A free public REST API, a community blacklist you can pull as a feed or query over DNS, security tools, and a WordPress plugin — all powered by a real-time community network. Hosted in Germany, fully GDPR compliant, free tier across the board.
Free, no signup required. See the current confidence score, threat categories, recent reports, and geolocation in seconds.
Every IP that gets reported is scored, weighted, and made available through the public API and blacklist feed. These numbers update in real time.
The 10 most recent IPs flagged by the community network. Refreshes every 30 seconds.
FR6,068 reports
NL510 reports
TR960 reports
DE15 reports
MY14 reports TR759 reports
US858 reports
BG3,598 reports DE20,713 reports US2,746 reportsPick what you need. Query the API directly, drop the blacklist into your firewall or query it over DNS, install the WordPress plugin, or run a honeypot — everything talks to the same community-powered reputation database.
Public REST API · Free Tier
The reputation engine behind everything. Query individual IPs, submit reports, pull the community blacklist, run bulk operations from any language or system — fail2ban, SIEM, custom firewalls, hosting panels.
Community Blacklist · Free Tier
Community-driven blacklist, automatically scored from real-time reports. Plain text, JSON, and CSV — ready to drop into fail2ban, iptables, nginx, Postfix, or any blocklist consumer.
DNS Blocklist (RBL) · Paid add-on
Query the community blacklist as a DNSBL straight from your mail server or firewall. A private, token-authenticated zone (bl.reportedip.de) answers reverse-IP lookups with 127.0.0.x codes — no API client, no integration code.
WordPress Plugin · Two Editions
Real-time WordPress security from the hive. Pick the Full Edition (GitHub) for sixteen sensors incl. a Web Application Firewall, four-method 2FA and multisite, or grab the Light Edition from WordPress.org for focused brute-force protection. Free and open source either way.
DNS Diagnostics · Free
Domain health diagnostics from 76 DNS servers across 6 continents. Validate SPF, DKIM, DMARC, and DNSSEC, run DNSBL lookups, and track DNS propagation during migrations.
Standalone PHP App · Free
A standalone PHP application that pretends to be WordPress, Drupal, or Joomla. 36 built-in threat analyzers detect SQLi, XSS, brute force, credential stuffing, plugin exploits, and feed clean data back into the network.
Aggregated, anonymised attack origins from honeypots, sensors, and contributors worldwide. Refreshed every 30 minutes.
Whatever your role, we have a free entry point. Use one product or chain several together.
Install Hive in 5 minutes. The Full Edition (GitHub) ships 16 sensors and four-method 2FA; the Light Edition on WordPress.org keeps it lean with brute-force protection only. Both stay free forever, both open source.
Bulk-check incoming IPs via the API before they hit your customers. Pull the community blacklist into your edge firewall daily. Higher quotas on Pro+.
Drop the blacklist into fail2ban, iptables, nginx, or Postfix. Plain text, JSON, hourly refresh. Free tier covers most use cases out of the box.
Run our standalone PHP honeypot on any VPS — 36 threat analyzers, all detections feed back into the public reputation engine. You contribute, the whole community benefits.
Release notes, threat-intelligence reports, and practical security guidance from the team that runs the network.
The Hive plugin is free and open source forever. Paid plans add managed 2FA mail and SMS relay, multi-site management, and higher API quotas.
Local protection, free forever
Solo developers and small sites
14-day money-back guarantee. Cancel anytime.
Agencies, WooCommerce, white-label
14-day money-back guarantee. Cancel anytime.
Includes Contributor and Enterprise tiers plus the full feature comparison table.
Common questions about the API, blacklist, and the platform as a whole. Plugin-specific questions live on the plugin page; the full FAQ is at /faq/.
Two paths, depending on how fresh you need the data. For broad coverage, pull the community blacklist feed directly — an hourly-refreshed text file you can drop into an ipset with a single cron job, no API key required. For per-IP scoring at the moment of a request — for example inside a fail2ban action or a custom firewall rule — call the REST API with a free account (1,000 checks per day). We publish working fail2ban filter examples and a ready-to-run iptables ipset script in the documentation, plus nginx and Postfix snippets. Most operators combine both: the feed for bulk blocking, the API for real-time decisions on traffic that is not yet on the list.
