{"id":136065,"date":"2021-02-08T14:27:03","date_gmt":"2021-02-08T14:27:03","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/fail2wp\/"},"modified":"2026-03-16T09:34:04","modified_gmt":"2026-03-16T09:34:04","slug":"fail2wp","status":"publish","type":"plugin","link":"https:\/\/tg.wordpress.org\/plugins\/fail2wp\/","author":1481119,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"1.2.6","stable_tag":"1.2.6","tested":"6.9.4","requires":"5.4.0","requires_php":"7.4","requires_plugins":null,"header_name":"Fail2WP","header_author":"WebbPlatsen, Joaquim Homrighausen <joho@webbplatsen.se>","header_description":"Security plugin for WordPress with support for fail2ban","assets_banners_color":"5983b0","last_updated":"2026-03-16 09:34:04","external_support_url":"","external_repository_url":"","donate_link":"https:\/\/code.webbplatsen.net\/wordpress\/fail2wp\/","header_plugin_uri":"https:\/\/code.webbplatsen.net\/wordpress\/fail2wp\/","header_author_uri":"https:\/\/webbplatsen.se\/","rating":5,"author_block_rating":0,"active_installs":100,"downloads":3542,"num_ratings":2,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.2.1":{"tag":"1.2.1","author":"joho68","date":"2024-04-29 13:20:33"},"1.2.2":{"tag":"1.2.2","author":"joho68","date":"2024-09-03 13:55:11"},"1.2.3":{"tag":"1.2.3","author":"joho68","date":"2024-11-21 08:39:21"},"1.2.4":{"tag":"1.2.4","author":"joho68","date":"2025-12-09 14:15:18"},"1.2.6":{"tag":"1.2.6","author":"joho68","date":"2026-03-16 09:34:04"}},"upgrade_notice":{"1.2.6":"<ul>\n<li>Install the new version.<\/li>\n<\/ul>","1.2.5":"<ul>\n<li>Install the new version.<\/li>\n<\/ul>","1.2.0":"<ul>\n<li>Install the new version and walk through the settings.<\/li>\n<li>Check your fail2ban configuration against the supplied sample fail2wp.conf!<\/li>\n<\/ul>","1.1.2":"<ul>\n<li>Install the new version.<\/li>\n<\/ul>","1.1.1":"<ul>\n<li>Install the new version and walk through the settings.<\/li>\n<\/ul>","1.1.0":"<ul>\n<li>Install the new version and walk through the settings.<\/li>\n<\/ul>","1.0.0":"<ul>\n<li>Initial release<\/li>\n<\/ul>"},"ratings":{"1":0,"2":0,"3":0,"4":0,"5":2},"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":2470884,"resolution":"128x128","location":"assets","locale":""},"icon-256x256.png":{"filename":"icon-256x256.png","revision":2470884,"resolution":"256x256","location":"assets","locale":""},"icon.svg":{"filename":"icon.svg","revision":2470884,"resolution":false,"location":"assets","locale":false}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":2491650,"resolution":"1544x500","location":"assets","locale":""},"banner-772x250.png":{"filename":"banner-772x250.png","revision":2491650,"resolution":"772x250","location":"assets","locale":""},"banner.svg":{"filename":"banner.svg","revision":2491650,"resolution":false,"location":"assets","locale":false}},"assets_blueprints":{"blueprint.json":{"filename":"blueprint.json","revision":3483644,"resolution":false,"location":"assets","locale":"","contents":"{\"landingPage\":\"\\\/wp-admin\\\/plugins.php\",\"preferredVersions\":{\"php\":\"8.1\",\"wp\":\"latest\"},\"phpExtensionBundles\":[\"kitchen-sink\"],\"features\":{\"networking\":true},\"steps\":[{\"step\":\"installPlugin\",\"options\":{\"activate\":true},\"pluginData\":{\"resource\":\"wordpress.org\\\/plugins\",\"slug\":\"fail2wp\"}},{\"step\":\"login\",\"username\":\"admin\",\"password\":\"password\"}]}"}},"all_blocks":[],"tagged_versions":["1.2.1","1.2.2","1.2.3","1.2.4","1.2.6"],"block_files":[],"assets_screenshots":[],"screenshots":[],"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[83,710,9229,1174,600],"plugin_category":[38,54],"