外掛標籤
開發者團隊
原文外掛簡介
ReportedIP Hive Light protects WordPress logins against brute-force and password-spray attacks. It is intentionally focused: a per-IP attempt counter, a progressive block ladder, and an optional community lookup. No bloat, no dashboards, no upsell.
Two operating modes
Local Shield (default). Counts failed logins per IP and blocks attackers based on configurable thresholds. The plugin makes zero outbound network requests in this mode — all data stays on your server.
Community Network (optional). When you enter a free Community Access Key from reportedip.de, the plugin additionally checks the source IP against the reportedip.de community database during login attempts and shares blocked IPs back to the community. Both calls are clearly disclosed in the settings UI.
How it works
wp_login_failed increments a per-IP counter using an atomic upsert (no race conditions under concurrent attacks).
When the counter exceeds your threshold, the IP is blocked for a duration drawn from a progressive ladder (5 min → 15 min → 30 min → 24 h → 48 h → 7 days).
wp_authenticate_user short-circuits known-bad IPs before the WordPress core authentication runs.
Cache plugins (WP Rocket, W3 Total Cache, WP Super Cache, LiteSpeed) are honoured via the HTTP 403 status plus explicit Cache-Control: no-store, no-cache, must-revalidate, max-age=0 and Pragma: no-cache headers on the block page.
Privacy
IP addresses are processed for the legitimate purpose of network security (GDPR Art. 6(1)(f)).
Usernames are stored only as a SHA-256 hash, salted with wp_salt(). Plain-text usernames are never persisted or transmitted.
In Local Shield mode, no data leaves your server. In Community Network mode, only the IP, hashed username, event type, and timestamp are sent — no domain, no contact details, no traffic data.
For developers
Filters: reportedip_hive_is_whitelisted, reportedip_hive_get_client_ip, reportedip_hive_event_category_map, reportedip_hive_api_endpoint.
Actions: reportedip_hive_log, reportedip_hive_ip_blocked, reportedip_hive_report_queued.
A free Community Access Key is available at reportedip.de. The plugin works without one in Local Shield mode.
External services
This plugin can connect to the ReportedIP API at https://reportedip.de. All
external requests are opt-in only — they are made exclusively when (a) a
“Community Access Key” has been entered in the plugin settings and (b) the
“Operation Mode” is set to “Community Network”. The default mode is “Local
Shield”, which performs zero external requests.
Endpoint 1: IP-reputation lookup
URL: https://reportedip.de/wp-json/reportedip/v2/check?ip={ip}
HTTP verb: GET
Auth header: X-Key: {your-access-key}
Trigger: a login attempt reaches wp_authenticate_user
Timeout: 2 seconds (fail-open — login proceeds when the API does not respond)
Data sent: only the source IP address of the current login attempt
Data NOT sent: usernames, passwords, cookies, server identifiers, domain name
Endpoint 2: Blocked-IP report
URL: https://reportedip.de/wp-json/reportedip/v2/report
HTTP verb: POST (JSON body)
Auth header: X-Key: {your-access-key}
Trigger: a brute-force / spray threshold has been exceeded; the report is
queued in the database and dispatched by a 15-minute cron job
Data sent: the offending IP, an integer category ID for the threat type,
and a short human-readable comment (e.g. “5 failed logins in 15 minutes”)
Data NOT sent: usernames in plain text, passwords, full request bodies,
domain name, contact information
Endpoint 3: Access-key verification
URL: https://reportedip.de/wp-json/reportedip/v2/verify-key
HTTP verb: GET
Auth header: X-Key: {entered-key}
Trigger: an administrator clicks “Test connection” in the plugin settings
Data sent: only the access key under verification
Hashing of submitted usernames
When a brute-force attempt is detected and the failing username is recorded
locally, the plugin stores sha256( username + wp_salt() ) only — never the
plain text. The salted hash is also what would be transmitted with a report,
preventing recipients from recovering the original username.
Service provider
Operator: Patrick Schlesinger, Germany
Service URL: reportedip.de
Legal notice (Impressum): reportedip.de/impressum
Terms of use: reportedip.de/nutzungsbedingungen
Privacy policy: reportedip.de/datenschutzerklaerung
Source code: github.com/reportedip/reportedip-hive-light
Contact: [email protected]
You can switch back to Local Shield mode at any time in Settings → ReportedIP
Hive → Connection. Doing so stops all external traffic immediately.
Bundled assets
This plugin ships every stylesheet and script it needs inside the plugin
folder. No CDN, no Google Fonts, no remote stylesheets, no remote scripts
are loaded — every asset URL begins with the plugin’s own
wp-content/plugins/reportedip-hive/ path.
The full list of bundled, locally-served assets:
assets/css/design-system.css — design tokens and components used on
every plugin admin page.
assets/css/admin.css — admin-page overrides on top of the design
system.
assets/css/wizard.css — standalone styles for the first-run setup
wizard.
assets/js/admin.js — handles tab switching and the AJAX
“Test connection” button. Its only network call is fetch() against
WordPress’ own admin-ajax.php (same origin); no third-party endpoint
is contacted.
Inline SVG icons (the shield logo, the menu icon, and trust-badge
glyphs) are emitted from PHP via wp_kses() with an explicit allow-list
— no element points at an external host.
The complete list of files distributed in the WordPress.org ZIP is
visible at Plugins → Plugin File Editor once the plugin is installed.
Third-party services and licences
GPLv2 (or later) licence text is bundled with the plugin in the
LICENSE file at the plugin root and is also referenced from the
plugin header (License URI: https://www.gnu.org/licenses/gpl-2.0.html).
No third-party PHP, JavaScript, or CSS libraries are bundled with
the plugin. There is no Composer vendor/ directory, no jQuery copy,
no minified third-party bundle. WordPress itself supplies any global
scripts (jquery, wp-list-table, etc.) and the plugin only depends
on WordPress core APIs.
The only external HTTP service the plugin can talk to is the
https://reportedip.de/wp-json/reportedip/v2/ API, and only when the
administrator has explicitly enabled Community Network mode — see
the “External services” section above for the full data flow.
Privacy
IP addresses are processed under GDPR Art. 6(1)(f) (legitimate interest in network security).
Usernames are stored as a salted SHA-256 hash; plain-text values are never persisted or transmitted.
In Local Shield mode (default) no data leaves your server.
In Community Network mode the data listed above is sent to reportedip.de.
Data retention is configurable in Settings → Privacy. The default attempt window is 15 minutes; the API queue retention is 7 days.
Activate “Delete all data on uninstall” in Settings → Privacy to remove all plugin tables and options when the plugin is deleted.
Disclaimer
ReportedIP Hive Light is provided “as is”, without warranty of any kind, express or
implied, including but not limited to warranties of merchantability, fitness
for a particular purpose, and non-infringement. The author shall not be liable
for any claim, damages, or other liability arising from the use of this
software (this is the standard GPLv2-or-later disclaimer; see the LICENSE
file for the full text).
The plugin provides defense-in-depth against brute-force and password-spray
login attacks. It does not replace strong passwords, two-factor
authentication, server-level firewalls, or web-application firewalls. No
single security measure offers a 100 % guarantee against compromise. You
remain responsible for the overall security posture of your WordPress site.
The optional Community Network mode forwards data to the third-party service
operated at https://reportedip.de — see the “External services” section
above for the full data flow. Site operators that enable Community Network
mode are responsible for assessing the lawful basis under their applicable
data-protection regime (in the EU, GDPR Art. 6(1)(f) — legitimate interest
in network security — typically applies) and for updating their own privacy
policy accordingly.
