There are many plugins that use a database to check for malicious IPs after they connect, and of course fail2ban stops repeated attacks, but what if bad IPs could be blocked before they attack? By working collaboratively - sharing attack data - WP fail2ban Blocklist does exactly that.
The Blocklist Network Service (BNS) collects attack data from participating sites, performs some analytical magic, and sends back a list of IPs that are attacking sites now but haven't yet attacked that site. In other words, each site periodically gets a unique list of IPs to block preemptively.
GDPR
The BNS doesn't collect personal data, and bots don't have rights.
That said, the BNS only collects the minimum data required (time, IP, event), and only for IPs that have behaved maliciously.
Of course, it is possible that some data is generated by people behaving maliciously, but the BNS has no way to differentiate - and nor should it: an attack is an attack.
Freemius
To work, the BNS must know:
- which sites are running the blocklist add-on,
- which version is in use,
- and a shared secret for secure communication.
Freemius already provides all these, and WP fail2ban already uses Freemius; why reinvent the wheel?
Therefore, unlike the core WP fail2ban plugin, you must opt into Freemius for the blocklist to work.
- Ensure WP fail2ban is installed. N.B. Requires version 4.4.0 or later.
- Install via the Plugin Directory, or upload to your plugins directory.
- Activate the plugin through the 'Plugins' menu in WordPress.
- Opt into Freemius; the Blocklist will not work without this.
- The Blocklist Network Service (BNS) uses the WordPress REST API to communicate. If there is another security plugin installed, be sure it allows access to the blocklist endpoint: /wp-json/wp-fail2ban/v1/blocklist
- Important: ensure you set maxretry = 1 in your wordpress-hard or wpf2b-blocklist-hard jail; the add-on will not work otherwise.
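The maxretry requirement above is easy to get wrong because fail2ban jails inherit maxretry from [DEFAULT] when the jail section does not set it. This added example (not part of the plugin) checks a jail file for the two jails named above; the sample jail.local and its logpath are constructed assumptions.

```sh
# Constructed sample jail.local (not from the plugin); logpath is an assumption.
SAMPLE_JAIL_LOCAL='[DEFAULT]
maxretry = 5

[wordpress-hard]
enabled = true
filter = wordpress-hard
logpath = /var/log/auth.log
maxretry = 1

[wpf2b-blocklist-hard]
enabled = true
filter = wpf2b-blocklist-hard
logpath = /var/log/auth.log
'

# jail_maxretry FILE JAIL: print the effective maxretry for JAIL, falling back
# to [DEFAULT] when the jail section does not set one (fail2ban inheritance).
jail_maxretry() {
    awk -v jail="$2" '
        /^\[/ { section = substr($0, 2, length($0) - 2); next }
        /^[ \t]*maxretry[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, "")
            if (section == jail) found = $0
            else if (section == "DEFAULT") dflt = $0
        }
        END { print (found != "" ? found : dflt) }
    ' "$1"
}

# check_blocklist_jail FILE JAIL: succeed only when the jail bans on the first
# match, which is what the blocklist add-on requires.
check_blocklist_jail() {
    value=$(jail_maxretry "$1" "$2")
    if [ "$value" = "1" ]; then
        echo "OK: [$2] maxretry = 1"
        return 0
    fi
    echo "FAIL: [$2] maxretry = ${value:-unset}; must be 1 for the add-on" >&2
    return 1
}

# Demo: the second jail inherits maxretry = 5 from [DEFAULT] and fails the check.
tmp=$(mktemp)
printf '%s' "$SAMPLE_JAIL_LOCAL" > "$tmp"
check_blocklist_jail "$tmp" wordpress-hard
check_blocklist_jail "$tmp" wpf2b-blocklist-hard || true
rm -f "$tmp"
```

Point check_blocklist_jail at your real /etc/fail2ban/jail.local (or jail.d file) to confirm the setting before enabling the add-on.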
Details of the configuration steps can be found here.