plugin_contributors":[190415,190417],"plugin_business_model":[],"class_list":["post-136065","plugin","type-plugin","status-publish","hentry","plugin_tags-admin","plugin_tags-authentication","plugin_tags-fail2ban","plugin_tags-firewall","plugin_tags-security","plugin_category-authentication","plugin_category-security-and-spam-protection","plugin_contributors-joho68","plugin_contributors-webbplatsen","plugin_committers-joho68","plugin_support_reps-joho68","plugin_support_reps-webbplatsen"],"banners":{"banner":"https:\/\/ps.w.org\/fail2wp\/assets\/banner-772x250.png?rev=2491650","banner_2x":"https:\/\/ps.w.org\/fail2wp\/assets\/banner-1544x500.png?rev=2491650","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":"https:\/\/ps.w.org\/fail2wp\/assets\/icon.svg?rev=2470884","icon":"https:\/\/ps.w.org\/fail2wp\/assets\/icon.svg?rev=2470884","icon_2x":false,"generated":false},"screenshots":[],"raw_content":"<!--section=description-->\n<p>This WordPress plugin provides security functionality and integration with fail2ban.<\/p>\n\n<p>It does not require fail2ban to function.<\/p>\n\n<p>Basic security functionality includes:<\/p>\n\n<ul>\n<li>Disabling login with username (require e-mail address)<\/li>\n<li>Allow\/Deny login from IP address, hostname (including wildcard support)<\/li>\n<li>Preventing user enumeration (?author=nnn)<\/li>\n<li>Less detailed error messages on login failures<\/li>\n<li>Minimum username length<\/li>\n<li>Blocking specific usernames from being used to register new users<\/li>\n<li>Requiring e-mail address matching for new user registrations<\/li>\n<li>Warning about new user role setting<\/li>\n<li>Blocking of portions or all of WordPress REST API<\/li>\n<li>Disabling of RSS and Atom feeds<\/li>\n<li>Removal of \"Generator\" information from HTML and feeds<\/li>\n<li>Detection of Cloudflare IP addresses for logging of actual IP addresses<\/li>\n<li>Blocking\/Allowing logins from IP addresses, IP ranges, and\/or hostnames<\/li>\n<li>Partially or fully disable XMLRPC access<\/li>\n<\/ul>\n\n<p>The plugin also plays nicely with Fail2ban, which is an advanced way of blocking IP addresses dynamically upon suspicious behavior.<\/p>\n\n<p>Other notes:<\/p>\n\n<ul>\n<li>This plugin <strong>may<\/strong> work with earlier versions of WordPress<\/li>\n<li>This plugin has been tested with <strong>WordPress 5.5+ and 6.x<\/strong> at the time of this writing<\/li>\n<li>This plugin has been tested with <strong>PHP 7.4, 8.1, 8.2, and 8.3<\/strong> at the time of this writing<\/li>\n<li>Local syntax\/runtime compatibility checks have also been run on <strong>PHP 8.4<\/strong><\/li>\n<li>This plugin optionally makes use of <code>mb_<\/code> PHP functions<\/li>\n<li>This plugin may create entries in your PHP error log (if active)<\/li>\n<li>This plugin contains no Javascript<\/li>\n<li>This plugin contains no tracking code and does not store any information about users<\/li>\n<\/ul>\n\n<h3>Credits<\/h3>\n\n<p>The Fail2WP Plugin was written by Joaquim Homrighausen while converting caffeine into code.<\/p>\n\n<p>Fail2WP is sponsored by <a href=\"https:\/\/webbplatsen.se\">WebbPlatsen i Sverige AB<\/a>, Sweden.<\/p>\n\n<p>Copyright 2020-2026 Joaquim Homrighausen; all rights reserved.<\/p>\n\n<p>Commercial support and customizations for this plugin is available from WebbPlatsen i Sverige AB in Sweden.<\/p>\n\n<p>If you find this plugin useful, the author is happy to receive a donation, good review, or just a kind word.<\/p>\n\n<p>If there is something you feel to be missing from this plugin, or if you have found a problem with the code or a feature, please do not hesitate to reach out to support@webbplatsen.se.