Severe problems with filters included with v3.0
Updating the plug-in itself (the php) alters the way the plugin writes to the system logs (/var/log/messages on Redhat/CentOS) and thus:
- unknown users are no longer blocked
- xml-rpc failed authentications are no longer blocked

Whereas in wp-fail2ban v2.3.1 an xml-rpc authentication attempt or an authentication attempt from an unknown user was merely logged as an “authentication failure” and thus easily caught by one simple filter line... wp-fail2ban v3.0 now defines those attempts as an “authentication attempt for unknown user x” where x is the username or as “XML-RPC authentication failure from x.x.x.x”. This is more accurate, but unless the filters are updated to take note of these, things break.
To confuse things further, two filter files are included. But neither of them is quite right.
wordpress-soft.conf will catch known users when they fail to authenticate. And it will catch the new xml-rpc failures. But it won’t catch unknown users.
wordpress-hard.conf, due to a missing “.*” already noted by others, will not catch unknown users at all. Nor will it catch known users, nor xml-rpc attempts. It’s the worst of all possible choices.
Watching my /var/log/messages and /var/log/fail2ban.log while doing some testing, I eventually confirmed that the following will work (in the end, I decided against using either of the provided filters and instead just adjusted the existing one provided in wp-fail2ban v2.3.1):
# Continuation lines of a multi-line value must be indented, otherwise fail2ban will not parse the filter
failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
            ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
            ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
            ^%(__prefix_line)sPingback requested from <HOST>$
            ^%(__prefix_line)sXML-RPC authentication failure from <HOST>$
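To check what each filter actually catches, here is an added Python script (not part of the original post or of wp-fail2ban) that runs the single v2.3.1-style line and the six-line filter above over constructed /var/log/messages lines in the v3.0 wording. The PREFIX_LINE and HOST regexes are simplified stand-ins for fail2ban's %(__prefix_line)s and <HOST> expansions, not the real common.conf definitions.

```python
import re

# Simplified stand-in (assumption) for fail2ban's %(__prefix_line)s:
# "Mon DD HH:MM:SS host ident[pid]: " as written by syslog; optional so bare lines match too
PREFIX_LINE = r"(?:\w{3}\s+\d{1,2}\s[\d:]{8}\s\S+\s[^:\[]+(?:\[\d+\])?:\s+)?"
# Simplified stand-in for fail2ban's <HOST> placeholder (IPv4 only, named group "host")
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_filter(patterns):
    """Expand the two fail2ban placeholders and compile each failregex line."""
    return [re.compile(p.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST))
            for p in patterns]


# The one line that was enough with wp-fail2ban v2.3.1
OLD_FILTER = compile_filter([r"^%(__prefix_line)sAuthentication failure for .* from <HOST>$"])

# The six-line filter from the post, covering the v3.0 message formats
NEW_FILTER = compile_filter([
    r"^%(__prefix_line)sAuthentication failure for .* from <HOST>$",
    r"^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$",
    r"^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$",
    r"^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$",
    r"^%(__prefix_line)sPingback requested from <HOST>$",
    r"^%(__prefix_line)sXML-RPC authentication failure from <HOST>$",
])


def matched_hosts(filter_regexes, lines):
    """For each log line, return the host a failregex attributes it to, or None if nothing matches."""
    out = []
    for line in lines:
        host = None
        for rx in filter_regexes:
            m = rx.match(line)
            if m:
                host = m.group("host")
                break
        out.append(host)
    return out


# Constructed sample log lines (documentation IPs) in the wp-fail2ban v3.0 wording, plus one unrelated sshd line
SAMPLE_LOG = [
    "Mar  3 10:15:01 web1 wordpress(example.com)[2311]: Authentication failure for admin from 203.0.113.5",
    "Mar  3 10:15:07 web1 wordpress(example.com)[2311]: Authentication attempt for unknown user root from 203.0.113.5",
    "Mar  3 10:15:12 web1 wordpress(example.com)[2311]: XML-RPC authentication failure from 198.51.100.9",
    "Mar  3 10:15:20 web1 wordpress(example.com)[2311]: Blocked user enumeration attempt from 198.51.100.9",
    "Mar  3 10:16:00 web1 sshd[900]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2",
]

if __name__ == "__main__":
    for name, f in (("v2.3.1 filter", OLD_FILTER), ("updated filter", NEW_FILTER)):
        print(name, matched_hosts(f, SAMPLE_LOG))
```

The old filter only attributes the first line; the unknown-user and XML-RPC lines fall through unmatched, which is exactly why those attempts stopped being banned after the upgrade.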