If you run wordpress and want to use fail2ban to block login-attacks, it's important to change the standard backend used by the wordpress jail.
I used this entry in /etc/fail2ban/jail.conf:
[wordpress-soft]
enabled = true
filter = wordpress-soft
logpath = /var/log/messages
action = smeserver-iptables[port="80,443",protocol=tcp,bantime=1800]
The filter worked, but attacks were not discovered and blocked. I had hundreds of attacks, logged in /var/log/messages, but not discovered by fail2ban.
Now, I've changed the backend to polling, and all seems fine. New snip from /etc/fail2band/jail.conf:
[wordpress-hard]
enabled = true
filter = wordpress-hard
logpath = /var/log/messages
maxretry = 3
action = smeserver-iptables[port="80,443",protocol=tcp,bantime=1800]
backend = polling
[wordpress-soft]
enabled = true
filter = wordpress-soft
logpath = /var/log/messages
action = smeserver-iptables[port="80,443",protocol=tcp,bantime=1800]
backend = polling