<\/p>\n\n<p>This plugin can also be downloaded from <a href=\"https:\/\/code.webbplatsen.net\/wordpress\/fail2wp\/\">code.webbplatsen.net<\/a> and <a href=\"https:\/\/github.com\/joho1968\/fail2wp\">GitHub<\/a><\/p>\n\n<p>More detailed documentation is available at <a href=\"https:\/\/code.webbplatsen.net\/documentation\/fail2wp\/\">code.webbplatsen.net\/documentation\/fail2wp\/<\/a><\/p>\n\n<p>Kudos to <a href=\"https:\/\/github.com\/tholu\">Thomas Lutz<\/a>.<\/p>\n\n<!--section=installation-->\n<p>This section describes how to install the plugin and get it working.<\/p>\n\n<ol>\n<li>Upload the contents of the <code>fail2wp<\/code> folder to the <code>\/wp-content\/plugins\/<\/code> directory<\/li>\n<li>Activate the plugin through the 'Plugins' menu in WordPress<\/li>\n<li>Configure the basic settings<\/li>\n<li>To enable fail2ban integration, you will need to modify your fail2ban configuration. Please see <code>FAIL2BAN.txt<\/code> or <code>FAIL2BAN.md<\/code>.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"is%20the%20plugin%20locale%20aware\"><h3>Is the plugin locale aware<\/h3><\/dt>\n<dd><p>Fail2WP uses standard WordPress functionality to handle localization\/locale. The native language localization of the plugin is English. It has been translated to Swedish by the author.<\/p><\/dd>\n<dt id=\"are%20there%20any%20incompatibilities\"><h3>Are there any incompatibilities<\/h3><\/dt>\n<dd><p>This is a hard question to answer. There are no known incompatibilities.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.2.6<\/h4>\n\n<ul>\n<li>Fixed a nasty REST API regression that could log <code>Blocked REST API request<\/code> even when the REST block settings were not enabled<\/li>\n<li>Fixed the same regression so ordinary unauthenticated REST namespace requests are no longer treated as blocked just because user enumeration protection is active<\/li>\n<li>Fixed blocked REST API logging so it now respects the \"Log blocked requests\" setting consistently<\/li>\n<li>Verified with WordPress 6.9<\/li>\n<li>Updated internal version metadata<\/li>\n<\/ul>\n\n<h4>1.2.5<\/h4>\n\n<ul>\n<li>Added an admin-side helper to fetch current Cloudflare IPv4 and IPv6 ranges into the settings form without auto-saving<\/li>\n<li>Improved the Cloudflare tab UX so the ranges and refresh controls stay available but are visually muted when Cloudflare support is disabled<\/li>\n<li>Changed disabled feed requests to return <code>404<\/code> instead of redirecting to the home page<\/li>\n<li>Extended user enumeration blocking\/logging to cover unauthenticated REST users endpoints<\/li>\n<li>Fixed the REST <code>users<\/code> route block so it also covers individual user endpoints<\/li>\n<li>Fixed REST route blocking so route-only rules are activated correctly<\/li>\n<li>Fixed REST handling so logged in and authenticated requests bypass REST blocking<\/li>\n<li>Fixed override IP handling for security\/fail2ban alert messages<\/li>\n<li>Fixed IPv6 CIDR validation for login allow and deny lists<\/li>\n<li>Removed PHP 8.2 and PHP 8.3 dynamic property deprecations<\/li>\n<li>Fixed PHP 8.4 syslog signature deprecation while keeping PHP 7.4 compatibility<\/li>\n<li>Refreshed the bundled <code>php-cidr-match<\/code> library from current upstream<\/li>\n<li>Updated translation assets, including the Cloudflare refresh flow and Swedish admin strings<\/li>\n<li>Updated internal version metadata<\/li>\n<\/ul>\n\n<h4>1.2.4<\/h4>\n\n<ul>\n<li>Verified with WordPress 6.8 and WordPress 6.9<\/li>\n<li>Removed PHP 7.2 compatibility (PHP 7.4 or above is now required)<\/li>\n<\/ul>\n\n<h4>1.2.3<\/h4>\n\n<ul>\n<li>Verified