Rename wp-login OR Permanently ban IPs outside exempt countries that trigger Authentication attempt via wp-login.php?

Hi I am using the Digital Ocean WordPress Droplet which comes with the WPf2b plugin installed. Inside the WordPress dashboard I have this WPf2b screen element -

It’s irritating seeing so many login attempts from IPs outside the website’s target audience (United Kingdom). Note this is currently a noindex nofollow sandbox website, so I am surprised bots have even found it… perhaps it’s a generic subdomain, staging.mysite.com, and that is how they found it.

If I renamed wp-login, would this prevent bots and reduce the WPf2b dashboard messages like Authentication attempt for unknown user admin from 171.244.0.91?

Another option I was thinking of is to permanently ban IPs that fail to log in and are outside a safelist of countries.

Generally speaking IPs failing to login come from -
China, Singapore, India, Vietnam, Germany, France, Switzerland and Thailand etc…

Is there a way to permanently ban these IPs only if they are outside a safe country list?

These are the fail2ban filters enabled -

/etc/fail2ban/jail.d/wordpress-digitalocean.conf

[wordpress-hard]
enabled = true
filter = wordpress-hard
logpath = /var/log/auth.log
maxretry = 3
port = http,https
bantime = 86400

[wordpress-soft]
enabled = true
filter = wordpress-soft
logpath = /var/log/auth.log
maxretry = 5
port = http,https
bantime = 1800

/etc/fail2ban/jail.d/defaults-debian.conf

[sshd]
enabled = true

What I’m thinking is, after 3 failed attempts, to permanently block the IP if it’s outside a safe country list?

If this is a viable option please can someone advise how to implement? I don’t mind paying for help.

I was thinking about implementing a blanket ban for all countries outside a safelist, but I think that could be more detrimental than helpful? i.e. if it’s a genuine customer abroad, and it could possibly hurt SERPs?

Also I found this Ultimate Apache Bad Bot Blocker which uses Fail2Ban. Would it reduce the wp-login attempts? Is it worth installing?

Another option I found is WP fail2ban Blocklist. Would this help reduce bots trying to hack the website or is it similar to Ultimate Apache Bad Bot Blocker?

Please can someone advise?

Any advice is much appreciated.

Thank you

OK, so there are a lot of things to cover in your post :grinning:

[I’m going to keep this to short paragraphs for now, as I suspect each aspect will need its own topic.]

Generally, it’s a bad idea to ban IPs permanently. IPs change hands, bots get taken down - what was a bad IP yesterday may not be today.

If you know that you want to block all requests from certain countries there are many different ways to do that; the Premium version of WPf2b is one of them - I’ll cover that in another topic.

However, WPf2b is primarily intended to block IPs based on their behaviour, not their location, so with WPf2b on its own you will always have fairly noisy logs. The noisier the logs the more WPf2b is catching.

For the examples you’ve shown you’ve got two choices:

  1. Add admin to WP_FAIL2BAN_BLOCKED_USERS. This is the simplest solution, but also quite limited; or,
  2. Enable WP_FAIL2BAN_BLOCK_USERNAME_LOGIN.

Both will allow you to ban the IP immediately.

Also, if you can, you should enable WP_FAIL2BAN_BLOCK_USER_ENUMERATION; again, this lets you ban the IP immediately.

The standard Digital Ocean config is a good compromise between being effective and keeping their support load down: it doesn’t ban IPs immediately.

[This part will get its own topic later as it’s a change in v5]

The wordpress-hard filter is intended to ban things immediately.
When I first added the rule to catch login attempts with an unknown username, I put it in the hard filter as that’s what made sense at the time.
In v5 I’ve moved it to the soft filter as that’s what makes sense now - things change.

So, with v4, if you make sure you never get your username/email address wrong when you log in, or you have a static IP address and you’ve configured fail2ban to ignore it, you should change to maxretry = 1 in the wordpress-hard filter.
This will immediately ban IPs matching the hard filters, as originally intended.
Once v5 is released and you’ve updated your filter files, there will be no reason not to set maxretry = 1.

WP fail2ban Blocklist is designed to catch and prevent bots that are attacking WordPress sites right now.
It’s preemptive - the whole point is to block IPs before the bot can attack your site.
It will reduce not only login attempts but other things like comment spam.

You’re better off doing country blocks in Cloudflare. They have a simple method of doing it in their WAF tool (free) - you simply create a single rule which can hold as many countries as you like using their “is in” operator.

And for countries that you don’t want to/shouldn’t block, but still want to restrict bots, use a “Challenge” rule.
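As an added illustration (not code from this thread or from the WPf2b plugin), here is a small Python simulation of how the jail.d settings posted above would treat some constructed WPf2b auth.log lines, and what changes when maxretry = 1 is set on wordpress-hard as suggested. The syslog line shape, the two filter regexes and the 600 s findtime are assumptions; the maxretry and bantime values come from the posted config.

```python
import re
from collections import defaultdict
from datetime import datetime

# Jail settings copied from the posted wordpress-digitalocean.conf. findtime is
# fail2ban's default of 600 s (the posted config does not override it), and the
# two match patterns are assumptions about the WPf2b hard/soft filter regexes.
FINDTIME = 600
JAILS = {
    "wordpress-hard": {"maxretry": 3, "bantime": 86400,
                       "pattern": r"Authentication attempt for unknown user \S+ from (?P<host>\S+)"},
    "wordpress-soft": {"maxretry": 5, "bantime": 1800,
                       "pattern": r"Authentication failure for \S+ from (?P<host>\S+)"},
}
# Assumed syslog line shape for WPf2b messages in /var/log/auth.log.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ wordpress\([^)]*\)\[\d+\]: (?P<msg>.*)$")

# Constructed sample: one IP guessing "admin" three times in a row, one known
# user with two wrong passwords, and one IP whose two attempts are 20 min apart.
SAMPLE_LOG = """\
Mar  3 10:00:01 web wordpress(staging.mysite.com)[2210]: Authentication attempt for unknown user admin from 171.244.0.91
Mar  3 10:00:05 web wordpress(staging.mysite.com)[2210]: Authentication attempt for unknown user admin from 171.244.0.91
Mar  3 10:00:09 web wordpress(staging.mysite.com)[2210]: Authentication attempt for unknown user admin from 171.244.0.91
Mar  3 10:02:30 web wordpress(staging.mysite.com)[2211]: Authentication failure for editor from 203.0.113.7
Mar  3 10:02:45 web wordpress(staging.mysite.com)[2211]: Authentication failure for editor from 203.0.113.7
Mar  3 10:10:00 web wordpress(staging.mysite.com)[2212]: Authentication attempt for unknown user admin from 198.51.100.9
Mar  3 10:30:00 web wordpress(staging.mysite.com)[2213]: Authentication attempt for unknown user admin from 198.51.100.9
"""

def simulate(log_text, jails=JAILS, year=2024):
    """Return {jail: {ip: bantime}} for IPs fail2ban would ban with these jails."""
    hits = defaultdict(lambda: defaultdict(list))   # jail -> ip -> hit timestamps
    bans = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        for name, jail in jails.items():
            hit = re.search(jail["pattern"], m["msg"])
            if not hit:
                continue
            ip = hit["host"]
            # Keep only failures inside the findtime window, then count this one.
            recent = [t for t in hits[name][ip] if (ts - t).total_seconds() <= FINDTIME]
            recent.append(ts)
            hits[name][ip] = recent
            if len(recent) >= jail["maxretry"] and ip not in bans[name]:
                bans[name][ip] = jail["bantime"]
    return {k: dict(v) for k, v in bans.items() if v}

def hard_maxretry_one(log_text):
    """Same run with the v4 advice applied: maxretry = 1 on wordpress-hard."""
    jails = dict(JAILS)
    jails["wordpress-hard"] = {**JAILS["wordpress-hard"], "maxretry": 1}
    return simulate(log_text, jails)
```

With the default config the slow-guessing IP never reaches maxretry inside one findtime window and is never banned; with maxretry = 1 every unknown-user attempt bans on first sight.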

Thanks for the help everyone.

I decided to rename the wp-login and now I don’t see any random unknown login attempts.