Frequently Asked Questions

ReportedIP is a community-driven IP reputation service. It collects reports of malicious IP addresses from security plugins, honeypots, and manual submissions, then provides a unified threat database accessible via a REST API.

Anyone can check an IP's reputation for free. Registered users can report malicious IPs and access advanced features like bulk checks and detailed analytics. The service is operated from Germany under GDPR and hosted on Hetzner Cloud in the EU.

Yes. The free tier includes 1,000 IP checks and 50 reports per day, which is sufficient for most small to medium websites. Public lookups (without an API key) are also available with a rate limit of 100 requests per day.

Paid tiers raise the quotas, add bulk operations, multi-site management, and managed 2FA mail / SMS delivery. See the full pricing page.

The Confidence Score (0–100%) indicates how likely an IP address is to be malicious. It is calculated from multiple factors:

• Number of reports — More reports increase the score
• Reporter diversity — Reports from different sources carry more weight
• Recency — Recent reports contribute more than older ones
• Severity — Higher-severity attack categories increase the score
• Honeypot data — Reports from verified honeypots receive a bonus

Reports automatically lose weight over time (30-day half-life), so IPs that stop attacking will eventually be delisted.

Three concrete differences: (1) Hosted in Germany / EU under GDPR, with a clear data-processing agreement available. (2) Open-source clients — the WordPress plugins (Hive and Hive Light), the honeypot server, and the DNS checker are all GPL-2.0 and auditable on GitHub or wp.org. (3) Time-decayed scoring with honeypot weighting — reports lose weight on a 30-day half-life so dormant attackers fall off automatically; verified honeypot reports carry a configurable bonus so synthetic intel is trustworthy.

For a side-by-side breakdown, see our AbuseIPDB alternative comparison.

Five products, one mission:

• Public REST API — the reputation engine, queryable from any language or system.
• Community Blacklist — daily-refreshed feed in TXT / JSON / CSV, drop-in for firewalls.
• ReportedIP Hive (Full Edition, GitHub) — the complete WordPress security suite with 16 sensors, a Web Application Firewall and four-method 2FA.
• ReportedIP Hive Light (WordPress.org) — a focused brute-force login protector for WordPress.
• Honeypot Server — a standalone PHP application that pretends to be WordPress / Drupal / Joomla and feeds clean attacker data back into the network.

See the products page for the overview.

Register for a free account at reportedip.de/register, verify your email, and generate an API key from your Dashboard.

Rate limits depend on your user role:

• Free: 1,000 checks/day, 50 reports/day
• Contributor: 5,000 checks/day, 200 reports/day
• Professional: 25,000 checks/day, 1,000 reports/day, bulk operations
• Business: 100,000 checks/day, 5,000 reports/day, white-label, multi-site (15 domains) per licence — book Business x2–x20 to multiply these limits
• Enterprise: Unlimited, custom contract
• Honeypot: Unlimited, for automated honeypot systems

Public endpoints (no API key) are limited to 100 requests per day per IP.

The API returns JSON by default. Blacklist endpoints additionally support txt (plain text, one IP per line) and csv formats via the format query parameter.

Two batched endpoints are available on Professional and above: POST /v2/bulk-check (up to 200 IPs per call, returns a JSON map of ip -> reputation) and POST /v2/bulk-report (Enterprise-only, accepts an array of report objects). Bulk calls count against your daily quota by the number of IPs in the batch, not by the number of HTTP requests. See the API reference for payload schemas.

Yes — the API returns ETag and Cache-Control headers on every /check response. Send If-None-Match on subsequent requests to receive HTTP 304 when the reputation has not changed. 304 responses do not count against your daily quota. The WordPress plugins already implement this; integrators are strongly encouraged to do the same.

Adding ?verbose=true to /v2/check returns the full confidenceBreakdown object (per-component contribution: report-score, diversity, recency, severity, honeypot bonus) plus debugInfo (report count, unique reporters, honeypot reports, effective report count, time-dampening factor). Useful for understanding why a specific IP scored where it did. Verbose responses are slightly larger but cost the same quota.

Revoke and regenerate the key immediately from your Dashboard → API Keys. The old key stops working within seconds. Update every system that used the old key (WordPress sites, scripts, firewall scrapers). For Professional and above, multiple keys per account are supported so you can rotate without downtime.

ReportedIP Hive ships as two separate WordPress plugins:

• Hive Light — on WordPress.org (slug reportedip-hive). Focused brute-force login protector, free forever, no 2FA, no tiers. Install in one click from Plugins → Add New. Light docs.
• Hive (Full Edition) — on GitHub Releases. The complete security suite: 16 attack sensors, a Web Application Firewall, four-method 2FA (TOTP / Email / SMS / WebAuthn), multisite, WooCommerce integration. Free + paid tiers add managed mail / SMS relay, Priority-Sync firewall rules and higher quotas. Full docs.

