Create the following filter for wp-login in /etc/fail2ban/filter.d/wp-login.conf
<sxh bash>
[Definition]
failregex = ^<HOST> .* "POST /wp-login.php
ignoreregex =
</sxh>
\\
Append the following to /etc/fail2ban/jail.conf
<sxh bash>
[wp-login]
enabled = true
port = http,https
filter = wp-login
logpath = %(nginx_access_log)s
maxretry = 4
findtime = 7200
# bantime: 1 year
bantime = 31536000
</sxh>