FAIL2BAN - Filter.d - http-wordpress





! Customize these patterns to your own site before enabling the jail: any pattern that matches a request your legitimate visitors or administrators make will ban them, and with maxretry = 1 a single match is enough. !

Filter (/etc/fail2ban/filter.d/http-wordpress.conf)

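[Definition]
# /etc/fail2ban/filter.d/http-wordpress.conf
# WordPress specific attack patterns, for an nginx access log.
#
# How fail2ban reads this file (Python configparser underneath):
#   - every non-empty line of a multi-line failregex is compiled and applied
#     as a SEPARATE regex, so each line must be a complete pattern and must
#     contain <HOST>; a lone "^<HOST>.*(" line and a closing ")" on a line of
#     its own do not work (the first fails to compile, the second does not
#     even parse as a key/value line);
#   - only "; " (semicolon after a space) starts an inline comment; a trailing
#     "# ..." becomes part of the regex, so notes go on lines of their own
#     (full-line comments inside the value are skipped by the parser);
#   - continuation lines must stay indented.
#
# Assumed log format: nginx "combined", i.e. the line begins with $remote_addr
# and the request line is the first double-quoted field:
#   203.0.113.9 - - [10/Oct/2000:13:55:36 +0000] "GET /xmlrpc.php HTTP/1.1" 200 ...
# For another log_format adjust _req below.  If nginx sits behind a reverse
# proxy or CDN, make it log the real client address first
# (ngx_http_realip_module); otherwise <HOST> is the proxy's address and the
# ban locks the proxy -- and with it every visitor -- out.
#
# Scope: only request targets that a legitimate visitor or administrator never
# asks for.  A normal page view fetches /wp-content/themes/..., plugin CSS/JS
# under /wp-content/plugins/..., images under /wp-content/uploads/,
# /wp-includes/*.js, /wp-admin/admin-ajax.php and /wp-json/...; administrators
# use /wp-login.php, /wp-admin/*, theme-editor.php and plugin-editor.php.
# "Catch-all" patterns on those paths ban your own users (and you) on the
# first request.  Brute-force detection for wp-login.php / xmlrpc.php needs a
# separate jail that COUNTS attempts (maxretry > 1); this filter bans on sight,
# so those endpoints are deliberately not listed.
# Direct hits on /wp-includes/*.php are usually scanner noise, but older
# releases and some plugins have requested such files legitimately -- check
# your own logs before adding them to a ban-on-first-hit filter.

# Prefix: <HOST> as the first field, then user fields, then the timestamp and
# the HTTP method of the request line.  The bracketed timestamp is optional
# because fail2ban may cut the matched date out of the line before failregex
# is applied, leaving "[]" or nothing in its place.
_req = ^<HOST> \S+ \S+\s+(?:\[[^\]]*\]\s*)?"(?:GET|POST|HEAD|PUT|PATCH|DELETE|OPTIONS)\s+

# The leading \S* lets the site live in a subdirectory (/blog/wp-config.php)
# and also catches the path when it is smuggled in a query string.
failregex = %(_req)s\S*/wp-admin/install\.php
            # wp-config.php is never served; this also catches editor/backup
            # copies left beside it (wp-config.php~, wp-config.php.bak, ...)
            %(_req)s\S*/wp-config\.php
            # PHP executed from the uploads tree = web shell dropped through an
            # upload bug; the lookahead still matches .php5 and x.php.jpg
            %(_req)s\S*/wp-content/uploads/\S*\.php(?![A-Za-z])
            # Common web-shell / eval-dropper file names, anywhere in the tree
            %(_req)s\S*/(?:wp-shell|eval|eval-base64|base64|backdoor|wp_filemanager)\.php
            # Pulling a plugin or theme as an archive leaks code and is not
            # something a browser does
            %(_req)s\S*/wp-content/(?:plugins|themes)/\S*\.(?:zip|tar)(?![A-Za-z])
            # Directory traversal attempts under wp-admin (raw request line,
            # so "../" arrives unnormalised)
            %(_req)s\S*/wp-admin/\S*\.\./

# If XML-RPC is disabled on this site (no Jetpack, no mobile app), any hit on
# it is hostile and this line can be added to failregex:
#   %(_req)s\S*/xmlrpc\.php

ignoreregex =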


Jail (put this in /etc/fail2ban/jail.local or /etc/fail2ban/jail.d/, not jail.conf, which the package replaces on upgrade)

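[http-wordpress]
# Lives in jail.local or jail.d/http-wordpress.conf; jail.conf is replaced
# on package upgrade.
enabled = true
# /etc/fail2ban/filter.d/http-wordpress.conf -- fail2ban defaults the filter
# to the jail name, spelled out here so the pairing is explicit.
filter = http-wordpress
# Ban on every port, not just HTTP: a matching request is a probe, not use of
# the site.  With maxretry = 1 below, one false positive locks an address out
# of the whole host for bantime, so keep the filter strict and list your own
# administrative addresses in ignoreip.
# %(banaction_allports)s is defined in the stock [DEFAULT] section of jail.conf.
banaction = %(banaction_allports)s
# nginx access log(s); the filter expects the client address as the first
# field.  Behind a reverse proxy or CDN, log the real client address or the
# proxy itself gets banned.
logpath = /var/log/nginx/*.access.log
# A single matching request bans.  findtime only matters when maxretry > 1,
# so the value below is inert until maxretry is raised.
maxretry = 1
bantime = 1d
findtime = 3d
# Poll the files instead of inotify/systemd; fine for a handful of logs.
backend = polling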