Every IP carries a confidence score from 0 to 100 that estimates how likely it is to be malicious. Five weighted components feed it: the number of reports, reporter diversity (independent sources count for more than one noisy reporter), recency (reports under 24 hours old weigh most), the severity of the threat category, and a bonus for reports confirmed by verified honeypots. Reports decay exponentially on a 30-day half-life — after 30 days a report carries half its weight, after 60 days a quarter — so an IP that stops attacking is delisted automatically. An IP needs at least five reports to exceed 50 and ten to pass 75. Add verbose=true to any check to see the full breakdown.
Plain-text and JSON exports are served from /wp-json/reportedip/v2/blacklist; add ?format=txt for one IP per line or ?format=csv for spreadsheets and SIEM imports. The same data is mirrored to Git at github.com/reportedip/reportedip-blacklist with a diff-friendly commit history, so you can track exactly which IPs were added or removed each day and pin a specific revision if you need reproducible builds. The feed is free for any use and attribution is appreciated. Entries are scored by the same confidence engine as the API, so a single threshold keeps your block list both current and low on false positives.
Yes. The DNS / RBL Zone add-on gives you a private, token-authenticated zone — <token>.bl.reportedip.de — that any mail server, firewall or spam filter can query exactly like Spamhaus or any other DNSBL. It follows RFC 5782, covers both IPv4 and IPv6, and returns the usual 127.0.0.x response codes so existing Postfix, Exim or rspamd configurations work without custom glue. Because lookups happen over DNS they are cached by your resolver and add almost no latency to mail flow. The zone is rebuilt from the same scored dataset as the public feed, and each token has its own daily query quota.
Yes. ReportedIP is operated by a German company (CMS ADMINS, Munich) and all processing runs on German infrastructure under EU data-protection law (GDPR). Every sub-processor is EU-based: the managed reportedIP mail / SMS relay, Stripe Payments Europe (Ireland) for billing, and sevDesk (Germany) for invoicing. No personal data leaves the EU, and a data-processing agreement is available for business customers. IP addresses in reports are handled as the minimum necessary for the security purpose and aged out over time. For teams with a compliance requirement to keep threat-intelligence data inside the EU, this is the core reason they pick ReportedIP over US-hosted alternatives.
No. The IP check at the top of this page is open to everyone and needs no signup; it is rate-limited to 100 lookups per IP per day to keep it free and abuse-resistant. That is enough for occasional manual checks when you spot a suspicious address in your logs. For programmatic access — scripting, fail2ban actions, bulk work or anything that runs on a schedule — create a free account, which raises the limit to 1,000 checks and 50 reports per day and gives you an API key plus a usage dashboard. Higher tiers lift the quotas further and add bulk endpoints and multi-site management.
Three concrete differences. First, ReportedIP is EU-hosted with explicit GDPR compliance and EU-only sub-processors, with a data-processing agreement on offer. Second, the scoring is fully transparent: add verbose=true to any check and you see every component of the confidence score — report count, diversity, recency, severity, honeypot bonus — rather than an opaque number. Third, the clients are open source where they can be: the WordPress plugins (Hive and Hive Light), the honeypot server and the DNS checker are GPL-2.0 and auditable on GitHub or wp.org. Scoring is time-decayed on a 30-day half-life with a configurable honeypot weighting, so dormant attackers fall off automatically and synthetic intel stays trustworthy. See the full ReportedIP vs. AbuseIPDB comparison.
Yes. Any system can submit reports via POST /reportedip/v2/report with a free API key — a fail2ban-style automated reporter running on your own server is exactly the kind of contribution the network is built on. Honeypot operators get a special badge and their reports carry extra weight, because honeypot traffic is unsolicited and therefore high-signal, but you do not need one to take part. Reporter diversity is itself a scoring factor, so every independent source you add makes the whole dataset more reliable. Just register a free account, generate a key, and point your existing log-watching tooling at the report endpoint.
Pick your entry point: grab a free API key, install the WordPress plugin, or browse the documentation. No credit card required, no commitment.