Important: never install both on the same site — they share the same text domain (reportedip-hive) and class prefix (ReportedIP_Hive) and would clash immediately. Pick one.

Hive Light: WordPress admin → Plugins → Add New → search "ReportedIP Hive Light" → Install Now → Activate. The four-step wizard launches automatically. Light docs.

Hive (Full Edition): Download reportedip-hive.zip from GitHub Releases, then Plugins → Add New → Upload Plugin, select the ZIP, Install Now, Activate. The ten-step setup wizard runs on first activation. The built-in Plugin-Update-Checker (PUC v5.6+) polls GitHub every 12 hours; updates appear inside Plugins like any wp.org plugin. Full docs.

Local Shield runs entirely on your server. It tracks failed logins and blocks repeat offenders locally, but does not share data or check the community database. Zero outbound network requests.

Community Network connects to the ReportedIP API. Your site benefits from threat intelligence reported by thousands of other sites, and attacks detected on your site are shared back to protect others. An API key is required (free tier available). Both editions support both modes; mode is switchable any time without losing local data.

Yes — since 2.1.2 the Full Edition ships a request-inspecting Web Application Firewall that matches incoming URIs, query strings, bodies and user-agents against a signature ruleset (SQLi, XSS, path traversal, command injection, LFI wrappers, SSRF, Log4Shell, PHP object injection, NoSQL, XXE, web-shell uploads and more). The engine and the OWASP-Top-10 Paranoia-Level-1 baseline are free on every plan; Professional adds the deeper, frequently-updated, Ed25519-signed Paranoia-Level-2/3 ruleset through Priority Sync. The rules are delivered from the reportedip.de Rule API (versioned, signed, tier-staggered) with a bundled offline baseline, so a tampered or unreachable feed can never poison your rules. An optional pre-WordPress drop-in (Apache / PHP-FPM auto-config, nginx snippet) can block before WordPress even loads. The WAF is ReDoS-hardened and fail-open — a malformed rule never takes the site down.

Alongside the WAF, version 2.1.x added, all free on every plan: verified-bot detection (confirms Googlebot, Bingbot and other crawlers via their official IP ranges and forward-confirmed reverse DNS — spoofers are flagged or blocked, genuine crawlers never are), disposable-email blocking at registration (WordPress + WooCommerce; privacy relays like Apple Hide My Email pass through), an invisible comment honeypot, basic security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy), a dashboard protection & hardening score (0–100 with an A+–F grade), correlatable block-page reference codes (also emitted as the X-RIP-Ref header) and MainWP integration for remote management. Professional adds advanced security headers (HSTS, Permissions-Policy, Content-Security-Policy, cross-origin isolation); Business adds the audit event trail (append-only user-lifecycle log with CSV/JSON export and GDPR integration).

No. The blocking check is a single indexed query on wp_reportedip_hive_blocked per request, hooked at init priority 1. The whitelist is cached in memory per request. Reputation lookups are async: the page is rendered first, the report is enqueued and shipped on the next cron tick. Reputation responses cache locally with ETag support (24 h default for positive, 2 h for negative lookups) so repeated checks for the same IP cost zero API quota.

Yes. Deactivate Hive Light, install the Full Edition ZIP from GitHub, then activate. Both editions use the same wp_reportedip_hive_* table prefix and the same option keys. The Full Edition extends the schema idempotently (adds logs, stats and trusted_devices tables) and preserves your existing attempts, blocked IPs, whitelist, queue and the API key. Going the other way (Full → Light) is also possible but the Light Edition will simply ignore the additional tables and options.

Yes — fully, since 2.0.0. The Full Edition declares Network: true and is network-only: per-site activation is hidden by WordPress so the security configuration stays uniform across the network. All tables live under $wpdb->base_prefix, so a single threat decision applies network-wide — cross-site brute-force attempts aggregate into one central counter and one block locks the IP out of every sub-site. Network Admins get the full settings and an all-sites Logs view; Site Admins on a sub-site get a read-only Status / Logs UI plus a couple of writable per-site overrides. Cron runs only on the main site. A multi-site licence (Professional = 3 domains, Business = 15 per licence, Enterprise = unlimited) controls how many domains can use the managed relays. Hive Light does not support multisite.

