Getting Started with the Jetpack Protect Plugin

The Jetpack Protect plugin is a free security plugin for WordPress that scans your site and warns you about vulnerabilities, keeping your site one step ahead of security threats and malware.

What do I need to run Jetpack Protect on my site?

  • A web host that meets the WordPress host requirements.
  • The latest version of WordPress. If your version of WordPress is out of date, you’ll see a prompt to automatically upgrade with a single click, or you can upgrade manually.
  • A WordPress.com account. Don’t have one yet? Sign up for one here, or create one during the Jetpack connection flow. You only need one WordPress.com account to access all our services (including Akismet, Crowdsignal, Gravatar, and WordPress.com itself). If you use any of these services, you already have a WordPress.com account to connect to Jetpack. You can reset your WordPress.com password if you need to.
  • A publicly accessible WordPress site: no password protection or Coming Soon / Maintenance Mode plugin in use.
  • A publicly accessible XML-RPC file.

Installing Jetpack Protect

Installing Jetpack Protect can be done from your site’s WP Admin. To install Jetpack Protect via the WP Admin:

  1. Go to Plugins → Add New.
  2. Search for Jetpack Protect. The latest version will show in the search results.
  3. Click Install Now.
  Image showing the Jetpack Protect logo and the plugin’s Install Now button.
  4. Click Activate.
  5. After activating, you will be prompted to select one of two plans:
    • Free: This plan includes checking items against the WPScan database and daily automated scans for threats and vulnerabilities.
    • Jetpack Protect: This plan is a Jetpack Scan plan. With this plan, you will get the same features as the Free plan, plus several premium features.
  6. Once you’ve selected a plan and completed the purchase process (if necessary), Jetpack Protect will begin its first scan.
  7. Once the scan is complete, your results will show in the WP Admin by going to Jetpack → Protect.

Scanning Your Site

Once you’ve installed the plugin, your first malware scan will begin automatically. Subsequent scans run about every 24 hours; it is not possible to set a time for the automated daily scans.

If you have a paid Jetpack plan that includes Jetpack Scan, you will have the ability to start a scan on demand through the plugin. You can do this by going to your WP Admin and then Jetpack → Protect. From there, click Scan now.

Viewing and Fixing Security Threats

You can visit the Jetpack Protect dashboard in your WordPress admin panel to see the security threats and malware found by the integrated malware scanner. When the malware scanner finds a security threat, you can view the recommended actions on the Jetpack Protect dashboard to secure your sites.

You can view security threats and malware found by Jetpack Protect by going to your WP Admin and then Jetpack → Protect. From there, you can see a list of threats found, and how to fix them. 

Still need help?

Please contact support directly. We’re happy to lend a hand and answer any other questions that you may have.

Privacy Information

This feature is deactivated by default. It can be activated at any time by installing the Jetpack Protect plugin.

Data Used
  • Site Owners/Users and Visitors: This feature evaluates the incoming HTTP requests and blocks them if they’re considered malicious.
Activity Tracked
  • Site Owners/Users and Visitors: If the Share data with Jetpack checkbox is selected we track which rules caused a request to be blocked. We don’t track actual request data with this option.
Data Synced
  • Users: Used in the authentication process for some of our APIs.
  • Themes: Used to get the themes list that we should check against the WPScan API in the free version.
  • Plugins: Used to get the plugins list that we should check against the WPScan API in the free version.
  • WordPress version: Used to know which version we should check against the WPScan API in the free version.

Use MainWP Extensions for Jetpack Protect and Scan

Scan and fix multiple WordPress websites from a centralized dashboard, combining the power of Jetpack and MainWP.

This article is only for customers using MainWP alongside Jetpack. If you’re not using MainWP, please see our general documentation about Jetpack Scan.

Screenshot of the MainWP dashboard (a third-party plugin). It is connected to Jetpack Protect, and there are several websites listed with details about number of plugins, themes, last check date, and the Jetpack connection.

The Jetpack Protect Extension for MainWP

To use the Jetpack Protect Extension for MainWP, you must have the Jetpack Protect plugin installed on your websites which use MainWP.

  1. From your MainWP Dashboard, navigate to Extensions, and enable “Jetpack Protect”.
  2. Click Jetpack Protect under Extensions; it will show you a list of websites with the Jetpack Protect plugin installed.
  3. Click on a Vulnerability icon; it will take you to the vulnerability details and guidance on how to fix them.

