Scan and fix multiple WordPress websites from a centralized dashboard, combining the power of Jetpack and MainWP.

This article is only for customers using MainWP alongside Jetpack. If you’re not using MainWP, please see our general documentation about Jetpack Scan.

Manage your WordPress websites with MainWP, and ensure their security by leveraging the power of Jetpack Protect and Jetpack Scan.

Useful Links

• Jetpack Protect Extension for MainWP 
• Jetpack Scan Extension for MainWP 
• MainWP and Jetpack Partnership Announcement

Jetpack Firewall examines incoming traffic to your site and decides to allow or block it based on various rules. This adds an important layer of protection to your site, particularly when attackers actively exploit unpatched vulnerabilities. 

The Firewall Premium features require a connection to a WordPress.com account and a plan that has a Scan feature, like Jetpack Security, Jetpack Complete, or Jetpack Scan, to allow or block incoming traffic based on various rules.

Activate Jetpack Firewall

1. Install and activate the Jetpack Protect plugin. 

2. Once activated, you can select either a paid or a free plan.

The free plan allows manual rules only to be used, providing the ability to block or allow specific IP addresses from accessing your site. It also includes Brute Force Protection. The paid plan offers automatic firewall rules that identify and block harmful requests. 

3. After choosing a plan, you will be redirected to the Jetpack Protect page and see the first scan started:

4. To access Jetpack Firewall settings, you can click the Firewall tab inside the Protect settings page, or navigate to Jetpack → Protect.

The free plan allows for the use of Jetpack’s Brute Force Attack Prevention and manual rules. The Automatic rules option requires a paid plan.

Upgrading to a paid plan will enable the automatic rules:

To add manual rules, use the toggle to turn on the feature. When enabled, an “Edit manual rules” button will be displayed on the right side. Click the button and a new modal will be displayed where manual rules can be edited. You can add IP addresses to your block / allow list by entering complete IP addresses, separated by commas. Adding IP ranges or IP addresses in CIDR notation is not currently supported. Once you’ve entered IP addresses into your block / allow list, click on Save Settings to save your block / allow list.

Privacy Information

This feature is deactivated by default. You can activate the feature by visiting the Jetpack Protect dashboard and clicking the toggle in the firewall tab.

Data Used
Site Owners / Users This feature evaluates the incoming HTTP requests and blocks them if they’re considered malicious. User data is used to authenticate some of our APIs. Installed themes and plugins and WordPress version are used to know which versions we should check against the WPScan API in the free version of the WAF.	Site Visitors None.
Activity Tracked
Site Owners / Users If the Share data with Jetpack checkbox is selected we track which rules caused a request to be blocked. We don’t track actual request data with this option. Jetpack Firewall also tracks when settings in the Firewall settings are turned on or off.	Site Visitors None.
Data Synced (Read More)
Site Owners / Users Information about users/admins, installed themes and plugins, and WordPress version.	Site Visitors None.

For general features and FAQs, please see our Jetpack Security features.

Jetpack Protect is a free security plugin for WordPress that scans your site and warns you about vulnerabilities, keeping your site one step ahead of security threats and malware.

What do I need to run Jetpack Protect on my site?

• A web host that meets the WordPress host requirements.
• The latest version of WordPress. If your version of WordPress is out of date, you’ll see a prompt to automatically upgrade with a single click, or can upgrade manually.
• A WordPress.com account. Don’t have one yet? Sign up for one here, or create one during the Jetpack connection flow. You only need one WordPress.com account to access all our services (including Akismet, Crowdsignal, Gravatar, and WordPress.com itself). If you use any of these services, you already have a WordPress.com account to connect to Jetpack. You can reset your WordPress.com password if you need to.
• A publicly accessible WordPress site: no password protection or Coming Soon / Maintenance Mode plugin in use.
• A publicly accessible XML-RPC file.

Installing Jetpack Protect

Installing Jetpack Protect can be done from your site’s WP Admin. To install Jetpack Protect via the WP Admin:

1. Go to Plugins → Add New.
2. Search for Jetpack Protect. The latest version will show in the search results. Click Install Now.

3. Click Activate.

4. After activating, you will be prompted to run Jetpack Protect.

4. After some minutes, your results will show on the Jetpack Protect page.

Starting Your First Scan

Once you’ve installed the plugin, your first malware scan will begin automatically.

