WordPress Plugin — ReportedIP Hive Light
ReportedIP Hive Light protects WordPress logins against brute-force and password-spray attacks. It is intentionally focused: a per-IP attempt counter, a progressive block ladder, and an optional community lookup. No bloat, no dashboards, no upsell. The plugin works out of the box in Local Shield mode — no configuration required.
Installation
Install from WordPress.org
In your WordPress admin, go to Plugins → Add New, search for "ReportedIP Hive Light", then click Install Now followed by Activate. Alternatively download the ZIP from wordpress.org/plugins/reportedip-hive/ and upload it via Plugins → Add New → Upload Plugin.
Run the Setup Wizard
The four-step wizard launches automatically on first activation. You can also skip it entirely — Hive Light is fully functional out of the box in Local Shield mode.
Stay Updated
Updates ship through the standard WordPress.org channel. New versions appear in Dashboard → Updates within hours of release — no manual reinstall, no third-party update checker.
Setup Wizard (4 steps)
The wizard runs on first activation and can be re-launched from the plugin settings. Every step persists immediately, so you can stop and resume at any point.
| Step | What it configures |
|---|---|
| 1. Welcome | Intro and link to the docs. |
| 2. Operation Mode | Pick Local Shield (default, zero outbound traffic) or Community Network with a free Community Access Key from reportedip.de. |
| 3. Protection | Per-IP login-attempt threshold, time window, fixed vs. progressive block strategy, ladder editor. |
| 4. Done | Summary and a one-click link to the settings page. |
Operating Modes
Two modes, switchable at any time without losing the local attempts data.
| Feature | Local Shield (default) | Community Network |
|---|---|---|
| Per-IP brute-force counter | Yes | Yes |
| Progressive block escalation | Yes | Yes |
| Manual whitelist | Yes | Yes |
| Outbound IP-reputation lookup before login | No | Yes |
| Outbound report on blocked IPs (queued cron, every 15 min) | No | Yes |
| Community Access Key required | No | Yes (free at reportedip.de) |
| Data leaves your server | Never | Only the attacker IP, integer category ID and a SHA-256-hashed username (salted with wp_salt()) |
What you get — and what you don't
Hive Light is intentionally lean. Anything that would require a paid relay, multisite licensing or an upsell flow lives in the Full Edition on GitHub.
| Capability | Hive Light | Hive (Full Edition) |
|---|---|---|
| Brute-force login monitor | Yes | Yes |
| Progressive block ladder (5 min → 7 days) | Yes | Yes |
| Manual whitelist + per-IP unblock | Yes | Yes |
| Optional community IP lookup & reporting | Yes (free key) | Yes (free + paid tiers) |
| Cache-plugin-aware block page (WP Rocket, W3TC, Super Cache, LiteSpeed) | Yes | Yes |
| Cloudflare / reverse-proxy header support | Yes (Trusted Proxy Header) | Yes |
| Comment-spam, XML-RPC, REST-burst sensors | — | Yes |
| 404 / scanner detector with honeypot paths | — | Yes |
| User-enumeration block | — | Yes |
| App-password monitor | — | Yes |
| Geo / ASN anomaly detection | — | Yes |
| Password strength enforcement | — | Yes |
| Hide-login URL | — | Yes |
| Four-method 2FA (TOTP / Email / SMS / WebAuthn) + Recovery Codes + Trusted Devices | — | Yes |
| WooCommerce frontend 2FA + Subscriptions / Memberships audit | — | Yes (PRO+) |
| Multisite (network activation) | — | Yes |
| Managed mail / SMS relay with prepaid bundles | — | Yes (PRO+) |
| Tier-based pricing (Free / Contributor / PRO / Business / Enterprise) | — | Yes |
| WP-CLI 2FA tooling | — | Yes (Business+) |
| Per-role 2FA policies, restrict-login-times, weekly security reports | — | Yes |
Progressive Block Escalation
Hive Light ships with the same default ladder as the Full Edition: 5 min → 15 min → 30 min → 24 h → 48 h → 7 d. After 30 days clean, the counter resets to step 1. Fat-fingered admins, CGNAT addresses and shared mobile-network egresses recover in minutes; persistent attackers escalate quickly. The ladder is editable on the Protection tab, and a fixed-duration mode is available if you prefer a single block length.
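The ladder logic described above, written out as an added illustration (not the plugin's own code); the function name, its parameters and the clamping of later blocks to the last rung are assumptions, while the rung values and the 30-day reset come from the defaults listed on this page:

```php
<?php
// Stand-alone illustration of a progressive block ladder with a clean-period
// reset. hive_demo_next_block() is a constructed name, not a plugin API.
defined('DAY_IN_SECONDS') || define('DAY_IN_SECONDS', 86400);

/**
 * Decide how long the next block for an IP should last.
 *
 * @param int[] $ladder      Minutes per escalation step.
 * @param int   $blocks      Blocks this IP has already received (0 = none yet).
 * @param int   $lastBlockTs Unix timestamp of the most recent block, 0 if none.
 * @param int   $now         Current Unix timestamp.
 * @param int   $resetDays   Days without a block before the IP returns to step 1.
 * @return array{minutes:int, step:int} Block length and the step it lands on (1-based).
 */
function hive_demo_next_block(array $ladder, int $blocks, int $lastBlockTs, int $now, int $resetDays = 30): array
{
    // A clean period of at least $resetDays wipes the escalation history,
    // so a CGNAT or mobile egress that misbehaved last month starts fresh.
    if ($lastBlockTs > 0 && ($now - $lastBlockTs) >= $resetDays * DAY_IN_SECONDS) {
        $blocks = 0;
    }
    // Clamp to the last rung: every block beyond the ladder stays at 7 days.
    $index = min($blocks, count($ladder) - 1);
    return ['minutes' => $ladder[$index], 'step' => $index + 1];
}

$ladder = [5, 15, 30, 1440, 2880, 10080]; // default ladder from the settings table
$now    = time();

// Third block within the reset window: 30 minutes (step 3).
print_r(hive_demo_next_block($ladder, 2, $now - 3600, $now));
// Third block after 31 clean days: back to 5 minutes (step 1).
print_r(hive_demo_next_block($ladder, 2, $now - 31 * DAY_IN_SECONDS, $now));
// Tenth block in a row: still capped at 10,080 minutes (step 6).
print_r(hive_demo_next_block($ladder, 9, $now - 60, $now));
```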
Configuration Overview
All settings live under ReportedIP Hive Light → Settings. The most important defaults:
| Setting | Default | Description |
|---|---|---|
| operation_mode | Local Shield | Local Shield or Community Network. Local Shield makes zero outbound requests. |
| access_key | (empty) | Optional Community Access Key from reportedip.de. |
| login_threshold / login_timeframe_minutes | 5 / 15 | Failed login attempts per IP before auto-block. |
| block_duration_minutes | 1,440 (24 h) | Fixed-length block (used when the ladder is off). |
| block_escalation_enabled + block_ladder_minutes | On — 5, 15, 30, 1,440, 2,880, 10,080 | Progressive ladder (minutes per step). |
| block_escalation_reset_days | 30 | Days clean before the IP starts back at step 1. |
| trusted_proxy_header | (off) | Set to CF-Connecting-IP behind Cloudflare or to X-Forwarded-For behind another trusted reverse proxy. Only enable when your proxy reliably rewrites the header on every request. |
| api_endpoint | https://reportedip.de/wp-json/reportedip/v2/ | Filterable via reportedip_hive_api_endpoint. |
| api_timeout | 2 s | Lookups fail open — login proceeds when the API does not respond. |
| queue_retention_days | 14 | How long failed-to-dispatch report rows are kept before pruning. |
| uninstall_drops_tables | Off | When on, uninstall removes all wp_reportedip_hive_* tables and options. |
Database Tables
Created on activation, prefixed wp_reportedip_hive_ (single-site prefix — Hive Light does not support multisite network activation). Four tables only:
- attempts — per-IP / per-type / per-hashed-username counter with first/last timestamps.
- blocked — active blocks (manual / automatic / reputation), reason, block-type and blocked_until.
- whitelist — trusted IPs / CIDR ranges; optional expiry.
- api_queue — pending and failed reports to reportedip.de; retried by cron every 15 minutes.
What is not stored: raw usernames, passwords, request bodies, user-agents, comment content or domain identifiers. Usernames are stored as sha256(username + wp_salt()) only.
External Services & GDPR
In Local Shield mode the plugin makes zero outbound network requests. In Community Network mode the plugin talks to three reportedip.de endpoints (all transmissions are listed in the WordPress.org readme.txt as required by wp.org guidelines):
| Endpoint | Trigger | Data sent |
|---|---|---|
| GET /wp-json/reportedip/v2/check?ip=… | A login attempt reaches wp_authenticate_user. | Only the source IP of the login attempt. Header X-Key with the access key. Timeout 2 s, fail-open. |
| POST /wp-json/reportedip/v2/report | A brute-force threshold was exceeded; the report is queued and dispatched by the 15-minute cron. | Offending IP, integer category ID, a short human-readable comment ("5 failed logins in 15 minutes"). No usernames in plain text, no passwords, no domain name, no request body. |
| GET /wp-json/reportedip/v2/verify-key | An administrator clicks "Test connection" in the settings. | Only the access key under verification. |
Lawful basis (GDPR Art. 6 (1)(f)): network and information security — log retention, automatic cleanup and per-IP hashing protect both your users and unrelated visitors. The full data-processing breakdown is in the privacy policy on this site.
Filters and Action Hooks
- apply_filters('reportedip_hive_is_whitelisted', $is_whitelisted, $ip) — short-circuit the whitelist check (use sparingly).
- apply_filters('reportedip_hive_get_client_ip', $ip) — override the IP detection logic (useful behind non-standard reverse proxies).
- apply_filters('reportedip_hive_event_category_map', $map) — map your event names to threat-category IDs.
- apply_filters('reportedip_hive_api_endpoint', $url) — point the plugin at a different ReportedIP service installation.
- do_action('reportedip_hive_log', $event, $data) — fired on every recorded event.
- do_action('reportedip_hive_ip_blocked', $ip, $reason) — fired when an IP is blocked.
- do_action('reportedip_hive_report_queued', $ip, $category) — fired when a report is enqueued.
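An added example of wiring three of these hooks from a site-specific mu-plugin (not part of the plugin itself). The proxy addresses, the X-Real-IP header, the monitoring-host address and the log format are assumptions chosen for illustration; the point is that a client-supplied IP header is only honoured when the TCP peer is one of your own proxies, which is the same caveat the Trusted Proxy Header setting carries:

```php
<?php
/*
 * Plugin Name: Hive Light site hooks (constructed example)
 * Drop into wp-content/mu-plugins/ on a site that runs Hive Light.
 */

// Addresses of our own reverse proxies (constructed values).
const HIVE_DEMO_TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

// Override IP detection behind a proxy that sends X-Real-IP instead of a
// standard header. If the request did not arrive from a listed proxy, the
// header could have been forged by the client, so the plugin's own value wins.
add_filter('reportedip_hive_get_client_ip', function ($ip) {
    $peer   = $_SERVER['REMOTE_ADDR'] ?? '';
    $header = trim($_SERVER['HTTP_X_REAL_IP'] ?? '');
    if ($header === '' || !in_array($peer, HIVE_DEMO_TRUSTED_PROXIES, true)) {
        return $ip;
    }
    // Accept the header only if it is a syntactically valid IPv4/IPv6 address.
    return filter_var($header, FILTER_VALIDATE_IP) !== false ? $header : $ip;
});

// Mirror every automatic or manual block into the PHP error log so it is
// picked up by whatever ships wp-content/debug.log or the server log to the SOC.
add_action('reportedip_hive_ip_blocked', function ($ip, $reason) {
    error_log(sprintf('[reportedip-hive] blocked ip=%s reason=%s', $ip, $reason));
}, 10, 2);

// Exempt a single external uptime monitor from counting. Keep this narrow:
// a broad match here silently disables brute-force protection for that range.
add_filter('reportedip_hive_is_whitelisted', function ($is_whitelisted, $ip) {
    return $is_whitelisted || $ip === '203.0.113.10'; // constructed monitor address
}, 10, 2);
```

If you also set trusted_proxy_header in the settings, test one request from outside the proxy with a forged header and confirm the logged IP is the peer address, not the header value.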
Upgrading to ReportedIP Hive (Full Edition)
Hive Light is deliberately limited to the brute-force login scenario. If your site needs any of the following, switch to the Full Edition:
- Four-method 2FA with WebAuthn / TOTP / Email / SMS, plus recovery codes and trusted devices.
- Sensors beyond login — XML-RPC, comment spam, REST-burst, 404 / scanner detector, user-enumeration block, app-password monitor, geo / ASN anomaly.
- Multisite network activation (Network: true).
- WooCommerce frontend 2FA (themed challenge inside the My-Account / Checkout flow).
- Managed mail / SMS relay with prepaid bundles (no SMTP / SMS gateway of your own to maintain).
- Per-role 2FA policies, restrict-login-times, weekly PDF security reports, GDPR data-export tool.
Migration is one-way: deactivate Hive Light, install Hive (Full Edition), reactivate. Both plugins use the same wp_reportedip_hive_* table prefix and an idempotent schema migration; the Full Edition extends the schema with three additional tables (logs, stats, trusted_devices) and detects existing Light data on first boot. Never run both plugins side-by-side — same text domain, same class prefix, immediate function-redeclaration fatal.
See the product page for pricing and the feature comparison.
Frequently Asked Questions
What is the difference between Hive Light and Hive (Full Edition)?
Hive Light is a single-purpose brute-force login protector on WordPress.org, free forever, no upsell, no tiers. Hive (Full Edition) is the complete security suite distributed via GitHub: twelve sensors, four-method 2FA, multisite, WooCommerce integration, tier-based pricing with managed mail / SMS relay. Two different plugins, two distribution channels, same underlying author and community.
Can I run Hive Light and Hive (Full Edition) on the same site?
No. Both plugins use the same text domain (reportedip-hive) and class prefix (ReportedIP_Hive). Running both leads to immediate function-redeclaration fatal errors. Pick one. To move from Light to Full: deactivate Light, install Full, reactivate. The database tables are reused.
Do I need an account on reportedip.de?
No — Local Shield works without any account. You only need a free Community Access Key if you want to enable Community Network, which adds reputation lookups against the hive and shares anonymised attack reports back. The key is available at reportedip.de/register/ in seconds.
Why is the wp.org plugin called "ReportedIP Hive" — not "Hive Light"?
The WordPress.org plugin slug is reportedip-hive (the package name), but the display name shown in the plugin admin is "ReportedIP Hive Light". The slug stays stable across releases — only the human-readable name changes. The Full Edition uses the same text domain so future migrations preserve the option keys and database tables.
Will the plugin lock me out of my own site?
It might, if you fail logins repeatedly from your own IP. To recover, either wait until the block expires, add your IP to the whitelist in advance, or delete the row from the wp_reportedip_hive_blocked table via phpMyAdmin or WP-CLI: wp db query "DELETE FROM wp_reportedip_hive_blocked WHERE ip_address = 'YOUR_IP'".
Does Hive Light protect Application Passwords?
No. The current release protects standard wp-login.php logins. Application Passwords use a separate authentication path that is not monitored here. The Full Edition includes an app-password monitor that throttles application_password_failed_authentication events.
Does it work with WooCommerce login forms?
Yes — WooCommerce uses the standard wp_login_failed action, which Hive Light listens to. WooCommerce login attempts are counted alongside regular logins. WooCommerce frontend 2FA (in-storefront challenge) is a Full Edition feature.
My site is behind Cloudflare — are real IPs detected?
Yes — set Trusted Proxy Header in Settings → Connection to CF-Connecting-IP. Only enable this when your reverse proxy reliably overrides the header on every incoming request, otherwise the header can be spoofed. The same logic supports X-Forwarded-For for non-Cloudflare proxies.
Where is the source code?
The plugin lives in the official WordPress.org SVN repository under the slug reportedip-hive. A GitHub mirror is maintained for issue tracking; the canonical distribution channel is wordpress.org/plugins/reportedip-hive/.
What happens to my data if I uninstall?
By default the option keys remain so re-installing keeps your settings. If you enable uninstall_drops_tables first, the uninstall hook drops all wp_reportedip_hive_* tables and removes all reportedip_hive_* options. Reports already in the community database remain — they are not personally identifiable to your site.