WordPress Anti Spam Measures using Fail2ban

I recently got really excited when I noticed, that the number of page views on my blog suddenly sky-rocketed from around 70 to over 300! What brought me back down to earth was the fact, that I also received around 120 spam comments on that single day. Luckily all of those were reliably caught by Antispam Bee.

Sudden peaks in page view and spam comment statistics.

Still, it would be nice to have accurate statistics about page views and those stupid spam requests distort the number of views. Also I’d like to fight spam with tooth and nail, so simply filtering out the comments is not enough for me.

That’s why I did some research and found out about the plugin WP Fail2Ban Redux, which allows logging of spammed comments for integration with the famous fail2ban tool. The plugin does not come with a settings page, so any settings and options have to be defined in the wp-config.php. In my case it was sufficient to just add the following setting:

/path/to/wordpress/wp-config.php

define('ANTISPAM_BEE_LOG_FILE', '/var/log/spam.log');

Now, whenever Antispam Bee classifies a comment as spam, the IP of the author is logged in the given log file.

Now all I need it to configure fail2ban to read host names from that file and to swing that ban hammer!

/etc/fail2ban/filter.d/antispambee.conf

[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]
_daemon = wp
failregex = ^%(__prefix_line)s comment for post.* from host= marked as spam$
/etc/fail2ban/jail.local 

[antispambee]
enabled = true
filter = antispambee
logpath = /var/log/spam.log
bantime = 21600
maxretry = 1
port = http,https

Now whenever a spammer leaves a “comment” on my blog, its IP is written in the spam.log file where it is picked up by fail2ban, which results in a 6 hour ban for that IP.

Those sweet, sweet bans 🙂

Update:

Yaaaay!

One thought on “WordPress Anti Spam Measures using Fail2ban

  1. hi thank you so much for your suggestions but I’m receiving the following error in /var/log/fail2ban.log about the missing of host group. Any syggestions? many thanks

    2019-07-24 09:57:42,943 fail2ban.filter [937]: ERROR No ‘host’ group in ‘^(?:\[\])?\s*(?:\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]
    ?wp(?:\(\S+\))?[\]\)]?:?|[\[\(]?wp(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)? comment for post.* from host= marked as spam$’
    2019-07-24 09:57:42,943 fail2ban.transmitter [937]: WARNING Command [‘set’, ‘antispambee’, ‘addfailregex’, ‘^(?:\\[\\])?\\s*(?:\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d$
    [\\[\\(]?wp(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)? comment for post.* from host= marked as spam$'”,)

Leave a Reply

Your email address will not be published.