You can visit the Jetpack Protect dashboard in your WordPress admin panel to see the security threats and malware found by the integrated malware scanner.

When the malware scanner finds a security threat, you can view the recommended actions on the Jetpack Protect dashboard to secure your sites.

Note: It is not possible to set a time for the automated daily scans. They will run roughly every 24 hours.

FAQ

Is Jetpack Protect the same thing as the Protect feature in the Jetpack plugin?

The new Jetpack Protect plugin is different from the Jetpack feature formerly known as Protect (now renamed Brute Force Attack Protection). 

The features of the new Jetpack Protect plugin are not included in the Jetpack plugin, and both plugins can be installed together without any issues.

Can I set the time of the daily security scan?

It is not possible to set a time for the automated daily scans run by the integrated malware scanner.

Will Jetpack Protect work on my local site?

Jetpack Protect requires a publicly accessible site to perform the vulnerability scan.

What are the differences between Jetpack Protect, Jetpack Scan, and WPScan plugins?

Jetpack Protect and Scan do not have any limit on the number of plugins and themes you can scan. WPScan has a daily cap based on your API usage.

For now, in Jetpack Protect, you can track your scan results only through the plugin’s dashboard. Jetpack Scan and WPScan have additional notifications such as email.

Jetpack Protect runs daily automated scans. Jetpack Scan and WPScan provide on-demand scan options on top of automatic scans. 

Jetpack Scan has one-click fixers for most vulnerabilities. Protect does not have any fixers at this time, but it provides “how-to-fix” guides so that you can fix vulnerabilities manually. 

Jetpack Protect and WPScans are standalone plugins that don’t need additional plugins to run, while Jetpack Scan needs the Jetpack plugin to work.

Jetpack Protect is a free plugin, and WPScan has free and paid options. On the other hand, Jetpack Scan is a paid plugin that you can purchase with a 14-day money-back guarantee. As with other paid Jetpack plugins, Scan users also have access to our priority support.

How will I know if Jetpack Protect has found WordPress security vulnerabilities and malware?

You can visit Jetpack Protect dashboard in your WordPress admin panel to see the security threats and malware found by the integrated malware scanner.

What do I do if Jetpack Protect finds a security threat?

When the malware scanner finds a security threat, you can view the recommended actions on the Jetpack Protect dashboard to secure your sites.

Can I set the time of the daily security scan?

It is not possible to set a time for the automated daily scans run by the integrated malware scanner.

Why do I need WordPress security and malware scan?

A hacked WordPress site can cause serious damage to your business revenue and reputation. Jetpack Protect scans your site and lets you know possible malware and security threats on your installed plugins, themes, and core files.

Where can I learn more about WordPress security and malware threats?

To learn how to achieve better WordPress security, see this guide. On the Jetpack Blog, you can find many more articles written by the top WordPress security experts.

Privacy Information

This feature is deactivated by default. It can be activated at any time by installing the plugin and activating it. For general features and FAQs, please see our Jetpack Security features.

Data Used
Site Owners / Users We use the data synced for authentication of some APIs, to check themes, plugins, and WordPress version against the WPScan API in the free version of the plugin.	Site Visitors None.
Activity Tracked
Site Owners / Users We track pageviews and clicks on pricing pages, clicks on upgrade prompts, and interactions with the application (example: what kinds of threats are clicked on).	Site Visitors None.
Data Synced (Read More)
Site Owners / Users We sync data related to installed plugins and themes, and WordPress version.	Site Visitors None.

Looking for more information about using the WAF with the Jetpack Protect plugin? See our article about the Jetpack Protect Plugin.

Jetpack’s WAF (Web Application Firewall) examines incoming traffic to a WordPress site and decides to allow or block it based on various rules. This adds an important layer of protection to your site, particularly when attackers actively exploit unpatched vulnerabilities.

With the WAF, you can configure IP addresses that will never be blocked (even if a rule would normally) or always be blocked (regardless of the rules). To allow or block incoming traffic based on various rules, you will need a plan that includes Jetpack Scan, such as Jetpack Security, Jetpack Complete, or Jetpack Scan, and a connection to your WordPress.com account.