The Full Edition supports four methods, combinable per user: TOTP (Google Authenticator, Authy, 1Password, Bitwarden, …), Email OTP, SMS OTP (via the managed reportedIP SMS relay, Professional plan and up), and WebAuthn (passkeys, YubiKey, Touch ID / Face ID / Windows Hello). Plus single-use recovery codes and trusted-device tokens (30-day default expiry). Hive Light has no 2FA — that is one of the defining differences between the two editions.

Use one of the ten recovery codes saved during 2FA setup. If those are lost, an administrator can reset 2FA for any user under Users → Two-Factor. As a last-resort over SSH: wp reportedip 2fa reset <user_id> via WP-CLI (Business+) or directly in the database: delete the row from wp_usermeta where meta_key starts with reportedip_hive_2fa_ for that user.

Yes — on the Full Edition. Two layers: (1) the free WooCommerce login-failure sensors (woocommerce_login_failed and woocommerce_checkout_login_form_failed_login) count toward the brute-force counter on every plan, including Free and Contributor. (2) The themed Frontend 2FA (a 2FA challenge inside your active storefront on My Account / Checkout / Cart / Checkout-Block) is available on Professional and above. Business adds white-label templates plus a Subscriptions / Memberships audit. Hive Light does not include WooCommerce-specific code.

Hive Light updates through the standard WordPress.org channel like any wp.org plugin — new versions appear in Dashboard → Updates within hours. Hive (Full Edition) ships with the Plugin Update Checker (PUC v5.6+). The plugin polls GitHub Releases every 12 hours; a tag in the format vX.Y.Z on GitHub triggers a build action that produces the update ZIP. The WordPress Plugins page surfaces the update like any other.

Blacklists are available in three formats:

• JSON — Full metadata including confidence scores, categories and last-seen timestamps
• TXT — Plain text, one IP per line (ideal for firewalls)
• CSV — Comma-separated with IP, score, and category columns

The blacklist is updated in real-time as new reports are processed. When you fetch the blacklist via the API, you always receive the most current data. A daily mirror is also pushed to a public Git repository so you can git pull and audit the diff. For automated firewall consumers, we recommend polling the API every 15–60 minutes.

The default blacklist contains IPs with a Confidence Score of 75 % or higher and at least two independent reporters. A 48-hour false-positive cool-down is applied: when an IP is flagged as a false positive, it is suppressed from the feed for two days while the score recalibrates. Custom thresholds are available via the min_confidence query parameter on the /blacklist endpoint.

Yes — pass ?category=<id> to the /v2/blacklist endpoint. See the Threat Categories page for the full ID list. The public Git mirror additionally publishes thematic lists for the most common categories (brute-force, comment-spam, scanners, XML-RPC, …) as separate files so you can drop only what is relevant to your stack.

Yes. The TXT format is designed for direct firewall integration. See the Blacklist documentation for integration guides for Nginx, Apache, iptables, fail2ban and Cloudflare Custom Rules.

First, check your IP's reputation on the ReportedIP homepage to see why it was reported. If the listing is a false positive, you can request delisting by emailing [email protected] with your IP address and an explanation. See the IP Delisting guide for details.

Reports automatically lose weight over time using exponential decay with a 30-day half-life. After 30 days, a report contributes 50 % of its original weight. After 90 days, only 12.5 %. If no new reports are filed, the IP will naturally fall below the blocking threshold within weeks. There is no "permanent ban" for community-driven entries.

False positives can occur, especially for shared hosting IPs or VPN exit nodes. You can report a false positive directly from the IP detail page on the ReportedIP website, or email [email protected]. Our team reviews all reports within 48 hours and, when valid, applies a cool-down window during which the IP is suppressed from the feed while the score recalibrates.

Tor exit nodes and known VPN ranges that consistently behave well are tagged with reduced weight on the score. If your VPN range is misclassified, send a delisting request with proof of ownership (BGP route, ARIN / RIPE record, or DNS PTR record under your domain) to [email protected]. We add validated ranges to an internal whitelist that suppresses re-listing for legitimate operators.

Reports remain in the database for the integrity of the community feed, but you can request a per-row redaction via [email protected]. Full account deletion removes the reporter linkage but does not retroactively pull individual reports out of historical aggregates — the time-decay machinery will phase them out within 90 days regardless.

Business is 39.00 € / month (or 389 € / year, save 17 %). On top of everything in Professional you get: 100,000 API checks and 5,000 reports per day, 15 domains under one licence, 2,500 included 2FA mails and 75 included 2FA SMS per month, white-label setup wizard and 2FA pages with your branding, WooCommerce complete integration (white-label templates + Subscriptions / Memberships audit), restrict-login-times per role, full WP-CLI, GDPR data-export tool, daily security reports (PDF) and priority support with 12 h response SLA. Need more capacity? You can book Business x2, x5, x10 or x20 — every figure above scales with your licence count and a volume discount applies. See the pricing page for the full feature comparison.

