Bug fixes: restores the design-system header\/footer on the Settings, Blocked IPs and Whitelist sub-pages (regression from 1.3.2) and stops the API report queue from filling with duplicates during a sustained brute-force.<\/p>","1.3.3":"
Hygiene fix: stops the GitHub-Actions deployment from copying the Renames the user-facing plugin title to ReportedIP Hive Light. Slug, text domain, options and database tables are unchanged \u2014 no migration required.<\/p>","1.3.1":" Removes the DONOTCACHE* defines from the block-response path and fixes three legal-notice URLs in the readme.<\/p>","1.3.0":" Adds long-term defended-attacks statistics (24 h \/ 7 d \/ 30 d \/ all time) to the dashboard.<\/p>","1.2.0":" Adds a dashboard with stats, queue status, and a per-hour API quota tracker.<\/p>","1.1.0":" Adds an IP whitelist, a setup wizard, and design-system polish. Schema\nmigrates automatically on activation.<\/p>","1.0.0":" Initial release.<\/p>"},"ratings":[],"assets_icons":[],"assets_banners":[],"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.3.2","1.3.3","1.3.4"],"block_files":[],"assets_screenshots":[],"screenshots":{"1":"Connection tab \u2014 operation mode, access key, reverse-proxy header.","2":"Protection tab \u2014 thresholds and the progressive block ladder.","3":"Privacy tab \u2014 cache durations, queue retention, uninstall behaviour.","4":"Blocked IPs \u2014 admin list table with bulk-unblock action.","5":"Empty state \u2014 what new installs see before any IPs are blocked."},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[2439,1174,1192,602,600],"plugin_category":[38,54],"plugin_contributors":[263280],"plugin_business_model":[],"class_list":["post-309318","plugin","type-plugin","status-publish","hentry","plugin_tags-brute-force","plugin_tags-firewall","plugin_tags-ip-blocking","plugin_tags-login","plugin_tags-security","plugin_category-authentication","plugin_category-security-and-spam-protection","plugin_contributors-reportedip","plugin_committers-reportedip"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/s.w.org\/plugins\/geopattern-icon\/reportedip-hive.svg","icon_2x":false,"generated":true},"screenshots":[],"raw_content":"\n ReportedIP Hive Light protects WordPress logins against brute-force and password-spray attacks. It is intentionally focused: a per-IP attempt counter, a progressive block ladder, and an optional community lookup. No bloat, no dashboards, no upsell.<\/p>\n\n Two operating modes<\/strong><\/p>\n\n How it works<\/strong><\/p>\n\n Privacy<\/strong><\/p>\n\n For developers<\/strong><\/p>\n\n A free Community Access Key is available at reportedip.de. The plugin works without one in Local Shield mode.<\/p>\n\n This plugin can connect to the ReportedIP API at When a brute-force attempt is detected and the failing username is recorded\nlocally, the plugin stores You can switch back to Local Shield mode at any time in Settings \u2192 ReportedIP\nHive \u2192 Connection<\/em>. Doing so stops all external traffic immediately.<\/p>\n\n This plugin ships every stylesheet and script it needs inside the plugin\nfolder. No CDN, no Google Fonts, no remote stylesheets, no remote scripts\nare loaded<\/strong> \u2014 every asset URL begins with the plugin's own\n wp-content\/plugins\/reportedip-hive\/ path.<\/p>\n\n The full list of bundled, locally-served assets:<\/p>\n\n The complete list of files distributed in the WordPress.org ZIP is\nvisible at Plugins \u2192 Plugin File Editor<\/em> once the plugin is installed.<\/p>\n\n ReportedIP Hive Light is provided \"as is\", without warranty of any kind, express or\nimplied, including but not limited to warranties of merchantability, fitness\nfor a particular purpose, and non-infringement. The author shall not be liable\nfor any claim, damages, or other liability arising from the use of this\nsoftware (this is the standard GPLv2-or-later disclaimer; see the LICENSE\nfile for the full text).