
ReportedIP Hive Light

Author: Patrick Schlesinger
Lightweight brute-force login protection with optional community-powered IP reputation checks.
Version
1.3.5
Last updated
May 20, 2026
ReportedIP Hive Light protects WordPress logins against brute-force and password-spray attacks. It is intentionally focused: a per-IP attempt counter, a progressive block ladder, and an optional community lookup. No bloat, no dashboards, no upsell.

Two operating modes

  • Local Shield (default). Counts failed logins per IP and blocks attackers based on configurable thresholds. The plugin makes zero outbound network requests in this mode — all data stays on your server.
  • Community Network (optional). When you enter a free Community Access Key from reportedip.de, the plugin additionally checks the source IP against the reportedip.de community database during login attempts and shares blocked IPs back to the community. Both calls are clearly disclosed in the settings UI.

How it works

  • wp_login_failed increments a per-IP counter using an atomic upsert, so concurrent failures from the same attacker cannot lose an increment.
  • When the counter exceeds your threshold, the IP is blocked for a duration drawn from a progressive ladder (5 min → 15 min → 30 min → 24 h → 48 h → 7 days); each further block moves one step up the ladder.
  • wp_authenticate_user short-circuits known-bad IPs before WordPress core checks the password.
  • Cache plugins (WP Rocket, W3 Total Cache, WP Super Cache, LiteSpeed) are prevented from caching the block page: it is served with HTTP 403 plus explicit Cache-Control: no-store, no-cache, must-revalidate, max-age=0 and Pragma: no-cache headers.
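The four steps above, as an added illustration written for this page rather than the plugin's own code. It assumes a table `{$wpdb->prefix}rip_attempts` with columns `ip` (primary key), `fails`, `strikes` and `blocked_until`; the hook names `rip_*`, the threshold and the table are assumptions, and whitelisting is left out.

```php
<?php
/**
 * Illustrative re-implementation of the Local Shield flow (not the plugin's code).
 * Assumed schema: ip VARCHAR(45) PRIMARY KEY, fails INT, strikes INT, blocked_until DATETIME NULL.
 */

// Progressive block ladder in seconds: 5 min, 15 min, 30 min, 24 h, 48 h, 7 days.
const RIP_LADDER    = [ 300, 900, 1800, 86400, 172800, 604800 ];
const RIP_THRESHOLD = 5; // assumed: failed attempts before the first block

function rip_client_ip(): string {
    // REMOTE_ADDR is the TCP peer and cannot be forged by the client. Do not read
    // X-Forwarded-For here unless a trusted reverse proxy is known to set it.
    return (string) ( $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0' );
}

function rip_record_failure( string $ip ): void {
    global $wpdb;
    $table = $wpdb->prefix . 'rip_attempts';
    // Atomic upsert: a single statement, so two concurrent failures both count.
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$table} (ip, fails, strikes) VALUES (%s, 1, 0)
         ON DUPLICATE KEY UPDATE fails = fails + 1",
        $ip
    ) );
    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT fails, strikes FROM {$table} WHERE ip = %s", $ip ) );
    if ( $row && (int) $row->fails >= RIP_THRESHOLD ) {
        // Pick the ladder step from the number of previous blocks, capped at the top.
        $step  = min( (int) $row->strikes, count( RIP_LADDER ) - 1 );
        $until = gmdate( 'Y-m-d H:i:s', time() + RIP_LADDER[ $step ] );
        $wpdb->query( $wpdb->prepare(
            "UPDATE {$table} SET blocked_until = %s, strikes = strikes + 1, fails = 0 WHERE ip = %s",
            $until, $ip
        ) );
        do_action( 'rip_ip_blocked', $ip, RIP_LADDER[ $step ] ); // assumed hook name
    }
}

// Fires for wrong passwords and for non-existent usernames alike.
add_action( 'wp_login_failed', function ( $username ) {
    rip_record_failure( rip_client_ip() );
} );

function rip_is_blocked( string $ip ): bool {
    global $wpdb;
    $table = $wpdb->prefix . 'rip_attempts';
    $until = $wpdb->get_var( $wpdb->prepare(
        "SELECT blocked_until FROM {$table} WHERE ip = %s", $ip ) );
    return $until !== null && strtotime( $until . ' UTC' ) > time();
}

// Short-circuit before the password check and make the response uncacheable.
add_filter( 'wp_authenticate_user', function ( $user, $password ) {
    if ( rip_is_blocked( rip_client_ip() ) ) {
        status_header( 403 );
        header( 'Cache-Control: no-store, no-cache, must-revalidate, max-age=0' );
        header( 'Pragma: no-cache' );
        return new WP_Error( 'rip_blocked', __( 'Too many failed logins. Try again later.' ) );
    }
    return $user;
}, 10, 2 );
```

One caveat worth knowing when reading the hook list: WordPress core applies `wp_authenticate_user` only after the submitted username has resolved to an existing account, so a spray against non-existent usernames is still counted (wp_login_failed fires) but is not short-circuited by that filter; a stricter variant would hook `authenticate` at a priority below 20, where core's username/password handler runs.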

Privacy

  • IP addresses are processed for the legitimate purpose of network security (GDPR Art. 6(1)(f)).
  • Usernames are stored only as a SHA-256 hash, salted with wp_salt(). Plain-text usernames are never persisted or transmitted.
  • In Local Shield mode, no data leaves your server. In Community Network mode, only the IP, hashed username, event type, and timestamp are sent — no domain, no contact details, no traffic data.

For developers

  • Filters: reportedip_hive_is_whitelisted, reportedip_hive_get_client_ip, reportedip_hive_event_category_map, reportedip_hive_api_endpoint.
  • Actions: reportedip_hive_log, reportedip_hive_ip_blocked, reportedip_hive_report_queued.
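An added example of consuming the hooks listed above from a site-specific mu-plugin; it is not code shipped by ReportedIP Hive Light. The page does not document the parameter lists, so the signatures used below are assumptions based on the hook names, as are the trusted-proxy and office ranges. The security point it demonstrates is that X-Forwarded-For must only be honoured when the TCP peer is a proxy you control; otherwise an attacker presents a fresh "client IP" on every request and never trips the counter, or gets a victim's address blocked by naming it.

```php
<?php
/**
 * Hypothetical consumer of the reportedip_hive_* hooks (written for this page).
 * Signatures below are assumptions; check the plugin source before relying on them.
 */

// Assumed: reverse proxies allowed to set X-Forwarded-For (CIDR notation).
const MY_TRUSTED_PROXIES = [ '10.0.0.0/8' ];

// Minimal CIDR match that works for IPv4 and IPv6 via inet_pton().
function my_ip_in_cidr( string $ip, string $cidr ): bool {
    [ $subnet, $bits ] = explode( '/', $cidr ) + [ null, 32 ];
    $ip_bin  = inet_pton( $ip );
    $net_bin = inet_pton( (string) $subnet );
    if ( $ip_bin === false || $net_bin === false || strlen( $ip_bin ) !== strlen( $net_bin ) ) {
        return false;
    }
    $bits  = (int) $bits;
    $bytes = intdiv( $bits, 8 );
    $rem   = $bits % 8;
    if ( substr( $ip_bin, 0, $bytes ) !== substr( $net_bin, 0, $bytes ) ) {
        return false;
    }
    if ( $rem === 0 ) {
        return true;
    }
    $mask = ( 0xFF << ( 8 - $rem ) ) & 0xFF;
    return ( ord( $ip_bin[ $bytes ] ) & $mask ) === ( ord( $net_bin[ $bytes ] ) & $mask );
}

// Assumed signature: receives the IP the plugin derived, returns the IP to count/block.
add_filter( 'reportedip_hive_get_client_ip', function ( string $ip ): string {
    $peer = (string) ( $_SERVER['REMOTE_ADDR'] ?? '' );
    $xff  = (string) ( $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '' );
    if ( $xff === '' ) {
        return $ip;
    }
    foreach ( MY_TRUSTED_PROXIES as $cidr ) {
        if ( my_ip_in_cidr( $peer, $cidr ) ) {
            // The rightmost entry was appended by our own proxy; earlier hops are client-controlled.
            $hops      = array_map( 'trim', explode( ',', $xff ) );
            $candidate = end( $hops );
            if ( filter_var( $candidate, FILTER_VALIDATE_IP ) ) {
                return $candidate;
            }
        }
    }
    return $ip; // untrusted peer: ignore the header entirely
} );

// Assumed signature: (bool $whitelisted, string $ip). Never block the office range.
add_filter( 'reportedip_hive_is_whitelisted', function ( bool $whitelisted, string $ip ): bool {
    return $whitelisted || my_ip_in_cidr( $ip, '203.0.113.0/24' ); // assumed office range
}, 10, 2 );

// Assumed signature: (string $ip, int $seconds). Forward block events to the server log / SIEM.
add_action( 'reportedip_hive_ip_blocked', function ( string $ip, int $seconds ): void {
    error_log( sprintf( 'reportedip-hive: blocked %s for %d s', $ip, $seconds ) );
}, 10, 2 );
```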

A free Community Access Key is available at reportedip.de. The plugin works without one in Local Shield mode.

External services

This plugin can connect to the ReportedIP API at https://reportedip.de. All external requests are opt-in only — they are made exclusively when (a) a «Community Access Key» has been entered in the plugin settings and (b) the «Operation Mode» is set to «Community Network». The default mode is «Local Shield», which performs zero external requests.

Endpoint 1: IP-reputation lookup

  • URL: https://reportedip.de/wp-json/reportedip/v2/check?ip={ip}
  • HTTP verb: GET
  • Auth header: X-Key: {your-access-key}
  • Trigger: a login attempt reaches wp_authenticate_user
  • Timeout: 2 seconds (fail-open — login proceeds when the API does not respond)
  • Data sent: only the source IP address of the current login attempt
  • Data NOT sent: usernames, passwords, cookies, server identifiers, domain name

Endpoint 2: Blocked-IP report

  • URL: https://reportedip.de/wp-json/reportedip/v2/report
  • HTTP verb: POST (JSON body)
  • Auth header: X-Key: {your-access-key}
  • Trigger: a brute-force / spray threshold has been exceeded; the report is queued in the database and dispatched by a 15-minute cron job
  • Data sent: the offending IP, an integer category ID for the threat type, and a short human-readable comment (e.g. «5 failed logins in 15 minutes»)
  • Data NOT sent: usernames in plain text, passwords, full request bodies, domain name, contact information

Endpoint 3: Access-key verification

  • URL: https://reportedip.de/wp-json/reportedip/v2/verify-key
  • HTTP verb: GET
  • Auth header: X-Key: {entered-key}
  • Trigger: an administrator clicks «Test connection» in the plugin settings
  • Data sent: only the access key under verification
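An added client for the lookup and report endpoints above, written for this page to show the documented behaviour (X-Key header, 2-second fail-open lookup, queued reports flushed by a 15-minute cron). It is not the plugin's own code. The response schema, the JSON field names in the report body, the queue table and the option names are assumptions; the page documents none of them.

```php
<?php
/**
 * Illustrative Community Network client (not the plugin's code).
 * Assumed: the check endpoint answers JSON with a boolean "reported" field;
 * the report body uses the keys "ip", "category" and "comment";
 * a queue table {$wpdb->prefix}rip_report_queue (id, ip, category, comment, sent_at).
 */
const RIP_API_BASE = 'https://reportedip.de/wp-json/reportedip/v2/';

function rip_lookup_ip( string $ip, string $key ): bool {
    // add_query_arg() does not encode values, so encode the IP (IPv6 contains ':').
    $url  = add_query_arg( 'ip', rawurlencode( $ip ), RIP_API_BASE . 'check' );
    $resp = wp_remote_get( $url, [
        'timeout'   => 2,     // documented: 2 s, then fail-open
        'sslverify' => true,  // never disable TLS verification for a reputation feed
        'headers'   => [ 'X-Key' => $key, 'Accept' => 'application/json' ],
    ] );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return false; // fail-open: treat as not reported, Local Shield still applies
    }
    $body = json_decode( wp_remote_retrieve_body( $resp ), true );
    return is_array( $body ) && ! empty( $body['reported'] ); // assumed field name
}

function rip_flush_report_queue( string $key ): void {
    global $wpdb;
    $table = $wpdb->prefix . 'rip_report_queue';
    $rows  = $wpdb->get_results(
        "SELECT id, ip, category, comment FROM {$table} WHERE sent_at IS NULL LIMIT 50" );
    foreach ( $rows as $row ) {
        $resp = wp_remote_post( RIP_API_BASE . 'report', [
            'timeout' => 5,
            'headers' => [ 'X-Key' => $key, 'Content-Type' => 'application/json' ],
            'body'    => wp_json_encode( [
                'ip'       => $row->ip,
                'category' => (int) $row->category,
                'comment'  => $row->comment, // e.g. "5 failed logins in 15 minutes"
            ] ),
        ] );
        $code = (int) wp_remote_retrieve_response_code( $resp );
        if ( ! is_wp_error( $resp ) && $code >= 200 && $code < 300 ) {
            $wpdb->update( $table, [ 'sent_at' => current_time( 'mysql', true ) ], [ 'id' => $row->id ] );
        }
        // On failure the row stays queued and is retried on the next cron run.
    }
}

// Only dispatch when a key is set AND Community Network mode is active (assumed option names).
add_action( 'rip_flush_queue', function (): void {
    $key  = (string) get_option( 'rip_access_key', '' );
    $mode = (string) get_option( 'rip_mode', 'local' );
    if ( $key !== '' && $mode === 'community' ) {
        rip_flush_report_queue( $key );
    }
} );
add_filter( 'cron_schedules', function ( array $s ): array {
    $s['rip_15min'] = [ 'interval' => 900, 'display' => 'Every 15 minutes' ];
    return $s;
} );
add_action( 'init', function (): void {
    if ( ! wp_next_scheduled( 'rip_flush_queue' ) ) {
        wp_schedule_event( time(), 'rip_15min', 'rip_flush_queue' );
    }
} );
```

Fail-open is the right default for a reputation lookup: an API outage, or an attacker who can make the API slow, degrades the site to Local Shield behaviour rather than locking every user out. The cost is up to two seconds of added latency per login attempt while the API is unreachable.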

Hashing of submitted usernames

When a brute-force attempt is detected and the failing username is recorded locally, the plugin stores sha256( username + wp_salt() ) only, never the plain text. The salted hash is also what would be transmitted with a report, preventing recipients from recovering the original username. Because wp_salt() is derived from each site's own secret keys, the same username produces a different hash on every site, so hashes cannot be correlated across reporting sites either.

Service provider

You can switch back to Local Shield mode at any time in Settings → ReportedIP Hive → Connection. Doing so stops all external traffic immediately.

Bundled assets

This plugin ships every stylesheet and script it needs inside the plugin folder. No CDN, no Google Fonts, no remote stylesheets, no remote scripts are loaded — every asset URL begins with the plugin’s own wp-content/plugins/reportedip-hive/ path.

The full list of bundled, locally-served assets:

  • assets/css/design-system.css — design tokens and components used on every plugin admin page.
  • assets/css/admin.css — admin-page overrides on top of the design system.
  • assets/css/wizard.css — standalone styles for the first-run setup wizard.
  • assets/js/admin.js — handles tab switching and the AJAX «Test connection» button. Its only network call is fetch() against WordPress’ own admin-ajax.php (same origin); no third-party endpoint is contacted.
  • Inline SVG icons (the shield logo, the menu icon, and trust-badge glyphs) are emitted from PHP via wp_kses() with an explicit allow-list — no <img> element points at an external host.

The complete list of files distributed in the WordPress.org ZIP is visible at Plugins → Plugin File Editor once the plugin is installed.

Third-party services and licences

  • GPLv2 (or later) licence text is bundled with the plugin in the LICENSE file at the plugin root and is also referenced from the plugin header (License URI: https://www.gnu.org/licenses/gpl-2.0.html).
  • No third-party PHP, JavaScript, or CSS libraries are bundled with the plugin. There is no Composer vendor/ directory, no jQuery copy, no minified third-party bundle. WordPress itself supplies any global scripts (jquery, wp-list-table, etc.) and the plugin only depends on WordPress core APIs.
  • The only external HTTP service the plugin can talk to is the https://reportedip.de/wp-json/reportedip/v2/ API, and only when the administrator has explicitly enabled Community Network mode — see the «External services» section above for the full data flow.

Privacy

  • IP addresses are processed under GDPR Art. 6(1)(f) (legitimate interest in network security).
  • Usernames are stored as a salted SHA-256 hash; plain-text values are never persisted or transmitted.
  • In Local Shield mode (default) no data leaves your server.
  • In Community Network mode the data listed above is sent to reportedip.de.
  • Data retention is configurable in Settings → Privacy. The default attempt window is 15 minutes; the API queue retention is 7 days.
  • Activate «Delete all data on uninstall» in Settings → Privacy to remove all plugin tables and options when the plugin is deleted.

Disclaimer

ReportedIP Hive Light is provided «as is», without warranty of any kind, express or implied, including but not limited to warranties of merchantability, fitness for a particular purpose, and non-infringement. The author shall not be liable for any claim, damages, or other liability arising from the use of this software (this is the standard GPLv2-or-later disclaimer; see the LICENSE file for the full text).

The plugin provides defense-in-depth against brute-force and password-spray login attacks. It does not replace strong passwords, two-factor authentication, server-level firewalls, or web-application firewalls. No single security measure offers a 100 % guarantee against compromise. You remain responsible for the overall security posture of your WordPress site.

The optional Community Network mode forwards data to the third-party service operated at https://reportedip.de — see the «External services» section above for the full data flow. Site operators that enable Community Network mode are responsible for assessing the lawful basis under their applicable data-protection regime (in the EU, GDPR Art. 6(1)(f) — legitimate interest in network security — typically applies) and for updating their own privacy policy accordingly.

Tested up to
WordPress 6.9.4