If your monthly included SMS quota is exhausted (25 on PRO, 75 on Business), you can buy a one-time SMS bundle from your dashboard: 50 SMS for 14.90 €, 200 SMS for 49.90 €, or 500 SMS for 99.90 €. All prices include 19 % VAT. Bundles never expire. Bundle SMS are consumed only after your monthly included quota is fully used. Other 2FA methods (TOTP, email, WebAuthn) keep working even if SMS is exhausted.

Yes — same logic as SMS. 1,000 mails for 4.90 €, 5,000 mails for 14.90 €, or 25,000 mails for 49.90 € (all including 19 % VAT). Bundles never expire and kick in only after the monthly included quota (500 on PRO, 2,500 on Business) is exhausted. Heavy mail users typically notice that upgrading from PRO to Business is cheaper than buying repeated mail bundles, which is exactly the signal the tiering is designed to provide.

Pick yearly billing in Stripe Checkout to save approximately 17 %: PRO 149 € / year instead of 12 × 14.90 € = 178.80 €; Business 389 € / year instead of 12 × 39.00 € = 468 €. Switching between monthly and yearly is possible at any time from the dashboard; Stripe handles proration. Enterprise contracts are individually quoted.

Yes — Professional supports 3 protected domains, Business supports 15 per licence, Enterprise is unlimited. Each Hive plugin instance registers its domain when you enter the same API key. The dashboard shows a unified view across all of your sites: blocks, reports, queue health, 2FA usage. Free and Contributor are limited to 1 domain.

Yes. Business is the multi-bookable tier: choose 2×, 5×, 10× or 20× the whole plan at checkout (or change it later from the Stripe Customer Portal). It is not a per-site add-on — booking several licences multiplies the entire Business plan. Every figure scales with the licence count: the daily API checks and reports, the included 2FA mails and SMS per month, and the domain allowance. For example, 5× Business gives you 500,000 checks/day, 25,000 reports/day, 12,500 included mails and 375 included SMS per month, and up to 75 domains. A volume discount applies automatically from 2× upwards; the exact total is shown before you confirm. PRO stays single-licence. 20× is the maximum multiplier — once you need more than that, Enterprise picks up from there (from 663 € / month, unlimited fair-use quotas, custom contract).

For mail: Hive seamlessly falls back to local wp_mail() on your own server. The 2FA challenge keeps working, just without the deliverability of our managed SMTP.

For SMS: the user can either use a different 2FA method (TOTP, email, WebAuthn) or you can buy a prepaid bundle. SMS authentication never silently fails — it tells the user explicitly when SMS is unavailable.

The Hive setup wizard, all 2FA pages (login challenge, recovery, trusted-device prompt) and all email templates can be themed with your logo, brand colour, sender name and reply-to. Business covers the basics out of the box; Enterprise additionally supports custom domains for the 2FA mail flow and per-site theme overrides for agencies managing multiple brands.

All self-service tiers (PRO, Business and the prepaid bundles) are priced gross with 19 % German VAT included (PAngV-compliant). Stripe Tax handles the rest:

• DE customer: 19 % VAT shown on the invoice.
• EU B2B with a valid VAT ID (validated against VIES): 0 % VAT, Reverse-Charge note on the invoice ("Steuerschuldnerschaft des Leistungsempfängers").
• EU B2C outside DE: the destination-country rate via OSS / One-Stop-Shop.
• Third-country B2B: 0 %, export.

Enterprise pricing is quoted net; the same rules apply when the invoice is issued. Stripe generates compliant invoices automatically; PDFs are available from your Dashboard → Billing.

Monthly subscriptions can be cancelled at any time from the Stripe Customer Portal; you keep service until the end of the current billing period and there is no further charge. Yearly subscriptions follow the same path but a proportional refund of unused time is paid back via Stripe, minus a small fee for already-consumed managed mail / SMS quota. Prepaid bundle credits become non-refundable on first consumption; a refund of an unused bundle reverses the gross amount and resets the balance.

Consumer withdrawal under §§ 312g, 355 BGB is honoured for 14 days when applicable; for business contracts (Enterprise, accounts with a validated VAT ID) the right of withdrawal is excluded by default. See our terms for the formal version.

ReportedIP stores IP addresses, attack categories, timestamps, and reporter IDs. No personal information such as usernames, email addresses, or user agents is collected by default. The service is designed around the principle of data minimization (GDPR Art. 5).