<\/p>\n\n The plugin provides defense-in-depth against brute-force and password-spray\nlogin attacks. It does not<\/strong> replace strong passwords, two-factor\nauthentication, server-level firewalls, or web-application firewalls. No\nsingle security measure offers a 100 % guarantee against compromise. You\nremain responsible for the overall security posture of your WordPress site.<\/p>\n\n The optional Community Network mode forwards data to the third-party service\noperated at https:\/\/reportedip.de \u2014 see the \"External services\" section\nabove for the full data flow. Site operators that enable Community Network\nmode are responsible for assessing the lawful basis under their applicable\ndata-protection regime (in the EU, GDPR Art. 6(1)(f) \u2014 legitimate interest\nin network security \u2014 typically applies) and for updating their own privacy\npolicy accordingly.<\/p>\n\n\n The plugin is functional out of the box in Local Shield mode \u2014 no configuration required.<\/p>\n\n\n Register at reportedip.de. The Community Access Key tier is free.<\/p><\/dd>\n Yes. The default mode is Local Shield, which uses only your site's data and does not contact any external service. The plugin remains fully functional.<\/p><\/dd>\n It might, if you fail logins repeatedly from your own IP. To recover, either wait until the block expires or delete the row from the Visit ReportedIP Hive Light \u2192 Blocked IPs<\/em>, select the row, and choose \"Unblock selected\" from the bulk actions menu.<\/p><\/dd>\n In Community Network mode only: the IP address, a SHA-256 hash of the submitted username (salted with No. This release protects standard Yes. WooCommerce uses the standard Set Trusted Proxy Header<\/em> in Settings \u2192 Connection<\/em> to .git<\/code> directory into the wp.org SVN. No functional changes.<\/p>","1.3.2":"\n
\n
wp_login_failed<\/code> increments a per-IP counter using an atomic upsert (no race conditions under concurrent attacks).<\/li>\nwp_authenticate_user<\/code> short-circuits known-bad IPs before the WordPress core authentication runs.<\/li>\nCache-Control: no-store, no-cache, must-revalidate, max-age=0<\/code> and Pragma: no-cache<\/code> headers on the block page.<\/li>\n<\/ul>\n\n\n
wp_salt()<\/code>. Plain-text usernames are never persisted or transmitted.<\/li>\n\n
reportedip_hive_is_whitelisted<\/code>, reportedip_hive_get_client_ip<\/code>, reportedip_hive_event_category_map<\/code>, reportedip_hive_api_endpoint<\/code>.<\/li>\nreportedip_hive_log<\/code>, reportedip_hive_ip_blocked<\/code>, reportedip_hive_report_queued<\/code>.<\/li>\n<\/ul>\n\nExternal services<\/h3>\n\n
https:\/\/reportedip.de<\/code>. All\nexternal requests are opt-in only<\/strong> \u2014 they are made exclusively when (a) a\n\"Community Access Key\" has been entered in the plugin settings and (b) the\n\"Operation Mode\" is set to \"Community Network\". The default mode is \"Local\nShield\", which performs zero external requests.<\/p>\n\nEndpoint 1: IP-reputation lookup<\/h4>\n\n
\n
https:\/\/reportedip.de\/wp-json\/reportedip\/v2\/check?ip={ip}<\/code><\/li>\nX-Key: {your-access-key}<\/code><\/li>\nwp_authenticate_user<\/code><\/li>\nEndpoint 2: Blocked-IP report<\/h4>\n\n
\n
https:\/\/reportedip.de\/wp-json\/reportedip\/v2\/report<\/code><\/li>\nX-Key: {your-access-key}<\/code><\/li>\nEndpoint 3: Access-key verification<\/h4>\n\n
\n
https:\/\/reportedip.de\/wp-json\/reportedip\/v2\/verify-key<\/code><\/li>\nX-Key: {entered-key}<\/code><\/li>\nHashing of submitted usernames<\/h4>\n\n
sha256( username + wp_salt() )<\/code> only \u2014 never the\nplain text. The salted hash is also what would be transmitted with a report,\npreventing recipients from recovering the original username.<\/p>\n\nService provider<\/h4>\n\n
\n
Bundled assets<\/h3>\n\n
\n
