WP fail2ban on wpengine: where do logs go?

toddS · 4 November 2024 13:56

Plugin version: 5.3.2
PHP version: 8.2
WPEngine version: 6.6.2

I have successfully updated / enabled constants in wp-config.php per instructions on wpengine and https://docs.wp-fail2ban.com/en/latest/defines/all.html. I’m able to block users enumerated in WP_FAIL2BAN_BLOCKED_USERS - any attempt to log in as one of those users is met with the message Forbidden and nothing else; the attempt is not captured in the normal logs.

Notable that if I try and fail to log in with another user NOT in the WP_FAIL2BAN_BLOCKED_USERS list, I do get that failed attempt in the error logs.

Is it possible to effectively use the free version of this plugin on wpengine.com? If so, how can we configure the plugin to write logs in a way that’s visible to the admins?

Follow up to that: does the paid version allow logging to a file, or some other way that will make those logs accessible to the system/user, or does the plugin require full control of the platform (including access to a proper syslog facility)?

Any help is appreciated!
Thanks,
Todd

wp-fail2ban · 8 November 2024 06:05

Answering this is surprisingly complex; I’ll address the simple part first:

The Premium version writes all the events to the database. It’s designed for human consumption rather than machine, but the table schema is very straightforward.

As for logging to a file, well, that’s where things get complicated.

You would be forgiven for thinking that the actual “writing to the file” part of writing to a file is trivial: fopen(), fputs(), fclose(). Easy.

Unfortunately, that’s no longer true.

WP are in the process of automating the process of reviewing plugins, the first step being the Plugin Check plugin (PCP). You can probably guess where this is going.

One of the checks in the PCP is for fopen(), with an admonition to use WP_Filesystem instead.

That would be fine, except that WP_Filesystem_Direct can only write complete files - it provides no mechanism for appending to an existing file.

Thus, the Free version cannot both log to a file and pass the PCP checks.

The good news is that I’ve been working on an addon for systems without syslog - this problem isn’t unique to WPE.

The bad news is that, thanks to the WP vs. WPE drama, I’ve had to put it on the back burner while I get v5.4 out; there’ll be a blog post out later today with all the details - there are some big changes.

So TL;DR: Free version, no, but an addon in a few weeks, yes.

toddS · 14 November 2024 12:46

Very nice, thank you for the detailed update!