If you previously had a Jetpack plan that includes Jetpack Scan and/or your site becomes disconnected from your WordPress.com account, you will continue to have access to the firewall settings in your Jetpack dashboard. This is to ensure that your IP allow/block lists and previous firewall rules remain functional.

Turning on the firewall

This feature is deactivated by default when you connect Jetpack to your WordPress.com account. It can be activated at any time on your Jetpack Settings page. To enable Jetpack WAF:

1. Select Jetpack → Settings → Security → Firewall in your site’s WP Admin
2. Enable Protect your site with Jetpack’s Web Application Firewall

How do I update the firewall options?

To add IP addresses to a block/allow list:

1. Select Jetpack → Settings → Security → Firewall in your site’s WP Admin
2. Enable Allow / Block list – Block or allow a specific request IP

You can add IP addresses to your block / allow list by entering complete IP addresses, separated by commas. Adding IP ranges or IP addresses in CIDR notation is not supported at the moment.

Once you’ve entered IP addresses to your block / allow list, click on Save Settings to save your block / allow list.

These are the firewall options:

• Allow / Block list – Block or allow a specific request IP: This option allows you to add an IP blocklist and IP allowlist to your site.
• Share data with Jetpack: This option allows Jetpack to collect data to improve the firewall protection and rules. You can check Jetpack Privacy before you set this option.
• Enhance Protection:
• You don’t need to activate Enhance Protection; however, if you want the firewall feature to be able to inspect all requests and run them before WordPress initializes, this is how:

In case you want to activate the Enhance protection, you need to contact your hosting support to make the changes on the server level.

Upgrade notification

If you don’t have a Scan subscription yet, a notification will show on your firewall options. After upgrading, the notification disappears.

Troubleshooting

What happens if I don’t renew my subscription?

Any rules delivered to the site will remain functional after the subscription lapses or is removed.

Can I use the IP allow and block lists behind a reverse proxy (like Cloudflare)?

The IP allowlists/blocklists currently have no way to configure trusted proxies and trusted headers and thus won’t work behind any sort of reverse proxy or load balancer setup.

My site went down after I activated the Firewall feature.

If you need to deactivate the firewall without access to the Jetpack settings screen, you can:

• Modify your wp-config.php: add the line define( 'DISABLE_JETPACK_WAF', true ); to your wp-config.php file
• Use WP-CLI: if you have WP-CLI installed, use the command wp jetpack-waf teardown

Privacy Information

This feature is deactivated by default. It can be activated at any time at Jetpack → Settings → Security → Firewall and by clicking on Protect your site with Jetpack’s Web Application Firewall.

Data Used
Site Owners / Users This feature evaluates the incoming HTTP requests and blocks them if they’re considered malicious. User data is used to authenticate some of our APIs. Installed themes and plugins and WordPress version are used to know which versions we should check against the WPScan API in the free version of the WAF.	Site Visitors None.
Activity Tracked
Site Owners / Users If the Share data with Jetpack checkbox is selected we track which rules caused a request to be blocked. We don’t track actual request data with this option. Jetpack Firewall also tracks when settings in the Firewall settings are turned on or off.	Site Visitors None.
Data Synced (Read More)
Site Owners / Users Information about users/admins, installed themes and plugins, and WordPress version.	Site Visitors None.

For general features and FAQs, please see our Jetpack Security features.

Jetpack Anti-spam, powered by Akismet, automatically filters spam comments and contact form submissions on your site. Using Jetpack Akismet Anti-spam requires a Jetpack Security, Jetpack Complete, or Jetpack Akismet Anti-spam plan, or a legacy plan that includes anti-spam.

Getting Started with Jetpack Akismet Anti-spam

Once you’ve purchased your Jetpack Akismet Anti-spam plan and connected your site to Jetpack, your site should be all set to start blocking comment and contact form spam. You can confirm that Jetpack Akismet Anti-spam is active on your site by going to Jetpack → Dashboard in WP Admin and scrolling to the Security section of the page.

There will be a section titled Anti-spam. In that section, you should see a message that lets you know that Jetpack Akismet Anti-spam is monitoring comments on your site. From here, you can also click Moderate comments to go to Comments in WP Admin.

If you don’t see the message about Jetpack Akismet Anti-spam monitoring comments, you’ll see a notice asking you to Upgrade or Activate Akismet. If you haven’t purchased a Jetpack Akismet Anti-spam plan, Upgrade will take you through the process of purchasing the plan.