with WordPress 6.7<\/li>\n<li>Verified with Plugin Check (PCP)<\/li>\n<li>Fixed issue when requiring REST API authentication and IPv4\/IPv6 bypass was configured<\/li>\n<li>Fixed issue with uninitialized variable in XML-RPC handling<\/li>\n<li>Fixed PHP warning for json_decode() call, this did not impact functionality<\/li>\n<li>Corrected some Swedish translations<\/li>\n<li>Corrected some checks for <code>uninstall.php<\/code> and made it more WP-CLI compatible<\/li>\n<\/ul>\n\n<h4>1.2.2<\/h4>\n\n<ul>\n<li>Verified with WordPress 6.6<\/li>\n<li>Improved code for role notification settings (PR#2)<\/li>\n<li>Improved code for e-mail checking for new user registrations (PR#1)<\/li>\n<li>Thanks to philscott-rg and Edward Casbon<\/li>\n<\/ul>\n\n<h4>1.2.1<\/h4>\n\n<ul>\n<li>Verified with WordPress 6.5.2<\/li>\n<li>Updated \"About\" information<\/li>\n<\/ul>\n\n<h4>1.2.0<\/h4>\n\n<ul>\n<li>Verified with WordPress 6.2.2 and PHP 8.1.20<\/li>\n<li>Added support for allow\/deny list for login (IP address, hostname with wildcard support)<\/li>\n<li>Added entry in fail2wp.conf example fail2ban configuration for allow\/deny login<\/li>\n<li>Corrected typo in fail2wp.conf example fail2ban configuration, CHECK AGAINST YOURS!<\/li>\n<li>Added support for HTTP_X_REAL_IP (X-Real-IP) header to \"decode\" actual remote IP address<\/li>\n<li>Added support for partially or fully disabling XMLRPC<\/li>\n<li>Added entry in fail2wp.conf example fail2ban configuration for XMLRPC access attempts<\/li>\n<\/ul>\n\n<h4>1.1.2<\/h4>\n\n<ul>\n<li>Verified with WordPress 5.8.3<\/li>\n<li>Fixes for various PHP warning messages<\/li>\n<\/ul>\n\n<h4>1.1.1<\/h4>\n\n<ul>\n<li>Verified with WordPress 5.8<\/li>\n<\/ul>\n\n<h4>1.1.0<\/h4>\n\n<ul>\n<li>Added minimum username length<\/li>\n<li>Added blocking of specific usernames (user registration)<\/li>\n<li>Added requiring e-mail address matching setting<\/li>\n<li>Added warning about new user role setting<\/li>\n<li>Added blocking of portions or all of WordPress REST API<\/li>\n<li>Added setting to disable RSS and Atom feeds<\/li>\n<li>Added setting to remove \"Generator\" information from HTML and feeds<\/li>\n<li>Minor corrections and general improvements<\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release<\/li>\n<\/ul>","raw_excerpt":"Security plugin for WordPress with support for fail2ban. Tested with WordPress 5.5+ and PHP 7.4-8.4","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/tg.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/136065","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tg.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/tg.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/tg.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=136065"}],"author":[{"embeddable":true,"href":"https:\/\/tg.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/joho68"}],"wp:attachment":[{"href":"https:\/\/tg.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=136065"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/tg.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=136065"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/tg.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=136065"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/tg.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=136065"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/tg.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=136065"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/tg.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=136065"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}