Title: Fail2WP
Author: joho68
Published: February 8, 2021
Last modified: March 16, 2026

---


# Fail2WP

 By [joho68](https://profiles.wordpress.org/joho68/)

[Download](https://downloads.wordpress.org/plugin/fail2wp.1.2.6.zip)


## Description

This WordPress plugin provides security functionality and integration with fail2ban.

It does not require fail2ban to function.

Basic security functionality includes:

 * Disabling login with username (require e-mail address)
 * Allow/Deny login from IP address, hostname (including wildcard support)
 * Preventing user enumeration (?author=nnn)
 * Less detailed error messages on login failures
 * Minimum username length
 * Blocking specific usernames from being used to register new users
 * Requiring e-mail address matching for new user registrations
 * Warning about new user role setting
 * Blocking of portions or all of WordPress REST API
 * Disabling of RSS and Atom feeds
 * Removal of “Generator” information from HTML and feeds
 * Detection of Cloudflare IP addresses for logging of actual IP addresses
 * Blocking/Allowing logins from IP addresses, IP ranges, and/or hostnames
 * Partially or fully disable XMLRPC access

The plugin also plays nicely with Fail2ban, which is an advanced way of blocking
IP addresses dynamically upon suspicious behavior.

Other notes:

 * This plugin **may** work with earlier versions of WordPress
 * This plugin has been tested with **WordPress 5.5+ and 6.x** at the time of this
   writing
 * This plugin has been tested with **PHP 7.4, 8.1, 8.2, and 8.3** at the time of
   this writing
 * Local syntax/runtime compatibility checks have also been run on **PHP 8.4**
 * This plugin optionally makes use of `mb_` PHP functions
 * This plugin may create entries in your PHP error log (if active)
 * This plugin contains no JavaScript
 * This plugin contains no tracking code and does not store any information about
   users

### Credits

The Fail2WP Plugin was written by Joaquim Homrighausen while converting caffeine
into code.

Fail2WP is sponsored by [WebbPlatsen i Sverige AB](https://webbplatsen.se), Sweden.

Copyright 2020-2026 Joaquim Homrighausen; all rights reserved.

Commercial support and customizations for this plugin are available from WebbPlatsen
i Sverige AB in Sweden.

If you find this plugin useful, the author is happy to receive a donation, good 
review, or just a kind word.

If there is something you feel to be missing from this plugin, or if you have found
a problem with the code or a feature, please do not hesitate to reach out to support@webbplatsen.se.

This plugin can also be downloaded from [code.webbplatsen.net](https://code.webbplatsen.net/wordpress/fail2wp/)
and [GitHub](https://github.com/joho1968/fail2wp)

More detailed documentation is available at [code.webbplatsen.net/documentation/fail2wp/](https://code.webbplatsen.net/documentation/fail2wp/)

Kudos to [Thomas Lutz](https://github.com/tholu).

## Installation

This section describes how to install the plugin and get it working.

 1. Upload the contents of the `fail2wp` folder to the `/wp-content/plugins/` directory
 2. Activate the plugin through the ‘Plugins’ menu in WordPress
 3. Configure the basic settings
 4. To enable fail2ban integration, you will need to modify your fail2ban configuration.
    Please see `FAIL2BAN.txt` or `FAIL2BAN.md`.

## FAQ

### Is the plugin locale aware?

Fail2WP uses standard WordPress functionality to handle localization/locale. The
native language localization of the plugin is English. It has been translated to
Swedish by the author.

### Are there any incompatibilities?

This is a hard question to answer. There are no known incompatibilities.

## Reviews


### [Excellent protection plugin](https://wordpress.org/support/topic/excellent-plugin-de-protection/)

 [jeebeezebee](https://profiles.wordpress.org/jeebeezebee/) October 31, 2021

Very lightweight and very effective!


### [Great plugin](https://wordpress.org/support/topic/great-plugin-29685/)

 [jarven](https://profiles.wordpress.org/jarven/) February 10, 2021

Really cool, this plugin using Fail2Ban.

 [ Read all 2 reviews ](https://wordpress.org/support/plugin/fail2wp/reviews/)

## Contributors & Developers

“Fail2WP” is open source software. The following people have contributed to this
plugin.

Contributors

 *   [ joho68 ](https://profiles.wordpress.org/joho68/)
 *   [ WebbPlatsen ](https://profiles.wordpress.org/webbplatsen/)

“Fail2WP” has been translated into 1 locale. Thank you to [the translators](https://translate.wordpress.org/projects/wp-plugins/fail2wp/contributors)
for their contributions.

