I run a website with WordPress (wordpress-4.9.5-1.el6.noarch) and fail2ban (fail2ban-0.9.6-1.el6.1.noarch). I also downloaded and installed the fail2ban plugin from WordPress (https://wordpress.org/plugins/wp-fail2ban/).
Yesterday, I experienced this attack:
Jun 1 15:19:14 myserver wordpress(mysite.dk)[18091]: XML-RPC authentication failure for myuser from 119.29.82.97
The attack lasted for half an hour, with a total of 882 attempts. It should have been caught by the wordpress-soft.conf filter in /etc/fail2ban/filter.d/, but obviously wasn't.
The filter's regex was:
failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
            ^%(__prefix_line)sXML-RPC authentication failure from <HOST>$
I have now added an extra line:
failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
            ^%(__prefix_line)sXML-RPC authentication failure for .* from <HOST>$
            ^%(__prefix_line)sXML-RPC authentication failure from <HOST>$
I guess this is not a bug in SME-server, but I just want to provide the info.
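Added example, not part of the original post and not fail2ban's own code: a small Python check that runs both failregex sets from the post over the reported log line and reports which lines each filter misses. The `PREFIX`, `HOST` and `TIMESTAMP` patterns are simplified stand-ins (assumptions) for fail2ban's `%(__prefix_line)s`, `<HOST>` and date detection, and every log line except the first is a constructed sample.

```python
import re

# fail2ban removes the detected timestamp before applying failregex.
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")
# Simplified stand-ins (assumptions): the real %(__prefix_line)s comes from
# filter.d/common.conf, and the real <HOST> also accepts IPv6 and hostnames.
PREFIX = r"\S+ wordpress\([^)]*\)\[\d+\]: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

ORIGINAL = [
    "^%(__prefix_line)sAuthentication failure for .* from <HOST>$",
    "^%(__prefix_line)sXML-RPC authentication failure from <HOST>$",
]
UPDATED = ORIGINAL[:1] + [
    "^%(__prefix_line)sXML-RPC authentication failure for .* from <HOST>$",
] + ORIGINAL[1:]

TAG = "myserver wordpress(mysite.dk)[18091]: "
LOG = [
    # Line reported in the post.
    "Jun 1 15:19:14 " + TAG + "XML-RPC authentication failure for myuser from 119.29.82.97",
    # Constructed samples covering the two message formats the old filter knew.
    "Jun 1 15:20:01 " + TAG + "Authentication failure for admin from 203.0.113.5",
    "Jun 1 15:20:30 " + TAG + "XML-RPC authentication failure from 203.0.113.7",
    # Constructed: user name that itself contains " from <ip>". The greedy .*
    # plus the $ anchor make the trailing address the one that is extracted.
    "Jun 1 15:21:40 " + TAG + "XML-RPC authentication failure for x from 203.0.113.1 from 198.51.100.9",
]

def compile_filter(failregex):
    """Expand the two fail2ban placeholders and compile each rule."""
    return [re.compile(p.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST))
            for p in failregex]

def banned_host(rules, line):
    """Return the address a rule set would act on for this line, or None."""
    rest = TIMESTAMP.sub("", line, count=1)
    for rule in rules:
        m = rule.search(rest)
        if m:
            return m.group("host")
    return None

def missed(failregex, lines):
    """Lines that no rule in the filter matches."""
    rules = compile_filter(failregex)
    return [l for l in lines if banned_host(rules, l) is None]

if __name__ == "__main__":
    print("missed by original filter:", len(missed(ORIGINAL, LOG)))
    print("missed by updated filter: ", len(missed(UPDATED, LOG)))
```

On a live system, `fail2ban-regex` run with the real log file and filter file gives the authoritative answer, since it uses fail2ban's actual prefix and host patterns.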