ReportedIP Hive Light
| 开发者 | reportedip |
|---|---|
| 更新时间 | 2026年5月20日 19:33 |
| PHP版本: | 8.1 及以上 |
| WordPress版本: | 6.9 |
| 版权: | GPLv2 or later |
| 版权网址: | 版权信息 |
详情介绍:
ReportedIP Hive Light protects WordPress logins against brute-force and password-spray attacks. It is intentionally focused: a per-IP attempt counter, a progressive block ladder, and an optional community lookup. No bloat, no dashboards, no upsell.
Two operating modes
- Local Shield (default). Counts failed logins per IP and blocks attackers based on configurable thresholds. The plugin makes zero outbound network requests in this mode — all data stays on your server.
- Community Network (optional). When you enter a free Community Access Key from reportedip.de, the plugin additionally checks the source IP against the reportedip.de community database during login attempts and shares blocked IPs back to the community. Both calls are clearly disclosed in the settings UI.
wp_login_failedincrements a per-IP counter using an atomic upsert (no race conditions under concurrent attacks).- When the counter exceeds your threshold, the IP is blocked for a duration drawn from a progressive ladder (5 min → 15 min → 30 min → 24 h → 48 h → 7 days).
wp_authenticate_usershort-circuits known-bad IPs before the WordPress core authentication runs.- Cache plugins (WP Rocket, W3 Total Cache, WP Super Cache, LiteSpeed) are honoured via the HTTP 403 status plus explicit
Cache-Control: no-store, no-cache, must-revalidate, max-age=0andPragma: no-cacheheaders on the block page.
- IP addresses are processed for the legitimate purpose of network security (GDPR Art. 6(1)(f)).
- Usernames are stored only as a SHA-256 hash, salted with
wp_salt(). Plain-text usernames are never persisted or transmitted. - In Local Shield mode, no data leaves your server. In Community Network mode, only the IP, hashed username, event type, and timestamp are sent — no domain, no contact details, no traffic data.
- Filters:
reportedip_hive_is_whitelisted,reportedip_hive_get_client_ip,reportedip_hive_event_category_map,reportedip_hive_api_endpoint. - Actions:
reportedip_hive_log,reportedip_hive_ip_blocked,reportedip_hive_report_queued.
安装:
- Upload the
reportedip-hivefolder to/wp-content/plugins/, or install via Plugins → Add New. - Activate the plugin from the WordPress Plugins screen.
- Go to ReportedIP Hive Light → Settings and review the Connection / Protection / Privacy tabs.
屏幕截图:
常见问题:
How do I get a Community Access Key?
Register at reportedip.de. The Community Access Key tier is free.
Can I use the plugin without an access key?
Yes. The default mode is Local Shield, which uses only your site's data and does not contact any external service. The plugin remains fully functional.
Will the plugin lock me out of my own site?
It might, if you fail logins repeatedly from your own IP. To recover, either wait until the block expires or delete the row from the wp_reportedip_hive_blocked database table (e.g. via phpMyAdmin or WP-CLI: wp db query "DELETE FROM wp_reportedip_hive_blocked WHERE ip_address = 'YOUR_IP'").
How do I unblock my own IP from the admin UI?
Visit ReportedIP Hive Light → Blocked IPs, select the row, and choose "Unblock selected" from the bulk actions menu.
What data does the plugin send to reportedip.de?
In Community Network mode only: the IP address, a SHA-256 hash of the submitted username (salted with wp_salt()), an integer category ID for the event type, and an optional comment. Plain-text usernames, passwords, domains, or contact details are never transmitted. See the "External services" section for full details.
Does the plugin protect Application Passwords?
No. This release protects standard wp-login.php logins. Application Passwords use a separate authentication path that is not currently monitored.
Does it work with WooCommerce login forms?
Yes. WooCommerce uses the standard wp_login_failed action, which the plugin listens to. WooCommerce login attempts are counted alongside regular login attempts.
