:
    "require": {
        "wp-fail2ban/wp-fail2ban": "@stable"
    }
or, from the command line,
    composer require wp-fail2ban/wp-fail2ban
3.2.1.3. Install with WP-CLI
This method requires the Git Updater plugin. From the command line, run:
    wp plugin install-git wp-fail2ban
3.3. LTS Flavour
Install through the WordPress Plugin Directory as usual.
3.5. Self-Updater and Signed Releases
With version 5.4.0, a self-updater has been introduced in the Canonical flavour, making it easy to keep the plugin up to date without the WordPress Plugin Directory; the Premium version already supported self-updates. If the Git Updater plugin or Composer is detected, it will take precedence.
In addition, signed releases are now part of the update process. Both release tags and archives are signed, allowing you to verify the authenticity of the plugin before installing it. While this verification process is currently manual, automated verification is planned.
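The manual signature check mentioned in 3.2.1.1 and in this section can be scripted so that an archive is only uploaded when it was signed by a key you pinned in advance. The following is an added example, not code from WP fail2ban or its documentation. It assumes the archive ships with a detached OpenPGP signature checked with GnuPG (the page does not name the signature format); the file names, fingerprint and sample status lines are constructed placeholders.

```shell
#!/bin/sh
# Added example. ASSUMPTIONS (not stated in the WP fail2ban docs): the archive
# has a detached OpenPGP signature; file names and fingerprint are placeholders.

# sig_status_ok STATUS_TEXT PINNED_FPR
# Accept only if GnuPG's --status-fd output has a VALIDSIG line made by the
# pinned key and no line reporting a bad, expired or revoked signature/key.
sig_status_ok() {
    pinned=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    # Require a full fingerprint; short key IDs are not safe to pin.
    [ "${#pinned}" -ge 40 ] || return 1
    printf '%s\n' "$1" | awk -v want="$pinned" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint, the last field
        # is the primary key fingerprint.
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { good = 1 }
        END { if (good && !bad) exit 0; exit 1 }
    '
}

# verify_release ZIP SIG PINNED_FPR
# Returns 0 only when SIG is a valid signature over ZIP by the pinned key.
verify_release() {
    # Machine-readable status goes to stdout; gpg exits non-zero on failure,
    # so "|| true" lets sig_status_ok make the decision.
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    sig_status_ok "$status" "$3"
}

# Constructed sample of gpg status output (not real release data).
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2025-01-01 1735689600 0 4 0 1 10 00 $SAMPLE_FPR"
# Same signature, but the key has expired: gpg reports EXPKEYSIG, not GOODSIG.
SAMPLE_EXPIRED="[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2025-01-01 1735689600 0 4 0 1 10 00 $SAMPLE_FPR"

# Usage (placeholder file names):
#   verify_release plugin.zip plugin.zip.asc "$PINNED_FPR" || exit 1
```

Checking the fingerprint on the VALIDSIG line, rather than gpg's exit status alone, is what ties the archive to the project's key instead of to any key that happens to be in the local keyring.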
Footnotes