The WordPress plugins additionally store hashed usernames (sha256(username + wp_salt())) for local rate-limiting purposes — plain text usernames are never persisted or transmitted to the central service.

IP reputation data is retained as long as reports are active. Reports automatically lose weight over time (30-day half-life) and are eventually removed during routine cleanup. Free / Contributor accounts keep 30 days of log history; Professional 90 days; Business 1 year; Enterprise configurable.

Yes. Under GDPR Art. 17 you have the right to request deletion of your data. Contact [email protected] with your request. For API users, account deletion is available from your Dashboard. Account deletion removes the reporter linkage but does not retroactively pull individual reports out of historical aggregates — the time-decay machinery will phase them out within 90 days regardless.

Yes. A standard data-processing agreement under GDPR Art. 28 is available for Business customers on request, and as a custom-tailored AVV for Enterprise. PRO and below operate as a controller-to-controller relationship since the data shared (attacker IPs, threat category, timestamp) is not personal data of the reporter's end-users.

Hosted on Hetzner Cloud in Falkenstein, Germany (EU). Sub-processors:

• Stripe Payments Europe Ltd. (Ireland) — payment processing.
• Cloudflare Inc. (US, with EU Data Localisation Suite) — CDN and DDoS protection in front of reportedip.de.
• reportedIP managed mail / SMS relay — EU-based delivery for 2FA codes; the full sub-processor chain is listed in our privacy policy.

A current sub-processor list is maintained in our privacy policy.

No third-party tracking, no advertising trackers, no analytics that build user profiles. The only first-party cookies set on reportedip.de are functional: WordPress login session, consent storage (if the consent banner is shown), and Stripe checkout state during a purchase. The Hive plugins themselves never set cookies on visitor sites except a single trusted-device token in Hive (Full) when 2FA is enabled and the user opts in.

A standalone PHP application (PHP 8.2+ with SQLite) that imitates WordPress, Drupal and Joomla login pages. 36 built-in threat analyzers detect SQL injection, XSS, brute force, credential stuffing, plugin exploits and scan signatures. Detected attackers are batched and reported to the ReportedIP API every minute. Open source under GPL-2.0 at github.com/reportedip/honeypot-server. See the Honeypot Server docs for the full deployment guide.

Two reasons: (1) Defence value — attackers that spend cycles probing your honeypot are not probing real systems. (2) Status upgrade — honeypot operators get the reportedip_honeypot role on their ReportedIP account with unlimited reports and a confidence bonus on their submissions. Honeypot data is weighted higher than community reports because it is by definition synthetic and unambiguous.

Yes — it has to be reachable from the open internet for attackers to find it. Deploy it on an unused subdomain (e.g. old-admin.example.com) or a separate small VPS. The Honeypot Server runs comfortably on the smallest cloud-VM tier (1 vCPU, 1 GB RAM). Docker Compose is provided.

Yes. Since v1.3.0 every detection can fire a webhook, and each webhook defines its own HTTP method, headers, and body — so it can target any API, not just ReportedIP. Set the method (POST/PUT/PATCH/GET), add auth headers line by line, and build the body from placeholders such as {{ip}}, {{categories}}, {{severity}} and {{timestamp}}. A dedicated {{abuseipdb_categories}} placeholder maps ReportedIP categories to AbuseIPDB IDs, and built-in presets for AbuseIPDB, Slack, Discord and generic JSON get you started in one click. Test deliveries use the loopback IP 127.0.0.1 so they never file a real report. See the Honeypot Server docs for the full webhook reference.

Optionally, yes. Set a secret on a webhook and every request carries an X-ReportedIP-Signature header containing an HMAC-SHA256 of the raw body (sha256=<hmac>). Recompute it on your side with the same secret and compare in constant time before trusting the payload — the same pattern GitHub and Stripe use. Delivery happens after the trap response is sent, so adding a webhook never slows the honeypot down.

A free domain-health diagnostics tool that queries 76 DNS servers across six continents and validates SPF, DKIM, DMARC and DNSSEC. Use cases: troubleshooting mail deliverability, tracking DNS propagation during a migration, running DNSBL lookups, comparing answers across resolvers. Available at reportedip.de/dnschecker/. The shortcode [ridns_dns_checker] is open source under GPL-2.0 inside the reportedip-dnschecker WordPress plugin.

Anonymous use is throttled at 30 lookups per IP per hour to keep the tool free for everyone. Registered users get higher limits tied to their tier. The tool is independent of the IP-reputation service — you can use one without the other.