
GDPR-First WordPress Security: Privacy by Default

Patrick Schlesinger

Most security plugins log everything and ask questions later. For a WordPress GDPR security plugin that is the wrong default. ReportedIP Hive is built in Germany with privacy as a design principle: minimal data, short retention, encryption at rest, and offline operation by choice.

This guide covers what Hive collects, how long it keeps it, and the lawful basis behind the processing.

What is ReportedIP Hive?

ReportedIP Hive is a complete WordPress security plugin — 12 attack sensors, four 2FA methods, progressive blocking and opt-in community threat intelligence. Privacy is not a paid add-on; the data-minimal defaults apply in every mode. The full ReportedIP Hive feature set is on the product hub.

Minimal data collection by default

No usernames, no comment content and no full user-agents land in any report; user-agents are truncated to 50 characters even in local logs. The cleanup job runs daily with a 30-day retention default, and records are automatically anonymised after 7 days. That keeps the logs useful for spotting a pattern without turning them into a long-term profile of your visitors.
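One way to implement the log lifecycle described above (truncate on write, anonymise after 7 days, delete after 30), added here as an illustration and not taken from ReportedIP Hive's code. The record fields, function names, the IP-masking scheme (keep /24 for IPv4, /48 for IPv6) and the clearing of the user-agent on anonymisation are assumptions; the page does not say how the plugin anonymises records.

```php
<?php
const UA_MAX_LEN = 50;          // page: user-agents truncated to 50 characters
const ANONYMISE_AFTER_DAYS = 7; // page: records anonymised after 7 days
const RETENTION_DAYS = 30;      // page: 30-day retention default

// Assumed masking scheme: keep the /24 (IPv4) or /48 (IPv6) prefix, zero the rest.
function mask_ip(string $ip): ?string
{
    $packed = @inet_pton($ip);
    if ($packed === false) {
        return null; // unparseable value: keep nothing rather than the raw string
    }
    $keep = strlen($packed) === 4 ? 3 : 6; // number of leading bytes to keep
    return inet_ntop(substr($packed, 0, $keep) . str_repeat("\0", strlen($packed) - $keep));
}

// Minimise at write time: no username, no comment content, user-agent cut to 50 bytes.
function minimise_event(string $ip, string $category, string $ua, int $ts): array
{
    return ['ip' => $ip, 'category' => $category,
            'user_agent' => substr($ua, 0, UA_MAX_LEN), 'ts' => $ts, 'anonymised' => false];
}

// Daily cleanup: drop rows past retention, anonymise rows past the 7-day mark.
function run_cleanup(array $log, int $now): array
{
    $kept = [];
    foreach ($log as $row) {
        $ageDays = intdiv($now - $row['ts'], 86400);
        if ($ageDays >= RETENTION_DAYS) {
            continue; // past retention: delete
        }
        if ($ageDays >= ANONYMISE_AFTER_DAYS && !$row['anonymised']) {
            $row['ip'] = mask_ip($row['ip']);
            $row['user_agent'] = ''; // assumption: user-agent is cleared on anonymisation
            $row['anonymised'] = true;
        }
        $kept[] = $row;
    }
    return $kept;
}

// Constructed sample data using documentation address ranges.
$now = 1700000000;
$log = [
    minimise_event('203.0.113.77', 'brute_force', str_repeat('A', 120), $now - 2 * 86400),
    minimise_event('2001:db8:1:2::9', 'xmlrpc', 'curl/8.0', $now - 10 * 86400),
    minimise_event('198.51.100.5', 'comment_spam', 'bot', $now - 45 * 86400),
];
print_r(run_cleanup($log, $now)); // 2-day row intact, 10-day row masked, 45-day row gone
```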

Offline by choice, sharing by opt-in

Local Shield mode works 100% offline: nothing leaves your site. Community Network sharing is strictly opt-in, and even then only the IP and attack category are sent. No telemetry runs in the background unless you switched it on. A delete-on-uninstall option removes all plugin data when you are done.

Encryption at rest for every secret

All secrets — TOTP seeds, SMS provider credentials and phone numbers — are sealed with libsodium (OpenSSL as a fallback). Plain user-meta storage is never used for credentials, so a database leak does not hand over working second factors.

Documented lawful basis

Processing rests on Art. 6(1)(f) GDPR — legitimate interest in preventing unauthorised access — and that basis is documented in the setup wizard and the admin UI, not buried in a policy nobody reads. On the Business plan a GDPR data-export tool helps you answer Art. 15 access requests. Retention, anonymisation and detail level are all configurable, with a one-click “GDPR Minimal” preset.

Related guides

The WordPress plugin documentation covers retention and anonymisation settings. Browse the full ReportedIP Hive plugin guides, or read the lawful basis text at EUR-Lex (GDPR).
