WordPress is the most widely used content management system, powering over 40% of all websites worldwide. This popularity makes WordPress a primary target for malicious bots, hackers, and brute-force attacks. Securing your WordPress site involves both application-level and server-level protection. Tools like Wordfence, a leading WordPress security plugin, can block malicious activity at the application layer and log these incidents in detail. However, combining Wordfence logs with server-level tools such as IPTables, CSF (ConfigServer Security & Firewall), or Fail2Ban ensures stronger security and automation of IP banning at the server level.

At ENGINYRING, we have extensive experience helping clients secure their WordPress environments by combining application and server-level security measures. This guide will show you how to configure your server tools to read Wordfence logs and block abusers automatically. Whether you're running a RHEL-based system (e.g., CentOS, AlmaLinux, Rocky Linux) or a Debian-based system (e.g., Ubuntu, Debian), we’ve got you covered.

Why Combine Wordfence Logs with Server-Level Tools?

Wordfence is an excellent plugin for securing WordPress at the application level, but it doesn’t act at the server layer. Tools like IPTables, CSF, or Fail2Ban can monitor Wordfence logs and enforce bans at the operating system level. Here’s why combining these tools enhances security:

  • Reduced Resource Usage: Server-level tools block malicious IPs before they reach WordPress, reducing the load on your application and database servers.
  • Expanded Protection: Tools like IPTables and CSF block abusive IPs across all server services, including SSH, FTP, and HTTP/S.
  • Automated Responses: Integrating Wordfence logs allows tools like Fail2Ban or CSF to automatically block IPs flagged by Wordfence without manual intervention.

Step 1: Preparing Wordfence Logs and Installing Server Tools

Before integrating Wordfence logs with server-level tools, ensure that logging is enabled in Wordfence and install the required tools on your server.

1.1 Enabling Wordfence Logs

Wordfence logs important details about malicious activities in the attack-log.json file, located in /wp-content/uploads/wflogs. To verify that Wordfence logging is enabled:

  1. Log in to your WordPress admin dashboard.
  2. Go to Wordfence > Tools > Live Traffic.
  3. Ensure that logging is enabled. If not, enable it to start capturing malicious activity.

1.2 Installing Required Tools

Install the necessary server tools based on your system:

For IPTables

IPTables is often pre-installed on Linux systems. To check its availability, run:

sudo iptables --version

If it’s not installed, use the following commands:

RHEL-based systems:

sudo yum install iptables -y

Debian-based systems:

sudo apt install iptables -y

For Fail2Ban

Fail2Ban scans log files for malicious patterns and automatically blocks IPs. Install Fail2Ban using:

RHEL-based systems:

sudo yum install epel-release -y
sudo yum install fail2ban -y

Debian-based systems:

sudo apt update
sudo apt install fail2ban -y

For CSF (ConfigServer Security & Firewall)

CSF is not included in Linux repositories and must be installed manually:

cd /usr/src
sudo wget https://download.configserver.com/csf.tgz
sudo tar -xzf csf.tgz
cd csf
sudo sh install.sh

Step 2: Configuring Fail2Ban to Monitor Wordfence Logs

Fail2Ban works by creating "jails" that monitor specific log files for malicious patterns. Here’s how to configure a Fail2Ban jail for Wordfence logs:

2.1 Create a Fail2Ban Jail

1. Open the Fail2Ban configuration file:

sudo nano /etc/fail2ban/jail.local

2. Add the following configuration:

[wordfence]
enabled = true
port = http,https
filter = wordfence
logpath = /var/www/html/wp-content/uploads/wflogs/attack-log.json
maxretry = 5
bantime = 3600
action = iptables-allports[name=Wordfence, protocol=all]

Replace /var/www/html with the path to your WordPress installation directory.

2.2 Create a Filter for Wordfence

1. Create a custom filter file:

sudo nano /etc/fail2ban/filter.d/wordfence.conf

2. Add the following filter definition:

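[Definition]
failregex = "ip":"<HOST>".*"blockType":"manual-block"
ignoreregex =

This regex matches entries in attack-log.json that Wordfence flagged as manual-block. Fail2Ban reads the IP address to ban from the <HOST> placeholder, which every failregex must contain.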

3. Restart Fail2Ban to apply the changes:

sudo systemctl restart fail2ban

Step 3: Configuring CSF to Read Wordfence Logs

CSF integrates well with Wordfence logs and can block malicious IPs using custom regex patterns. Follow these steps:

3.1 Enable Custom Log Monitoring in CSF

1. Open the CSF configuration file:

sudo nano /etc/csf/csf.conf

2. Enable custom log monitoring by setting:

LF_CUSTOMTRIGGER = 1

3. Restart CSF to apply the changes:

sudo systemctl restart csf

3.2 Add a Custom Regex for Wordfence

1. Open the custom regex configuration file:

sudo nano /etc/csf/regex.custom.pm

2. Add the following rule:

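# CUSTOM1_LOG in /etc/csf/csf.conf must be set to
# /var/www/html/wp-content/uploads/wflogs/attack-log.json so that lfd watches the file
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /"ip":"(\d+\.\d+\.\d+\.\d+)".*"blockType":"manual-block"/)) {
    # Description, offending IP, rule identifier, trigger level
    return ("Wordfence manual block", $1, "wordpress", "1");
}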

3. Restart CSF and lfd to apply the configuration (lfd is the daemon that reads regex.custom.pm):

sudo csf -ra

Step 4: Automating IPTables with a Custom Script

If you prefer not to use Fail2Ban or CSF, you can create a custom script to read Wordfence logs and block IPs using IPTables.

4.1 Create the Script

1. Open a new script file:

sudo nano /usr/local/bin/ban_wordfence_ips.sh

2. Add the following script:

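#!/bin/bash
# Ban every IP address recorded in the Wordfence attack log. Must run as root.
LOGFILE="/var/www/html/wp-content/uploads/wflogs/attack-log.json"
BANNED_IPS="/var/log/banned_ips.txt"

# Make sure the ban list exists so grep does not fail on the first run
touch "$BANNED_IPS"

# Extract unique IPv4 addresses and process them one at a time,
# without a predictable temporary file in /tmp
grep -Po '"ip":"\K[0-9.]+(?=")' "$LOGFILE" | sort -u | while read -r IP; do
    # -x matches the whole line and -F treats dots literally,
    # so 1.2.3.4 is not mistaken for 11.2.3.45
    if ! grep -qxF "$IP" "$BANNED_IPS"; then
        # Record the IP only if iptables accepted the rule
        iptables -A INPUT -s "$IP" -j DROP && echo "$IP" >> "$BANNED_IPS"
    fi
done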

3. Make the script executable:

sudo chmod +x /usr/local/bin/ban_wordfence_ips.sh

4.2 Schedule the Script with Cron

1. Open the crontab editor:

sudo crontab -e

2. Add the following line to run the script every hour:

0 * * * * /usr/local/bin/ban_wordfence_ips.sh
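
The Step 4 script bans every address that appears in the log, so an entry for your own admin address would lock you out. The following added example (not part of the original guide) keeps only manual-block entries, validates each address, and skips an allowlist; ALLOWLIST, the function names and the sample log lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: filter the Wordfence log down to IPs that are safe to ban.
# ALLOWLIST is a hypothetical space-separated list of addresses never to ban.
ALLOWLIST="203.0.113.10"

# Constructed sample lines in the format this guide's test entry uses.
# "other" is a made-up blockType standing in for any entry that is not a block.
SAMPLE_LOG='{"ip":"198.51.100.7","blockType":"manual-block"}
{"ip":"198.51.100.7","blockType":"manual-block"}
{"ip":"198.51.100.70","blockType":"manual-block"}
{"ip":"203.0.113.10","blockType":"manual-block"}
{"ip":"192.0.2.44","blockType":"other"}
{"ip":"999.1.1.1","blockType":"manual-block"}'

# valid_ipv4 IP: succeed only for four octets in 0..255 without leading zeros.
# The body runs in a subshell, so the IFS change does not leak to the caller.
valid_ipv4() (
    case "$1" in ''|*[!0-9.]*|*.) exit 1 ;; esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || exit 1
    for octet in "$@"; do
        case "$octet" in ''|0?*|????*) exit 1 ;; esac
        [ "$octet" -le 255 ] || exit 1
    done
)

# ban_candidates: read log lines on stdin, print each IP to ban once.
ban_candidates() {
    grep -F '"blockType":"manual-block"' \
        | sed -n 's/.*"ip":"\([^"]*\)".*/\1/p' \
        | sort -u \
        | while read -r ip; do
            # Never ban an allowlisted address, whatever the log says
            case " $ALLOWLIST " in *" $ip "*) continue ;; esac
            if valid_ipv4 "$ip"; then printf '%s\n' "$ip"; fi
        done
}

# Demo on the sample; in production, pipe the real log file in instead.
printf '%s\n' "$SAMPLE_LOG" | ban_candidates
```

To use it in the ban script, feed the loop from `ban_candidates < "$LOGFILE"` instead of the raw grep output.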

Step 5: Testing and Monitoring

Regularly test and monitor your setup to ensure it’s functioning as intended.

Testing Fail2Ban

Add a test entry to the Wordfence log:

echo '{"ip":"192.168.1.100","blockType":"manual-block"}' >> /var/www/html/wp-content/uploads/wflogs/attack-log.json

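Check the status of the Fail2Ban jail. A single entry only increments the failure count; with maxretry = 5, the IP is banned after five matching entries: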

sudo fail2ban-client status wordfence

Testing CSF

Verify if an IP is blocked:

sudo csf -g 192.168.1.100

Testing IPTables

List banned IPs:

sudo iptables -L -n | grep DROP

Conclusion

By integrating Wordfence logs with tools like Fail2Ban, CSF, or IPTables, you enhance your server’s ability to automatically block malicious IPs at the operating system level. This integration not only reduces the load on your WordPress site but also provides comprehensive protection against brute-force and other attacks.

At ENGINYRING, we specialize in managing secure WordPress environments. Whether you need assistance with server configuration or advanced security setups, our team of experts is here to help.