[Translate “Fail2WP” into your language.](https://translate.wordpress.org/projects/wp-plugins/fail2wp)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/fail2wp/), check out
the [SVN repository](https://plugins.svn.wordpress.org/fail2wp/), or subscribe to
the [development log](https://plugins.trac.wordpress.org/log/fail2wp/) by [RSS](https://plugins.trac.wordpress.org/log/fail2wp/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.2.6

 * Fixed a nasty REST API regression that could log `Blocked REST API request` even
   when the REST block settings were not enabled
 * Fixed the same regression so ordinary unauthenticated REST namespace requests
   are no longer treated as blocked just because user enumeration protection is 
   active
 * Fixed blocked REST API logging so it now respects the “Log blocked requests” 
   setting consistently
 * Verified with WordPress 6.9
 * Updated internal version metadata

#### 1.2.5

 * Added an admin-side helper to fetch current Cloudflare IPv4 and IPv6 ranges into
   the settings form without auto-saving
 * Improved the Cloudflare tab UX so the ranges and refresh controls stay available
   but are visually muted when Cloudflare support is disabled
 * Changed disabled feed requests to return `404` instead of redirecting to the 
   home page
 * Extended user enumeration blocking/logging to cover unauthenticated REST users
   endpoints
 * Fixed the REST `users` route block so it also covers individual user endpoints
 * Fixed REST route blocking so route-only rules are activated correctly
 * Fixed REST handling so logged in and authenticated requests bypass REST blocking
 * Fixed override IP handling for security/fail2ban alert messages
 * Fixed IPv6 CIDR validation for login allow and deny lists
 * Removed PHP 8.2 and PHP 8.3 dynamic property deprecations
 * Fixed PHP 8.4 syslog signature deprecation while keeping PHP 7.4 compatibility
 * Refreshed the bundled `php-cidr-match` library from current upstream
 * Updated translation assets, including the Cloudflare refresh flow and Swedish
   admin strings
 * Updated internal version metadata

#### 1.2.4

 * Verified with WordPress 6.8 and WordPress 6.9
 * Removed PHP 7.2 compatibility (PHP 7.4 or above is now required)

#### 1.2.3

 * Verified with WordPress 6.7
 * Verified with Plugin Check (PCP)
 * Fixed issue when requiring REST API authentication and IPv4/IPv6 bypass was configured
 * Fixed issue with uninitialized variable in XML-RPC handling
 * Fixed PHP warning for `json_decode()` call; this did not impact functionality
 * Corrected some Swedish translations
 * Corrected some checks for `uninstall.php` and made it more WP-CLI compatible

#### 1.2.2

 * Verified with WordPress 6.6
 * Improved code for role notification settings (PR#2)
 * Improved code for e-mail checking for new user registrations (PR#1)
 * Thanks to philscott-rg and Edward Casbon

#### 1.2.1

 * Verified with WordPress 6.5.2
 * Updated “About” information

#### 1.2.0

 * Verified with WordPress 6.2.2 and PHP 8.1.20
 * Added support for allow/deny list for login (IP address, hostname with wildcard
   support)
 * Added entry in fail2wp.conf example fail2ban configuration for allow/deny login
 * Corrected typo in fail2wp.conf example fail2ban configuration, CHECK AGAINST 
   YOURS!
 * Added support for HTTP_X_REAL_IP (X-Real-IP) header to “decode” actual remote
   IP address
 * Added support for partially or fully disabling XMLRPC
 * Added entry in fail2wp.conf example fail2ban configuration for XMLRPC access 
   attempts

#### 1.1.2

 * Verified with WordPress 5.8.3
 * Fixes for various PHP warning messages

#### 1.1.1

 * Verified with WordPress 5.8

#### 1.1.0

 * Added minimum username length
 * Added blocking of specific usernames (user registration)
 * Added requiring e-mail address matching setting
 * Added warning about new user role setting
 * Added blocking of portions or all of WordPress REST API
 * Added setting to disable RSS and Atom feeds
 * Added setting to remove “Generator” information from HTML and feeds
 * Minor corrections and general improvements

#### 1.0.0

 * Initial release

## Meta

 *  Version **1.2.6**
 *  Last updated **3 weeks ago**
 *  Active installations **100+**
 *  WordPress version **5.4.0 or higher**
 *  Tested up to **6.9.4**
 *  PHP version **7.4 or higher**
 *  Languages: [English (US)](https://wordpress.org/plugins/fail2wp/) and [Swedish](https://sv.wordpress.org/plugins/fail2wp/)
 *  [Translate into your language](https://translate.wordpress.org/projects/wp-plugins/fail2wp)
 *  Tags: [admin](https://ceb.wordpress.org/plugins/tags/admin/), [authentication](https://ceb.wordpress.org/plugins/tags/authentication/), [fail2ban](https://ceb.wordpress.org/plugins/tags/fail2ban/), [firewall](https://ceb.wordpress.org/plugins/tags/firewall/), [security](https://ceb.wordpress.org/plugins/tags/security/)
 *  [Advanced View](https://ceb.wordpress.org/plugins/fail2wp/advanced/)

## Ratings

 5 out of 5 stars.

 *  [2 5-star reviews](https://wordpress.org/support/plugin/fail2wp/reviews/?filter=5)
 *  [0 4-star reviews](https://wordpress.org/support/plugin/fail2wp/reviews/?filter=4)
 *  [0 3-star reviews](https://wordpress.org/support/plugin/fail2wp/reviews/?filter=3)
 *  [0 2-star reviews](https://wordpress.org/support/plugin/fail2wp/reviews/?filter=2)
 *  [0 1-star reviews](https://wordpress.org/support/plugin/fail2wp/reviews/?filter=1)


## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/fail2wp/)

## Donate

Would you like to support the advancement of this plugin?

 [ Donate to this plugin ](https://code.webbplatsen.net/wordpress/fail2wp/)