Note that Jetpack Protect automatically scans your sites once per day. This means that after resolving vulnerability issues, it can take up to 24 hours before the extension reflects changes.

The Jetpack Scan Extension for MainWP

To use the Jetpack Scan Extension for MainWP, you must have the Jetpack plugin installed on your websites on MainWP.

  1. From your MainWP Dashboard, navigate to Extensions, and enable “Jetpack Scan”.
  2. Click Jetpack Scan under Extensions, navigate to Add App and follow the on-screen instructions.
  3. Once done, navigate to Overview to see a list of all Jetpack Scan-connected sites.
  4. The Threats screen shows the Vulnerabilities, related details, and how to fix them.

Manage your WordPress websites with MainWP, and ensure their security by leveraging the power of Jetpack Protect and Jetpack Scan.

Useful Links


Activating Jetpack Protect & Jetpack Scan via License Key

Jetpack Protect is a free security plugin for WordPress that scans your site and warns you about vulnerabilities, keeping your site one step ahead of security threats and malware. Jetpack Scan allows you to review security scan results in one centralized location, fix problems, and restore backups. If Jetpack does notice a problem, you’ll receive an instant email alert. You can repair the majority of security threats with just one click and get back to running your business.

Installing Jetpack Protect via License Key

You do not need a license to install Jetpack Protect – instead you can follow our instructions on how to install Jetpack Protect on your site.

Installing Jetpack Scan via License Key

There are a few ways to obtain your license key for Jetpack Scan:

  • Through Jetpack.com → Products → Scan → Select a Plan. Selecting Scan from the products page will bring you to the Scan page, where you can scroll down to select your desired plan.
  • Through Jetpack.com → Pricing → Scan → Click Get. Selecting Scan from the pricing page will bring you straight through the checkout process.

With either option, proceed through the checkout process until you get to a screen that looks like this:

Note: You will also receive an email with your purchase that holds your license key. Please check your spam or junk folders as these emails sometimes end up there.

License Setup

While on the Thank you page, you’ll have the option to select a site that you’d like to apply your license to OR you can select I don’t see my site. Let me configure it manually.

If you are able to select your site from the dropdown list the license will be applied to your site automatically. If you do not see your site and you’d like to configure the license manually, choose that option.

The next step is to ensure you have the latest version of Jetpack installed. If you do not have Jetpack installed follow the instructions on your screen. Once added to your site OR if you already have Jetpack installed to its latest version click Continue.

From here, you’ll have more instructions on how to activate your license. Go to WP Admin → Jetpack → My Plan → Activate a Product. Alternatively, you can also go to WP Admin → Jetpack → My Jetpack → Activate a License. Both of these directions will take you to the same activation page.

On the next page you’ll have a few options depending on if you’ve purchased additional licenses.

Your license may appear in the dropdown box. Confirm you are using the correct license for your site and select it. You can choose to add your license manually by selecting I want to add my license key manually. Whichever option you choose, make sure to click Activate once you are finished. 

Your license key has been activated. You can now choose to view your plans through Jetpack or get started with Jetpack Scan through your Jetpack menu.

Where to Find Your License Key

Your license key will always be available on your purchases page within your account.

  • Go to WordPress.com
  • Click on your account icon in the top right of your dashboard.
  • Click Purchases
  • Click Jetpack Search

Still need help?

Please contact support directly. We’re happy to advise.


Jetpack Firewall in the Jetpack Protect Plugin

Jetpack Firewall examines incoming traffic to your site and decides to allow or block it based on various rules. This adds an important layer of protection to your site, particularly when attackers actively exploit unpatched vulnerabilities. 

The Firewall Premium features, which allow or block incoming traffic based on various rules, require a connection to a WordPress.com account and a plan that includes the Scan feature, such as Jetpack Security, Jetpack Complete, or Jetpack Scan.

Activate Jetpack Firewall

1. Install and activate the Jetpack Protect plugin. 

2. Once activated, you can select either a paid or a free plan.

The free plan allows only manual rules, which let you block or allow specific IP addresses from accessing your site; it also includes Brute Force Protection. The paid plan adds automatic firewall rules that identify and block harmful requests.

3. After choosing a plan, you will be redirected to the Jetpack Protect page and see the first scan started:

Upon choosing the plan, Jetpack Protect will initiate the initial scan for your website.

4. To access Jetpack Firewall settings, you can click the Firewall tab inside the Protect settings page, or navigate to Jetpack → Protect.

