12 Attack Sensors That Catch WordPress Intrusions in Real Time
WordPress attack detection is only as good as the signals it watches. ReportedIP Hive runs 12 independent sensors across the login, comment, REST, XMLRPC and 404 surfaces — every one with a tunable threshold and a sane default.
This guide lists all 12 sensors, the default thresholds they ship with, and the attack each one stops.
What is ReportedIP Hive?
ReportedIP Hive is a complete WordPress security plugin that combines brute-force protection, a full 2FA suite and opt-in community threat intelligence. The detection layer described here is free in every mode, including fully offline Local Shield. The full ReportedIP Hive feature set lives on the product hub.
The 12 detection sensors and their defaults
Each sensor counts events per IP inside a rolling window. Cross the threshold and the IP graduates to the block ladder. Defaults are conservative on purpose — you can tighten or loosen every one under Settings → Protection.
- Failed logins — 5 fails / 15 min.
- Password spray — distinct usernames from one IP, 5 / 10 min. Counters are hashed, so no plaintext usernames are stored.
- Comment spam — 5 / 60 min, evaluated before the comment filter runs.
- XMLRPC abuse — 10 / 60 min, with system.multicall watched separately.
- Application-password abuse — REST/XMLRPC Basic-Auth attempts that try to bypass 2FA, 5 / 15 min.
- REST API rate-limit — global 240 / 5 min, sensitive routes 20 / 5 min.
- User enumeration defence — blocks ?author=N, /wp-json/wp/v2/users and oEmbed lookups, and masks login errors.
- 404 / scanner detection — 12 / 2 min, plus an instant block on known-bad paths like .env, wp-config.bak and /.git/.
- Geographic anomaly — a login from a country never seen for that user, which can optionally revoke trusted-device cookies.
- Password policy — minimum length, character classes and an optional Have-I-Been-Pwned k-anonymity check.
- WooCommerce login hooks — checkout and my-account forms tracked separately from wp-login.php.
- Cookie-banner consent endpoints — Real Cookie Banner, Complianz, Borlabs and CookieYes are whitelisted from the REST rate-limit by default.
Why search engines and AI crawlers do not trip them
Since 2.0.5, Googlebot, Bingbot, GPTBot, ClaudeBot, PerplexityBot and other verified crawlers are excluded from the 404 and REST burst triggers, so a legitimate crawl over stale URLs never lands a bot in the block ladder. The exception is deliberate: a request to a honeypot path like /.env still triggers instantly, even from a self-declared “Googlebot” — that request is the attack indicator.
How counting becomes a block
The brute-force-style sensors share one failure-counter ladder: 3 fails → 30 s, 5 → 5 min, 10 → 30 min, 15 → 1 h. After the 15th failure the IP is graduated to a real entry in the blocked table through the canonical handle_threshold_exceeded() pipeline, which then fires the progressive escalation ladder and, in Community mode, queues an anonymised report.
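The per-IP rolling windows and the failure ladder described above, as an added Python sketch that is not ReportedIP Hive's own code. The thresholds and ladder steps are the defaults quoted on this page; the HMAC key, the class and function names, the rule that reaching a threshold trips the sensor, and the never-resetting ladder counter are assumptions.

```python
import hashlib
import hmac
from collections import defaultdict, deque

FAILED_LOGINS = (5, 15 * 60)    # page default: 5 fails / 15 min
PASSWORD_SPRAY = (5, 10 * 60)   # page default: 5 distinct usernames / 10 min
LADDER = [(15, 3600), (10, 1800), (5, 300), (3, 30)]  # fails -> lockout seconds
HASH_KEY = b"constructed-demo-key"  # assumption: per-site secret for username hashes


class LoginSensors:
    def __init__(self):
        self.fails = defaultdict(deque)  # ip -> failure timestamps
        self.names = defaultdict(deque)  # ip -> (timestamp, username digest)
        self.total = defaultdict(int)    # ip -> failures counted for the ladder

    def record_failure(self, ip, username, now):
        """Record one failed login; return (tripped sensors, lockout seconds)."""
        # Only a keyed digest of the username is kept, never the plaintext.
        digest = hmac.new(HASH_KEY, username.lower().encode(), hashlib.sha256).hexdigest()
        self.fails[ip].append(now)
        self.names[ip].append((now, digest))
        self.total[ip] += 1
        # Expire events that have left each sensor's rolling window.
        while self.fails[ip][0] <= now - FAILED_LOGINS[1]:
            self.fails[ip].popleft()
        while self.names[ip][0][0] <= now - PASSWORD_SPRAY[1]:
            self.names[ip].popleft()
        tripped = []
        if len(self.fails[ip]) >= FAILED_LOGINS[0]:
            tripped.append("failed_logins")
        if len({d for _, d in self.names[ip]}) >= PASSWORD_SPRAY[0]:
            tripped.append("password_spray")
        # Assumption: the ladder counter is cumulative and is not reset here.
        lockout = next((secs for n, secs in LADDER if self.total[ip] >= n), 0)
        return tripped, lockout


def replay(events):
    """Feed (timestamp, ip, username) tuples through the sensors in order."""
    sensors = LoginSensors()
    return [sensors.record_failure(ip, user, ts) for ts, ip, user in events]


# Constructed sample events (documentation IP ranges, made-up usernames).
BRUTE = [(t, "203.0.113.7", "admin") for t in (0, 60, 120, 180, 240)]
SPRAY = [(i * 30, "198.51.100.9", f"user{i}") for i in range(5)]
SLOW = [(t, "192.0.2.44", "admin") for t in (0, 60, 120, 180, 1000)]
```

Replaying SLOW shows the two mechanisms diverging: the fifth failure arrives after the first two have left the 15-minute window, so the sensor does not trip, while the cumulative ladder still returns the 5-minute lockout.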
Related guides
- Progressive IP blocking: from a 5-minute timeout to a 7-day ban
- Hardening Mode: auto-tightening thresholds under coordinated attack
- Honeypot decoy paths that ban scanners on the first probe
The WordPress plugin documentation covers each sensor’s settings in detail. Browse the full ReportedIP Hive plugin guides, or read the source on GitHub.