assets\/css\/design-system.css<\/code> \u2014 design tokens and components used on\nevery plugin admin page.<\/li>\nassets\/css\/admin.css<\/code> \u2014 admin-page overrides on top of the design\nsystem.<\/li>\nassets\/css\/wizard.css<\/code> \u2014 standalone styles for the first-run setup\nwizard.<\/li>\nassets\/js\/admin.js<\/code> \u2014 handles tab switching and the AJAX\n\"Test connection\" button. Its only network call is fetch()<\/code> against\nWordPress' own admin-ajax.php<\/code> (same origin); no third-party endpoint\nis contacted.<\/li>\nwp_kses()<\/code> with an explicit allow-list\n\u2014 no <img><\/code> element points at an external host.<\/li>\n<\/ul>\n\nThird-party services and licences<\/h3>\n\n
\n
License URI: https:\/\/www.gnu.org\/licenses\/gpl-2.0.html<\/code>).<\/li>\nvendor\/<\/code> directory, no jQuery copy,\nno minified third-party bundle. WordPress itself supplies any global\nscripts (jquery<\/code>, wp-list-table<\/code>, etc.) and the plugin only depends\non WordPress core APIs.<\/li>\nPrivacy<\/h3>\n\n
\n
Disclaimer<\/h3>\n\n
\n
reportedip-hive<\/code> folder to \/wp-content\/plugins\/<\/code>, or install via Plugins \u2192 Add New<\/em>.<\/li>\n\n
How do I get a Community Access Key?<\/h3><\/dt>\n
Can I use the plugin without an access key?<\/h3><\/dt>\n
Will the plugin lock me out of my own site?<\/h3><\/dt>\n
wp_reportedip_hive_blocked<\/code> database table (e.g. via phpMyAdmin or WP-CLI: wp db query \"DELETE FROM wp_reportedip_hive_blocked WHERE ip_address = 'YOUR_IP'\"<\/code>).<\/p><\/dd>\nHow do I unblock my own IP from the admin UI?<\/h3><\/dt>\n
What data does the plugin send to reportedip.de?<\/h3><\/dt>\n
wp_salt()<\/code>), an integer category ID for the event type, and an optional comment. Plain-text usernames, passwords, domains, or contact details are never transmitted. See the \"External services\" section for full details.<\/p><\/dd>\nDoes the plugin protect Application Passwords?<\/h3><\/dt>\n
wp-login.php<\/code> logins. Application Passwords use a separate authentication path that is not currently monitored.<\/p><\/dd>\nDoes it work with WooCommerce login forms?<\/h3><\/dt>\n
wp_login_failed<\/code> action, which the plugin listens to. WooCommerce login attempts are counted alongside regular login attempts.<\/p><\/dd>\nMy site is behind Cloudflare. Are real IPs detected?<\/h3><\/dt>\n
CF-Connecting-IP<\/code>. Only enable this when your reverse proxy reliably overrides the header on every incoming request \u2014 otherwise the header can be spoofed.<\/p><\/dd>\n\n<\/dl>\n\n\n1.3.4<\/h4>\n\n
\n
reportedip-hive_page_*<\/code> to\n reportedip-hive-light_page_*, but the enqueue gate still matched the\nold prefix and silently skipped the asset enqueue. Hook suffixes are\nnow captured from the menu-API return values so the gate stays\ncorrect regardless of the menu title.<\/li>\nwp_login_failed<\/code> now short-circuits when the\nsource IP is already blocked, and queue_api_report<\/code> deduplicates\nagainst any open (pending<\/code> or processing<\/code>) report for the same IP.\nOne incident yields exactly one outbound community report instead of\none per retry; the block-escalation ladder no longer steps on every\nattempt against an already-locked door.<\/li>\n<\/ul>\n\n1.3.3<\/h4>\n\n
\n
.git<\/code> to .distignore<\/code> so the GitHub-Actions deployment no longer\ncopies the repository's Git metadata directory into the wp.org SVN.\nThe 1.3.2 release accidentally shipped a trunk\/.git\/<\/code> and\n tags\/1.3.2\/.git\/; both have been removed from SVN.<\/li>\n<\/ul>\n\n1.3.2<\/h4>\n\n
\n
Service provider<\/code> section of the\nreadme and convert the existing reportedip.de URLs to Markdown links so\nthe wp.org renderer turns them into clickable anchors.<\/li>\n<\/ul>\n\n1.3.1<\/h4>\n\n
\n
DONOTCACHEPAGE<\/code> \/ DONOTCACHEDB<\/code> \/ DONOTCACHEOBJECT<\/code> defines\nfrom the block-response path. The HTTP 403 status plus explicit\n Cache-Control: no-store and Pragma: no-cache<\/code> headers continue to\ninstruct WP Rocket, W3 Total Cache, WP Super Cache and LiteSpeed not to\ncache the block page.<\/li>\nreadme.txt<\/code> to point at the canonical\nImpressum, Nutzungsbedingungen and Datenschutzerklaerung pages on\nreportedip.de.<\/li>\n<\/ul>\n\n1.3.0<\/h4>\n\n
\n
1.2.0<\/h4>\n\n
\n
1.1.0<\/h4>\n\n
\n
1.0.0<\/h4>\n\n
\n