Hardening Mode: Auto-Tightening Defences Under Coordinated Attack
Distributed brute-force is built to stay under per-IP thresholds: many addresses, a few tries each. ReportedIP Hive’s Hardening Mode is the answer to that WordPress coordinated attack pattern — when it sees a botnet forming, it tightens every threshold network-wide for an hour.
This guide explains the trigger, what changes while a hardening window is active, and how to control it.
What is ReportedIP Hive?
ReportedIP Hive is a complete WordPress security plugin: 12 attack sensors, four 2FA methods, progressive blocking and opt-in community threat intelligence. Hardening Mode is part of the Professional plan. The full ReportedIP Hive feature set shows where it fits.
The trigger: 3 IPs, 20 failures, one minute
Added in 2.0.8, Hardening Mode arms when the coordinated-attack sensor spots ≥ 3 distinct IPs producing ≥ 20 failed logins in the same minute. The realtime trigger hooks directly into wp_login_failed with a 60-second debounce, so reaction time is under a minute. An hourly cron sweep stays in place as a safety net in case the realtime path is missed.
What tightens during a hardening window
- Failed-login threshold drops from 5 / 15 min to 2 / 5 min.
- Reputation block threshold drops from 75% to 60%, so borderline community-flagged IPs are refused too.
- The window lasts 60 minutes by default, configurable from 5 to 360 minutes.
The effect is that a distributed brute-force stops mid-flight instead of slipping under the per-IP threshold. Once the window expires, thresholds return to their configured baseline automatically.
Visibility and control
Active hardening surfaces as a red node in the WordPress admin bar with a countdown and a manage link, and every log row captured during the window is tagged with a “Hardening” badge. The events hardening_mode_activated (severity high) and hardening_mode_deactivated (severity low) record each activation and the actor — admin, CLI or natural expiry. From the shell, wp reportedip hardening status|activate|deactivate drives it directly.
Setting it up (Professional plan)
Open the dedicated Settings → Hardening Mode tab, flip the master toggle, and set the duration. The sub-fields are visually disabled while the master is off. On Free and Contributor tiers the tab shows an explicit upsell card; coordinated-attack detection itself depends on Community Network being active, since the reputation threshold is part of what tightens.
Related guides
- The progressive block ladder hardening feeds into
- The 12 sensors that detect the coordinated pattern
- Community Network and the reputation threshold
Configuration detail is in the WordPress plugin documentation. Browse the full ReportedIP Hive plugin guides, or read the hardening class on GitHub.