Progressive IP Blocking: Stopping Brute-Force Without False Positives
To block brute-force attacks on WordPress without locking out real people, the duration of the block matters as much as the trigger. ReportedIP Hive uses a progressive ladder: a first offence costs 5 minutes, while a persistent attacker climbs step by step to a 7-day block.
This guide explains the ladder, the 30-day reset window, and why manual blocks are never overridden.
What is ReportedIP Hive?
ReportedIP Hive is a complete WordPress security plugin — 12 attack sensors, four 2FA methods and progressive IP blocking in one free, GPL-2.0 drop-in. Blocking works fully offline in Local Shield mode. See the full ReportedIP Hive feature set for the wider picture.
The default escalation ladder
When a sensor threshold is crossed, the IP enters the ladder implemented in ReportedIP_Hive_Block_Escalation (added in 1.5.0). Each new offence moves it one rung up:
- 1st offence — 5 minutes
- 2nd — 15 minutes
- 3rd — 30 minutes
- 4th — 24 hours
- 5th — 48 hours
- 6th and beyond — 7 days (cap)
The ladder is fully editable as a comma-separated minute list under Settings → Blocking. A toggle keeps the legacy single-duration mode available for sites that prefer a flat block length.
Why a typo never costs 24 hours
A visitor who trips a sensor once, whether a fat-fingered admin or a legitimate user behind a shared CGNAT address, gets a 5-minute timeout and moves on. Only an IP that keeps coming back climbs toward the longer bans. After 30 days without a new offence, the IP drops back to step 1, so a one-off mistake never leaves a permanent mark. Bear in mind that the ladder counts per IP: everyone behind one CGNAT address shares its rung, so an address that many people use can still climb if several of them trip a sensor. Report-Only mode is the way to check whether such an address is climbing before you enforce.
Manual blocks always win
When you click “Block this IP” or import a CSV of known-bad ranges, that block honours the duration you chose and is never overridden by the ladder. The automatic escalation only governs IPs the sensors catch on their own.
Test before you enforce
Use Report-Only mode under Settings → Blocking to watch the ladder decisions in the logs without rejecting anyone. The 403 block page itself is cache-safe: it sets DONOTCACHEPAGE and Cache-Control: no-store, so WP Rocket, W3TC, WP Super Cache and LiteSpeed never serve a cached block to a legitimate visitor. Without those headers a page cache keyed on the URL would store the 403 and hand it to every later visitor of that URL, whatever their IP.
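The ladder, the 30-day reset, manual precedence and Report-Only mode described above, modelled in a standalone script. This is an added example written for this guide, not the plugin's ReportedIP_Hive_Block_Escalation class or any of its real code; the class names, the `demo()` scenario, the addresses (RFC 5737 documentation ranges) and the choice to hand an IP back to the ladder once its manual block expires are all assumptions. Times are whole minutes so the arithmetic is easy to follow.

```python
"""Standalone model of a progressive IP block ladder with a 30-day reset,
manual-block precedence and a report-only switch. Added illustration for
this guide; not the plugin's own escalation class. Names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MINUTE, HOUR, DAY = 1, 60, 24 * 60

# Default rungs from the guide, in minutes. The last rung is the cap.
DEFAULT_LADDER: List[int] = [5 * MINUTE, 15 * MINUTE, 30 * MINUTE, 1 * DAY, 2 * DAY, 7 * DAY]

# An IP with no new offence for this long drops back to step 1.
RESET_AFTER = 30 * DAY


@dataclass
class IpState:
    offences: int = 0                    # offences counted in the current window
    last_offence: Optional[int] = None   # minute of the most recent offence
    blocked_until: Optional[int] = None  # minute the current block ends
    manual: bool = False                 # set by an operator, not by a sensor


@dataclass
class BlockLadder:
    rungs: List[int] = field(default_factory=lambda: list(DEFAULT_LADDER))
    report_only: bool = False            # log the decision but never enforce it
    state: Dict[str, IpState] = field(default_factory=dict)
    log: List[Tuple[int, str, str]] = field(default_factory=list)

    def offence(self, ip: str, now: int) -> Optional[int]:
        """Record a sensor hit; return the chosen block length in minutes,
        or None when a manual block is in force and the ladder stays out."""
        s = self.state.setdefault(ip, IpState())
        if s.manual:
            if s.blocked_until is not None and now < s.blocked_until:
                self.log.append((now, ip, "manual block in force, ladder not applied"))
                return None
            s.manual = False  # assumption: an expired manual block hands the IP back to the ladder
        if s.last_offence is not None and now - s.last_offence >= RESET_AFTER:
            s.offences = 0    # 30 quiet days: back to the first rung
        minutes = self.rungs[min(s.offences, len(self.rungs) - 1)]  # cap at the last rung
        s.offences += 1
        s.last_offence = now
        if self.report_only:
            self.log.append((now, ip, f"would block for {minutes} min (step {s.offences})"))
        else:
            s.blocked_until = now + minutes
            self.log.append((now, ip, f"blocked for {minutes} min (step {s.offences})"))
        return minutes

    def manual_block(self, ip: str, now: int, minutes: int) -> None:
        """Operator block: its duration wins over anything the ladder would do."""
        s = self.state.setdefault(ip, IpState())
        s.manual = True
        s.blocked_until = now + minutes
        self.log.append((now, ip, f"manual block for {minutes} min"))

    def is_blocked(self, ip: str, now: int) -> bool:
        s = self.state.get(ip)
        return s is not None and s.blocked_until is not None and now < s.blocked_until


def demo() -> dict:
    """Constructed scenario: a persistent attacker, a one-off CGNAT visitor,
    a manually blocked address and a report-only run."""
    ladder = BlockLadder()
    attacker = [ladder.offence("198.51.100.7", t) for t in range(7)]   # 7 hits, one per minute
    first = ladder.offence("203.0.113.9", 0)                            # one slip
    after_reset = ladder.offence("203.0.113.9", 30 * DAY)               # next slip 30 days later
    ladder.manual_block("192.0.2.1", 0, 60)                             # operator block, 60 min
    during_manual = ladder.offence("192.0.2.1", 10)                     # sensor hit while manual block holds
    dry = BlockLadder(report_only=True)
    dry_minutes = dry.offence("198.51.100.7", 0)
    return {
        "attacker": attacker,
        "cgnat_first": first,
        "cgnat_after_reset": after_reset,
        "manual_offence": during_manual,
        "manual_blocked_at_59": ladder.is_blocked("192.0.2.1", 59),
        "manual_blocked_at_60": ladder.is_blocked("192.0.2.1", 60),
        "report_only_minutes": dry_minutes,
        "report_only_enforced": dry.is_blocked("198.51.100.7", 1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the attacker climbing 5, 15, 30, 1440, 2880, 10080 and then staying at the 10080-minute cap, the one-off CGNAT visitor getting 5 minutes both times because the 30-day gap resets it, the manual block holding through a sensor hit, and the report-only ladder returning a decision without ever blocking. Passing a custom `rungs` list plays the same role as the comma-separated minute list under Settings → Blocking.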
Related guides
- The 12 sensors that feed the block ladder
- Hardening Mode tightens the thresholds under attack
- Community Network: refuse attackers other sites already saw
Full configuration is in the WordPress plugin documentation. Browse the rest of the ReportedIP Hive plugin guides or audit the escalation class on GitHub.