My site is behind Cloudflare. Are real IPs detected?
Set Trusted Proxy Header in Settings → Connection to CF-Connecting-IP. Only enable this when your reverse proxy reliably overrides the header on every incoming request — otherwise the header can be spoofed.
更新日志:
1.3.5
- Add wp.org plugin-directory listing assets: 128x128 + 256x256 icons (static PNG and animated GIF with a heartbeat-pulse loop), 1544x500
- 772x250 hero banners, and five 1280x720 screenshots covering the Connection, Protection and Privacy tabs, the Blocked IPs list view and the empty state. No code change in this release.
- Restore the design-system CSS frame on the Settings, Blocked IPs and
Whitelist sub-pages. The 1.3.2 display rename changed the WordPress
submenu hook suffix from
reportedip-hive_page_*toreportedip-hive-light_page_*, but the enqueue gate still matched the old prefix and silently skipped the asset enqueue. Hook suffixes are now captured from the menu-API return values so the gate stays correct regardless of the menu title. - Stop the API report queue from filling with duplicates during a
sustained brute-force.
wp_login_failednow short-circuits when the source IP is already blocked, andqueue_api_reportdeduplicates against any open (pendingorprocessing) report for the same IP. One incident yields exactly one outbound community report instead of one per retry; the block-escalation ladder no longer steps on every attempt against an already-locked door.
- Add
.gitto.distignoreso the GitHub-Actions deployment no longer copies the repository's Git metadata directory into the wp.org SVN. The 1.3.2 release accidentally shipped atrunk/.git/andtags/1.3.2/.git/; both have been removed from SVN.
- Rename the user-facing plugin title to ReportedIP Hive Light in the WordPress plugin listing, the wp.org listing, the admin menu, the setup wizard, the welcome notice, and the privacy-policy suggestion. Plugin slug, text domain, class prefix, option keys and database tables are unchanged — display-name only, no migration.
- Add a GitHub source-code link to the
Service providersection of the readme and convert the existing reportedip.de URLs to Markdown links so the wp.org renderer turns them into clickable anchors.
- Remove the
DONOTCACHEPAGE/DONOTCACHEDB/DONOTCACHEOBJECTdefines from the block-response path. The HTTP 403 status plus explicitCache-Control: no-storeandPragma: no-cacheheaders continue to instruct WP Rocket, W3 Total Cache, WP Super Cache and LiteSpeed not to cache the block page. - Fix the legal-notice URLs in
readme.txtto point at the canonical Impressum, Nutzungsbedingungen and Datenschutzerklaerung pages on reportedip.de.
- Add long-term "Defended attacks" statistics to the dashboard with rolling-window block counts for the last 24 hours, last 7 days, last 30 days, and all time.
- Add a Dashboard landing page (Settings → ReportedIP Hive) with 4 stat cards (active blocks, blocks last 24 h, attempts last 24 h, whitelist size), an operation-mode summary, the report-queue status (pending / processing / completed / failed), and a recent-activity list.
- Track outbound API calls per rolling 1-hour window and visualise the quota with a progress bar on the dashboard. When the configured maximum is reached, IP-reputation lookups are skipped (login still proceeds — fail-open) until the window resets.
- Settings, Blocked IPs and Whitelist are now sub-pages of the new Dashboard.
- Add an IP whitelist with optional CIDR ranges, expiry, and a dedicated admin page (Settings → ReportedIP Hive → Whitelist).
- Add a 4-step setup wizard that runs on first activation (Welcome → Operation mode → Protection → Done).
- Replace the WordPress default "Settings saved" notice with a design-system alert rendered immediately under the page header.
- Polish admin chrome — branded shield logo, three iconed trust badges (Security Focused / GDPR Compliant / Made in Germany), better contrast on the welcome notice.
- Hide the Community Access Key card unless the operation mode is set to Community Network.
- Schema bumped to v1.1.0 (idempotent migration on activation).
- Initial release.