Clicking Activate Akismet will take you to a page where you can activate Akismet with your API key or by connecting to Jetpack. If you have already activated Akismet, you will see various configuration settings.

Configuring Jetpack Akismet Anti-spam

By navigating to Jetpack → Anti-spam in WP Admin, you can configure a number of different settings.

• API Key: This API key should be pre-filled when you purchase your Jetpack Akismet Anti-spam plan.
• Comments: Checking this box will allow the number of approved comments to appear next to each comment author when viewing Comments in WP Admin.
• Strictness: This setting allows you to decide how you want to manage your spam. You can allow Jetpack Akismet Anti-spam to automatically discard spam or put in the spam folder for you to review.
• Privacy: This setting allows you to display a privacy notice under your comment forms.

Frequently Asked Questions

Does Jetpack Akismet Anti-spam work with form submissions?

If you use Jetpack’s contact form (either the Form block, or the classic editor version), then all of your contact form submissions are automatically checked for spam by Akismet. You can also manually mark comments as spam/not spam via the Feedback section of WP Admin.

For more information on using Jetpack Akismet Anti-spam with other form plugins, please see this support article from Akismet about how to use Akismet with your contact forms.

How do I confirm if Jetpack Akismet Anti-spam is working?

Please see this support article from Akismet about how to confirm Akismet is working.

How does Jetpack Akismet Anti-spam block spam submissions on comments and forms?

Jetpack Akismet Anti-spam is powered by Akismet, which uses state of the art algorithms and methods to block spam submissions. To date, Akismet has blocked more than 500 billion pieces of spam, averaging about 7.5 million per hour.

Do I need to use a captcha with Jetpack Akismet Anti-spam?

No. With Jetpack Akismet Anti-spam enabled, spam submissions are filtered automatically, which makes it easier for legitimate visitors on your site to engage with your comments section or to submit a form.

Do I need to manually review comments and form submissions when using Jetpack Akismet Anti-spam?

No. Anything that Jetpack Akismet Anti-spam thinks is spam is automatically moved to your site’s spam section. On the off chance that some spam does get through, you can mark it as spam which will make Anti-spam recognize submissions like that as spam in the future.

How many API calls do I get per month with Jetpack Akismet Anti-spam?

Anti-spam comes with 10k API calls per month, which should be more than enough for a small business. If you need more API calls, you can upgrade to one of Akismet’s higher tier plans.

Does Jetpack Akismet Anti-spam report the amount of blocked spam?

Yes. On the Jetpack Dashboard (WP Admin > Jetpack > Dashboard) there is a stats card that shows the number of spam comments and submissions blocked on your site from Anti-spam.

It can be scary and stressful when your website is hacked, but it needn’t be a disaster.

If you use Jetpack Scan to monitor your site, it will notify you of any potential threats. In many cases, these can be resolved with the click of a button. However, sometimes a website can get hacked more severely, meaning a “one-click” fix is not possible.

Jetpack Scan is not intended to be a service to clean up already hacked or malware-infected sites. While we can possibly fix some already hacked files after a plan is bought, we do rely on the site not being infected at the time of purchase and having a clean version to compare any changed files to.

This article will help guide you through the process of identifying and cleaning up a hacked site, as well as strengthening the site’s security to help prevent future hacks.

How to tell if your site has been hacked

The first step is confirming that your site has really been hacked, and isn’t just experiencing a more easily resolved error. The following issues are a good indication that your site has been hacked:

• Your site is redirecting to another website with malicious or spammy content
• Your site contains links to spam sites, which you did not add, and you can’t remove them
• You find pages on your site that you don’t recognize via a Google search
• Google shows warnings for your site, such as “This site may be hacked,” “Deceptive site ahead,” “The site ahead contains malware,” etc.
• You scan your site with a tool such as Jetpack Scan, and it detects security threats which can’t be resolved automatically
• You can check if Google currently lists your site as unsafe with their Safe Browsing Site Status tool

Cleaning a hacked site

If you’re sure your site has been hacked, you can follow these steps to resolve the issue:

1. Contact your hosting provider

Your host should be the first port of call, as they may be aware of a wider issue, especially if you are on shared hosting. In most cases, your host may be able to deal with the issue for you, saving you a lot of work.

