---
title: "Prevent Brute-Force WordPress Logins with WP fail2ban"
description: "WP fail2ban is a freemium WordPress security plugin with features for logging, brute-force attack prevention, and spam protection. In the free version you must edit the wp-config.php file with any..."
url: https://www.inmotionhosting.com/support/edu/wordpress/prevent-brute-force-wordpress-logins-with-wp-fail2ban/
date: 2020-01-23
modified: 2021-08-16
author: "InMotion Hosting Contributor"
categories: ["WordPress Tutorials"]
type: post
lang: en
---

# Prevent Brute-Force WordPress Logins with WP fail2ban

[WP ](https://wordpress.org/plugins/wp-fail2ban/)[fail2ban](https://wordpress.org/plugins/wp-fail2ban/) is a freemium WordPress security plugin with features for logging, brute-force attack prevention, and spam protection. In the free version you must edit the wp-config.php file with any configurations. Then, it’ll view within your WordPress dashboard.

If you prefer a full-featured security plugin, we recommend [Cerber Security, Antispam & Malware Scan](https://www.inmotionhosting.com/support/edu/wordpress/wp-cerber-restrict-website-access/) and [BBQ: Block Bad Queries](https://www.inmotionhosting.com/support/edu/wordpress/how-to-setup-bbq-block-bad-queries-on-wordpress/).

There’s a lot of data in your [wp-config.php](https://www.inmotionhosting.com/support/edu/wordpress/editing-your-wordpress-wp-config-php-file/) file already. However, you only need to add two lines to block user enumeration (requests for author username queries). Below we cover how to block user login attempts with WP fail2ban using your [wp-config.php file (free version)](#wpconfig) and the [WordPress dashboard (paid version)](#dashboard).

[Install the WP fail2ban plugin](https://www.inmotionhosting.com/support/edu/wordpress/plugins/install-wordpress-plugins/) before continuing.

## WP-config.php

1. [Log into SSH](https://www.inmotionhosting.com/support/server/ssh/do-you-provide-ssh-access/), [cPanel or FTP](https://www.inmotionhosting.com/support/website/how-to-edit-a-file/)
2. Navigate to your WordPress [root directory](https://www.inmotionhosting.com/support/website/where-to-upload-files/)
3. Edit your wp-config.php file
4. Under your database lines (e.g. `define( 'DB_COLLATE', '' );`, add this to block users who try to login with specific usernames:`define('WP_FAIL2BAN_BLOCKED_USERS', ['^admin$', '^root$']);`This blocks any user login attempts including “admin” or “root”This is case-insensitive and you can use regular expression (regex) if you’re using [PHP 7 or higher](https://www.inmotionhosting.com/support/edu/cpanel/cpanel-multiphp-ini-editor/).
5. Add this to block enumeration: attempts:`define('WP_FAIL2BAN_BLOCK_USER_ENUMERATION', true);`
6. Save your changes

## Paid Version

Users with the paid subscription can block user enumeration attempts and login attempts within the WordPress dashboard:

1. [Log into your WordPress dashboard](https://www.inmotionhosting.com/support/edu/wordpress/logging-into-wordpress-dashboard/)
2. On the left, select **WP fail2ban**, then **Settings**
3. Click the **Users** tab
4. Check the **User Enumeration** box and add **Usernames** to block

![](https://www.inmotionhosting.com/support/wp-content/uploads/2020/01/fail2ban-wp-users.png)

Get more comfortable with the file with our [in-depth look at ](https://www.inmotionhosting.com/support/edu/wordpress/wp-config-file/)[wp](https://www.inmotionhosting.com/support/edu/wordpress/wp-config-file/)[.](https://www.inmotionhosting.com/support/edu/wordpress/wp-config-file/)[config](https://www.inmotionhosting.com/support/edu/wordpress/wp-config-file/)[.](https://www.inmotionhosting.com/support/edu/wordpress/wp-config-file/)[php](https://www.inmotionhosting.com/support/edu/wordpress/wp-config-file/).

Enhance your WordPress performance with our NGINX-powered [WordPress Hosting](https://www.inmotionhosting.com/wordpress-hosting).
