WordPress Security Plugin · Multi-Site · Made in Germany

ReportedIP Hive — stop brute-force attacks before they reach WordPress

Real-time IP reputation from a community threat network, sixteen attack sensors incl. a Web Application Firewall and four-method two-factor authentication. Open-source core, EU-hosted relay, GDPR-ready DPA — built and operated in Germany.

Prefer to self-host the free edition? Download Hive on GitHub — full local protection, no signup.

Version 2.1.4 · PHP 8.1+ · WP 5.0–6.9 · Open source (GPL-2.0) · No telemetry · EU-hosted relay, EU-only mail & SMS, DPA included · Made in Germany

16 detection sensors out of the box

Each common WordPress attack vector has a dedicated sensor with tunable thresholds. None of them requires the community network; all of them run in Local Shield mode. The table lists the main sensors with their default thresholds.

Sensor | Default threshold | What it catches
Failed Logins | 5 / 15 min | Brute-force protection on wp-login, REST and XML-RPC.
Password Spray | 5 distinct usernames / 10 min | Hash-based detection of attackers cycling usernames.
Comment Spam | 5 / 60 min | Automated comment-form spam.
XML-RPC Abuse | 10 / 60 min | system.multicall amplification; repeated wp.getUsers tracked separately.
App-Password Abuse | 5 / 15 min | REST/XML-RPC bypass attempts against application passwords.
REST API Rate-Limit | 240 global / 20 sensitive per 5 min | Public REST floods; authenticated users bypass the limit.
User Enumeration | First probe blocks | ?author=, /wp-json/wp/v2/users, oEmbed disclosure.
Scanner / 404 | 12 / 2 min, instant on known-bad paths | .env, wp-config.bak, /.git/, plugin paths.
Geographic Anomaly | First occurrence | New country / continent triggers a fresh 2FA challenge.
Password Policy | Configurable | Length, character classes, optional HIBP k-anonymity check.
WooCommerce Login | 5 / 15 min (separate counter) | my-account and checkout pages tracked independently.
Consent Endpoints | Always bypassed | Real Cookie Banner, Complianz, Borlabs, CookieYes are never throttled.
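To make the first two rows concrete, here is an added example (not code from the Hive plugin) of how a sliding-window "Failed Logins" sensor (5 / 15 min) and a hash-based "Password Spray" sensor (5 distinct usernames / 10 min) can share one per-IP event list. The class name, the in-memory storage and the reading of "hash-based" as "usernames are kept only as keyed hashes" are assumptions; a plugin would keep the windows in the object cache instead.

```php
<?php
declare(strict_types=1);

// Added example, not ReportedIP Hive code. In-memory model of two sensors from the
// table above; all names are assumptions. Requires PHP 8.1+ (readonly promotion).
final class HiveExampleLoginSensors
{
    private const FAILED_LIMIT  = 5;        // 5 failures ...
    private const FAILED_WINDOW = 15 * 60;  // ... within 15 minutes
    private const SPRAY_LIMIT   = 5;        // 5 distinct usernames ...
    private const SPRAY_WINDOW  = 10 * 60;  // ... within 10 minutes

    /** @var array<string, list<array{0:int,1:string}>> ip => [[timestamp, usernameHash], ...] */
    private array $events = [];

    public function __construct(private readonly string $secret) {}

    /** Usernames are never stored in clear; a keyed hash is enough to count distinct values. */
    private function hashUsername(string $username): string
    {
        return hash_hmac('sha256', strtolower(trim($username)), $this->secret);
    }

    /**
     * Record one failed login for $ip and return the sensors that trip on this event,
     * e.g. [] or ['failed_login'] or ['failed_login', 'password_spray'].
     * $now is injected (Unix seconds) so the window logic is deterministic.
     *
     * @return list<string>
     */
    public function recordFailure(string $ip, string $username, int $now): array
    {
        $this->events[$ip][] = [$now, $this->hashUsername($username)];

        // Drop everything older than the longest window so memory stays bounded per IP.
        $horizon = $now - max(self::FAILED_WINDOW, self::SPRAY_WINDOW);
        $this->events[$ip] = array_values(array_filter(
            $this->events[$ip],
            static fn(array $e): bool => $e[0] > $horizon
        ));

        $fired = [];

        // Failed Logins: plain count inside the 15-minute window.
        $recentFailures = array_filter(
            $this->events[$ip],
            static fn(array $e): bool => $e[0] > $now - self::FAILED_WINDOW
        );
        if (count($recentFailures) >= self::FAILED_LIMIT) {
            $fired[] = 'failed_login';
        }

        // Password Spray: number of distinct username hashes inside the 10-minute window.
        $sprayHashes = [];
        foreach ($this->events[$ip] as [$ts, $hash]) {
            if ($ts > $now - self::SPRAY_WINDOW) {
                $sprayHashes[$hash] = true;
            }
        }
        if (count($sprayHashes) >= self::SPRAY_LIMIT) {
            $fired[] = 'password_spray';
        }

        return $fired;
    }
}

// Constructed sample input: one IP hammering a single account, another cycling usernames.
$sensors = new HiveExampleLoginSensors('per-site-secret-rotate-me');
$t0 = 1_700_000_000;

$fired = [];
foreach (['admin', 'admin', 'admin', 'admin', 'admin'] as $i => $user) {
    $fired = $sensors->recordFailure('203.0.113.10', $user, $t0 + $i * 30);
}
printf("203.0.113.10 after 5 failures on one account: %s\n", implode(',', $fired) ?: 'nothing');

foreach (['alice', 'bob', 'carol', 'dave', 'erin'] as $i => $user) {
    $fired = $sensors->recordFailure('198.51.100.7', $user, $t0 + $i * 60);
}
printf("198.51.100.7 after 5 distinct usernames: %s\n", implode(',', $fired) ?: 'nothing');
```

Run with `php sensors.php`. The first IP trips only the failed-login sensor on its fifth attempt; the second trips both, because five distinct usernames inside four minutes are also five failures inside fifteen. The point of the keyed hash is that a dump of the sensor state reveals how many accounts were probed, not which ones.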

Four 2FA methods in the core

All four methods live in the core. TOTP, Email and WebAuthn work on every plan including Free; SMS delivery runs over our managed EU relay (included from Professional, or bring your own provider on Free). Plus 10 single-use recovery codes, trusted-device support (auto-revoked on geo anomaly), and a password-reset gate that requires non-email 2FA before a new password is accepted.

TOTP

Authenticator App

Time-based codes that work offline. Compatible with Google Authenticator, Authy, 1Password, Microsoft Authenticator. Secrets encrypted at rest. RFC 6238.

Email OTP

6-digit Code

Sent through local wp_mail() in Local Shield; on Professional and above it switches to the managed relay for more reliable delivery. Rate-limited, codes stored only as hashes.

SMS OTP

EU-only Providers

Sipgate, MessageBird, seven.io — EU-only, with explicit DPA. Geo-restricted whitelist (29 countries). Phone numbers encrypted.

WebAuthn

Passkey / Hardware Key

Phishing-resistant. Face ID, Touch ID, Windows Hello, YubiKey. RS256 + ES256, packed/none attestation. No external dependencies.

Password reset, shielded by 2FA — not just login

A stolen mailbox should not be a master key to your WordPress site. Hive wraps the lost-password flow with the same 2FA gate as the login — and the recovery channel (email) is excluded from the eligible methods, because the reset link itself arrives by email.

No email bypass

Email excluded from reset 2FA

A compromised mailbox cannot double as the second factor. The reset link and the 2FA confirmation must arrive on different channels — TOTP, Passkey, SMS or a single-use recovery code.

Defense in depth

Two-stage WordPress hook

Gated twice — once when the reset form loads, once at password_reset. A direct POST against the reset form without a verified token returns WP_Error immediately.

10-minute, single-use token

Bound to user + key + IP

The verified-reset transient is scoped to user ID, the hashed reset key and the hashed client IP. Consumed on first use, expires after 10 minutes.

Shared with login throttle

No separate brute-force surface

Failed reset-challenge attempts feed the same IP throttle that already shields wp-login.php. Because email is not an eligible method here, accounts whose only second factor is email have nothing to verify with; an optional hard block refuses the reset flow for them and notifies an administrator.
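The four cards above describe one mechanism: a short-lived, single-use token bound to user, reset key and IP, checked both when the reset form loads and when the new password is submitted. The following added example (not the plugin's own code) implements that gate as a small mu-plugin on stock WordPress APIs. Assumptions: the function and transient names are made up; the second-factor verification itself (TOTP, passkey, SMS or recovery code) is outside this snippet and is expected to call hive_ex_issue_reset_token() once on success; the hook used is validate_password_reset rather than the password_reset action named above, because an error added there aborts the reset before reset_password() runs; WordPress's own per-reset user_activation_key stands in for "the hashed reset key".

```php
<?php
/**
 * Added example, not ReportedIP Hive code. Drop into wp-content/mu-plugins/ to try it.
 * Names prefixed hive_ex_ are assumptions; everything else is core WordPress API.
 */

const HIVE_EX_RESET_TTL = 10 * MINUTE_IN_SECONDS;   // 10-minute token, as described above

/** Client IP. Behind a reverse proxy you must read the header your edge sets; none is assumed here. */
function hive_ex_client_ip(): string {
    return isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '';
}

/**
 * Transient name bound to user ID + hashed reset key + hashed IP.
 * $user->user_activation_key is WordPress's hashed, per-reset key, so a token earned for one
 * reset link is useless for a later link, and a token earned from one IP is useless from another.
 */
function hive_ex_reset_token_name(WP_User $user, string $ip): string {
    $material = $user->ID . '|' . wp_hash((string) $user->user_activation_key) . '|' . wp_hash($ip);
    return 'hive_ex_reset_' . hash('sha256', $material);   // 14 + 64 chars, within the transient name limit
}

/** Call exactly once after the user passes a non-email second factor on the reset page. */
function hive_ex_issue_reset_token(WP_User $user): void {
    set_transient(hive_ex_reset_token_name($user, hive_ex_client_ip()), time(), HIVE_EX_RESET_TTL);
}

/** Stage 1 (reset form load): the token must exist but is not consumed yet. */
function hive_ex_has_reset_token(WP_User $user): bool {
    return false !== get_transient(hive_ex_reset_token_name($user, hive_ex_client_ip()));
}

/**
 * Stage 2 (password submit): read, then delete, so the token is single-use.
 * With a persistent object cache this read-then-delete is not atomic; a strict deployment
 * would use the cache backend's atomic delete-and-return instead.
 */
function hive_ex_consume_reset_token(WP_User $user): bool {
    $name    = hive_ex_reset_token_name($user, hive_ex_client_ip());
    $present = false !== get_transient($name);
    delete_transient($name);
    return $present;
}

/**
 * Core fires validate_password_reset both when the rp form is rendered (GET) and on the
 * pass1/pass2 POST, immediately before reset_password(). Any error added here makes
 * wp-login.php skip reset_password() and re-render the form with the message, which is the
 * "direct POST without a verified token fails" behaviour; a full plugin would redirect the
 * GET case to its 2FA challenge instead of just showing the error.
 */
add_action('validate_password_reset', function ($errors, $user): void {
    if (! ($user instanceof WP_User) || ! ($errors instanceof WP_Error)) {
        return; // invalid or expired reset key: core already handles that case
    }
    $submitting = isset($_POST['pass1']);
    $allowed    = $submitting ? hive_ex_consume_reset_token($user) : hive_ex_has_reset_token($user);
    if (! $allowed) {
        $errors->add(
            'hive_ex_2fa_required',
            __('Confirm a non-email second factor before choosing a new password.', 'hive-ex')
        );
    }
}, 10, 2);
```

Binding to the hashed reset key matters more than it looks: without it, an attacker who once passed the challenge (say, from a trusted device) could reuse that proof against a fresh reset link requested later from the same IP. Binding to the IP is the weaker half, since it breaks for users on carrier NAT or mobile networks that change address mid-flow; the 10-minute TTL keeps that inconvenience short.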

Two operating modes

Default is fully offline. The community network is opt-in and never mandatory.

Local Shield

100 % offline, no account

All 16 sensors and the full 2FA suite run locally on your own server. No calls to ReportedIP, no telemetry, no API key; the only outbound requests are the optional HIBP password check and the plugin's update check against GitHub Releases.

  • All 16 detection sensors active
  • Full 2FA suite (TOTP, Email, SMS, WebAuthn)
  • Manual whitelist and blocklist management
  • Zero external dependencies

Default after install. Switch any time.

Community Network

Real-time threat intelligence

Pre-auth IP reputation lookups against the public database. Coordinated-attack detection across thousands of sites. Anonymised reports flow back so every attack makes the network smarter.

  • Pre-authentication reputation lookup
  • Coordinated-attack detection
  • Threat feed access (community-driven blacklist)
  • Strictly opt-in — no usernames, no comment content

Free account at reportedip.de required. Free forever.

Privacy by design

We sweat the small stuff so you don’t have to defend the choice in front of a DPO.

What community reports actually contain

Just the attacker’s IP, a threat-category tag (failed_login, comment_spam, etc.), and a timestamp. No usernames, no comment bodies, no request payloads, no user-agents. The network needs to know that an IP attacked, not how or who. Mail and SMS relay use EU-only providers (Mailjet FR, seven.io DE) under signed DPA.

WooCommerce-aware out of the box

Three protection layers, each on the right tier — failure tracking on Free, themed Frontend 2FA from Professional, full white-label integration on Business.

Login & checkout failure tracking — Free

Failed customer logins on /my-account/ and checkout-form abuse feed the same brute-force counter as wp-login attempts — on every plan, including Free. Hooks: woocommerce_login_failed and woocommerce_checkout_login_form_failed_login.

Frontend 2FA in your storefront — Professional

The second factor renders inside your active theme. No wp-login bouncer, no “log in to wp-admin to verify” detour. Customer self-service on a configurable setup slug (default reportedip-hive-2fa-setup) — never inside /wp-admin/. Cart and checkout state survive the redirect roundtrip; the trusted-device cookie is shared with the wp-login flow.

Complete integration — Business

White-label onboarding wizard, themed mail templates, and Subscriptions / Memberships audit. Agencies ship Hive under their own brand — customers never see “ReportedIP” until the support escalation page.

The lowest price per protected domain

Most security plugins are licensed per single site. Hive is licensed per plan — so the more sites you run, the less each one costs. Every price includes 19 % VAT.

Plan | Price | Sites | € / domain | Highlights
Free | 0 € | 1 | 0 € | All 16 sensors + WAF + 2FA, Local Shield
Professional | 14.90 €/mo | 3 | 4.97 € | Managed mail/SMS relay, Hardening Mode
Business | 39 €/mo | 15 | 2.60 € | White-label, full WP-CLI, GDPR export
Enterprise | from 99 €/mo | unlimited | n/a | Custom AVV, dedicated onboarding

No paywall on the protection

Every sensor and every 2FA method lives in the open-source core and stays free. Paid plans add managed mail/SMS delivery, multi-site licensing and higher API quotas — never the security itself. The relay runs on EU-only providers (Mailjet FR, seven.io DE) under signed DPA. Annual billing saves 17 % (149 €/yr Professional, 389 €/yr Business).

Pick a plan

The protection is identical on every tier. All prices incl. 19 % VAT.

Plans for every site

The Hive plugin is free and open source forever. Paid plans add managed 2FA mail and SMS relay, multi-site management, and higher API quotas.

Free

Local protection, free forever

Free
  • Full local Hive plugin — all 16 attack sensors
  • Web Application Firewall (engine + OWASP-Top-10 baseline ruleset)
  • Verified-bot detection, disposable-email blocking & comment honeypot
  • Basic security headers + protection & hardening score
  • Block-page reference codes & MainWP integration
  • Complete 2FA suite (TOTP, Email, WebAuthn; SMS with your own EU provider)
  • 1,000 API checks / day
  • 50 reports / day
  • 1 domain
  • Community support

Business

Agencies, WooCommerce, white-label

389.00 € / year incl. 19 % VAT (32.42 € / month, billed yearly)
  • Everything in Professional
  • 100,000 API checks / day
  • 5,000 reports / day
  • 2,500 2FA mails / month included
  • 75 2FA SMS / month included
  • Up to 15 domains per licence
  • Need more capacity? Book 2×–20× Business — the whole plan (API quota, 2FA mail/SMS, domains) multiplies, with an automatic volume discount
  • White-label setup wizard, 2FA pages, mail templates
  • WooCommerce complete integration (white-label templates, Subscriptions / Memberships audit)
  • Audit event trail: append-only user-lifecycle log (logins, password resets, role changes incl. acting user) with CSV/JSON export
  • GDPR export tool
  • Priority support, 12 h SLA

14-day money-back guarantee. Cancel anytime.

Compare all plans

Includes Contributor and Enterprise tiers plus the full feature comparison table.

Running Hive for clients?

Built for freelancers and agencies who secure more than one WordPress site.

  • One licence covers 3 sites (Professional) or 15 sites (Business) — not one purchase per client
  • White-label: ship Hive under your own brand — clients never see “ReportedIP” (Business)
  • WP-CLI bulk onboarding plus Settings Import/Export for staging→production
  • Resell managed security at a 2.60 € per-domain cost base

Up and running in under 5 minutes

No Composer, no build step, no external dependencies. The setup wizard walks you through everything.

Download

Grab the latest release ZIP from GitHub Releases. The same build powers every plan from Free to Business.

Upload & activate

In WP Admin: Plugins → Add New → Upload Plugin. Pick the ZIP, activate. The 10-step setup wizard launches automatically.

Configure

Pick Local Shield or Community Network. Enable 2FA roles. Done. Auto-updates via the GitHub Plugin Update Checker (PUC v5.6+).

Plugin FAQ

Specific to the WordPress plugin. For platform-wide questions see the general FAQ.

Does it work on multisite (WP Network)?

Yes. Hive activates network-wide and tracks attacks per site, with optional global blocklist sharing across the network. The multi-site licence (Professional = 3 sites, Business = 15 sites) controls how many independent sites can use the managed mail/SMS relay.

How does the auto-update mechanism work?

Hive ships with the Plugin Update Checker (PUC v5.6+). The plugin checks GitHub Releases every 12 h. When a new vX.Y.Z tag is pushed to the repository, a GitHub Action builds the release ZIP and the WordPress dashboard surfaces the update like any plugin from WordPress.org.

Will it slow down my site?

Not measurably. Sensor counters live in the object cache (Redis when available), so lookups take milliseconds. Reputation API responses are cached locally with ETag support, which also saves API credits. The admin dashboard loads on demand and never on the front-end.

Is it compatible with caching plugins (WP Rocket, W3 Total Cache, LiteSpeed)?

Yes. All plugin admin and login pages are excluded from page cache automatically. Reputation lookups run server-side before WordPress renders, so cached pages are served untouched; a fully cached front-end hit never reaches PHP, and the sensors act on login, REST, XML-RPC and other uncached requests. We test against WP Rocket every release.

Can I export the logs / blocked IPs?

Yes. Every list table (Blocked IPs, Whitelist, Logs, API Queue, 2FA Grid) supports CSV and JSON export from the admin UI. WP-CLI commands cover the same operations for automation (full WP-CLI on Business+).

What is the difference between Hive and Hive Light?

The Full Edition documented on this page ships via GitHub Releases and is the complete security suite: sixteen sensors incl. a Web Application Firewall, four-method 2FA, multisite, WooCommerce integration, tier-based pricing, managed mail / SMS relay. Hive Light is the focused brute-force login protector on WordPress.org: no 2FA, no tiers, no upsell. Pick one — never install both side-by-side. Light Edition documentation lives at /docs/wordpress-plugin-light/.

Why two editions instead of one plugin?

WordPress.org plugin guidelines disallow upsell, managed paid relays and tier-based multi-site licensing, all of which the Full Edition relies on. Rather than strip the Full Edition down to fit those rules, we publish a focused Light Edition on wp.org so casual users can install Hive in one click from inside Plugins → Add New. The two plugins share authorship, security model and the underlying Community Network API.

Can I migrate from Hive Light to Hive (Full)?

Yes. Deactivate Hive Light, install the Full Edition ZIP from GitHub, then activate. Both editions use the same wp_reportedip_hive_* table prefix; the Full Edition extends the schema idempotently and preserves your existing attempts, blocked IPs, whitelist and queue. Settings are mostly compatible — the Full Edition adds many new options that simply default to the same values.

What is paywalled, and what stays free?

The protection is never paywalled: all sixteen sensors and all four 2FA methods are in the open-source core and free forever, on every plan. Paid plans (Professional 14.90 €/mo, Business 39 €/mo) add the convenience layer — managed 2FA mail and SMS delivery, multi-site licensing (3 or 15 domains on one licence), higher API quotas, Hardening Mode, white-label and full WP-CLI. All prices incl. 19 % VAT.

Is there a trial or money-back guarantee?

You can run the free edition indefinitely. Paid plans come with a voluntary 14-day money-back guarantee (under § 12 of our Terms, excluding already-consumed SMS or mail bundle credits) and you can cancel any time from the dashboard.

ReportedIP Hive feature guides

In-depth guides to every Hive security feature — attack sensors, the 2FA suite, progressive blocking, threat intelligence and privacy.

Secure every site you run with Hive Pro

Three sites for 14.90 €/mo — managed 2FA delivery, multi-site licensing and Hardening Mode. 14-day money-back, cancel any time.