2. Restore from a backup

If you have a backup of your site from before it was hacked, either from your host or with a dedicated backup service like Jetpack Backup, then restoring to that point may do the trick.

However, if the hack lies within files that aren’t included in the backup, then the issue may remain even after restoring the site.

It’s also worth noting that you could lose content added after the point you’re restoring to, so this may not be an ideal option and should be a last resort.

3. Cleaning hacked files

If your host is unable to assist, and restoring the site is not an option, then it’s time to do some detective work to find the source of the problem. Make sure you have a full backup of your site before starting this, as removing/editing your site’s files can make for even more work if something goes wrong.

First, check the results of any malware plugins or services you’re using. They may provide a list of suspicious files, which is a good starting point.

WordPress core files

If the affected file(s) are part of WordPress core, you can compare the code to a clean download from WordPress.org and remove any code that doesn’t belong there.

Another option is to completely reinstall WordPress to ensure all core files are clean. You can do that via Dashboard > Updates, by clicking ‘Re-install now.’ It sounds scary, but this will only replace the files at the very core of WordPress and will not remove or replace any of your content, media, themes, or plugins.

Themes

If the infection is a part of a theme, you can install a fresh copy if you’re using it or uninstall the theme completely if you’re not using it. If you’re unable to clear the threat through this method, you should contact your theme’s developer for guidance.

Plugins

If the problem lies within a plugin, you can also install a fresh copy or delete it if you’re not using it as with the theme process above. For advanced users, you can determine if a plugin installed or downloaded from the WordPress.org Plugin Repository has a threat in it by following these instructions:

1. Check which file is affected
2. Click “Edit this file” to see that plugin’s code
3. Copy the URL slug of plugin (e.g. “code-snippets”)
4. Search for that plugin’s slug on WordPress.org
5. Go to Plugin > Development > Browse the code
6. Find “Tags”
7. Open tag matching your installed plugin version
8. Locate the correct file and download it
9. Open the file in a text editor
10. Use “Find” and copy/paste the entire code from step 2 and search
11. If the code matches the plugin’s code from the WordPress.org Plugin Repository, you have a false positive and the plugin is working as intended! If not, we recommend consulting with an expert who can clean the site safely.

If the plugin is not in the Repository, you can contact the plugin’s developer and have them check the code identified as malicious by Jetpack Scan.

Not sure what the file is?

If you don’t understand the purpose of the affected files, you may need to consult an expert who can help you clean the site safely.

If you want to explore further and learn how to clean up various types of hacks, Google has an in-depth guide to cleaning hacked sites.

Tightening security after cleaning your hacked site

Once your site is free from malware, it’s important to follow these steps to secure your site, as failing to do so may leave your site open to another hack from the same point of vulnerability.

1. Make sure WordPress and all of your themes and plugins are kept updated

Outdated plugins, themes, and WordPress files are an extremely common source of vulnerability. Keeping them all updated to the latest version is one of the best ways to protect your site and keep it running efficiently. Also, be sure to fully uninstall any themes or plugins you are not using.

2. Reset all passwords

In case any of your passwords have been compromised, you should change your password for everything you can think of, including your:

• Hosting account
• Email accounts
• Website’s admin accounts
• FTP/SFTP/SSH credentials
• Database passwords
• The password to unlock any device you’ve edited your site with

Make sure you use a strong and unique password for each site, device, or program to avoid a domino effect if one is ever compromised.

3. Audit your site’s user accounts

Check your user list via Users > All Users inside your site’s dashboard and make sure there aren’t any administrator accounts that you don’t recognize. Remove any suspicious user accounts.

4. Update your WordPress secret keys

Your site’s wp-config.php file contains secret keys/”salts” which are used for encryption. You should generate new secret keys and replace the old ones in that file. Your webhost may have an automatic tool on their side to do this.

5. Scan your site regularly

The measures above will help keep your site safe, but nothing is 100% guaranteed, so you should use an automated scanning service such as Jetpack Scan to make sure you are alerted of any future security threats so you can deal with them quickly.

Removing your site from “unsafe” lists

If your site is listed as unsafe by Google or McAfee, then you will likely still see warnings on your site even after the hacked files have been cleaned or even removed.

To get that warning lifted, you’ll need to request a review of your site from Google, or submit a dispute request from McAfree.