The free plan allows for the use of Jetpack’s Brute Force Attack Prevention and manual rules. The Automatic rules option requires a paid plan.

With the free plan, the automatic rules option is not accessible and only manual rules can be applied.

Upgrading to a paid plan will enable the automatic rules:

With the paid plan, automatic rules are applied.

To add manual rules, use the toggle to turn on the feature. When enabled, an “Edit manual rules” button will be displayed on the right side. Click the button and a new modal will be displayed where manual rules can be edited. You can add IP addresses to your block / allow list by entering complete IP addresses, separated by commas. Adding IP ranges or IP addresses in CIDR notation is not currently supported. Once you’ve entered IP addresses into your block / allow list, click on Save Settings to save your block / allow list.

Edit manual rules by adding specific IP addresses to the allow or block list.

Privacy Information

This feature is deactivated by default. You can activate the feature by visiting the Jetpack Protect dashboard and clicking the toggle in the firewall tab.

Data Used
  • Site Owners / Users: This feature evaluates the incoming HTTP requests and blocks them if they’re considered malicious. User data is used to authenticate some of our APIs. Installed themes and plugins and WordPress version are used to know which versions we should check against the WPScan API in the free version of the WAF.
  • Site Visitors: None.
Activity Tracked
  • Site Owners / Users: If the Share data with Jetpack checkbox is selected we track which rules caused a request to be blocked. We don’t track actual request data with this option. Jetpack Firewall also tracks when settings in the Firewall settings are turned on or off.
  • Site Visitors: None.
Data Synced
  • Site Owners / Users: Information about users/admins, installed themes and plugins, and WordPress version.
  • Site Visitors: None.

For general features and FAQs, please see our Jetpack Security features.


Jetpack Protect

Jetpack Protect is a free security plugin for WordPress that scans your site and warns you about vulnerabilities, keeping your site one step ahead of security threats and malware.

What do I need to run Jetpack Protect on my site?

  • A web host that meets the WordPress host requirements.
  • The latest version of WordPress. If your version of WordPress is out of date, you’ll see a prompt to automatically upgrade with a single click, or can upgrade manually.
  • A WordPress.com account. Don’t have one yet? Sign up for one here, or create one during the Jetpack connection flow. You only need one WordPress.com account to access all our services (including Akismet, Crowdsignal, Gravatar, and WordPress.com itself). If you use any of these services, you already have a WordPress.com account to connect to Jetpack. You can reset your WordPress.com password if you need to.
  • A publicly accessible WordPress site: no password protection or Coming Soon / Maintenance Mode plugin in use.
  • A publicly accessible XML-RPC file.

Installing Jetpack Protect

Installing Jetpack Protect can be done from your site’s WP Admin. To install Jetpack Protect via the WP Admin:

  1. Go to Plugins → Add New.
  2. Search for Jetpack Protect. The latest version will show in the search results. Click Install Now.
  3. Click Activate.
  4. After activating, you will be prompted to run Jetpack Protect.
  5. After a few minutes, your results will show on the Jetpack Protect page.

Starting Your First Scan

Once you’ve installed the plugin, your first malware scan will begin automatically.

You can visit the Jetpack Protect dashboard in your WordPress admin panel to see the security threats and malware found by the integrated malware scanner.

When the malware scanner finds a security threat, you can view the recommended actions on the Jetpack Protect dashboard to secure your sites.

Note: It is not possible to set a time for the automated daily scans. They will run roughly every 24 hours.

FAQ

Is Jetpack Protect the same thing as the Protect feature in the Jetpack plugin?

The new Jetpack Protect plugin is different from the Jetpack feature formerly known as Protect (now renamed Brute Force Attack Protection). 

The features of the new Jetpack Protect plugin are not included in the Jetpack plugin, and both plugins can be installed together without any issues.

Can I set the time of the daily security scan?

It is not possible to set a time for the automated daily scans run by the integrated malware scanner.

Will Jetpack Protect work on my local site?

Jetpack Protect requires a publicly accessible site to perform the vulnerability scan.

What are the differences between Jetpack Protect, Jetpack Scan, and WPScan plugins?

Jetpack Protect and Scan do not have any limit on the number of plugins and themes you can scan. WPScan has a daily cap based on your API usage.

For now, in Jetpack Protect, you can track your scan results only through the plugin’s dashboard. Jetpack Scan and WPScan have additional notifications such as email.

Jetpack Protect runs daily automated scans. Jetpack Scan and WPScan provide on-demand scan options on top of automatic scans. 

Jetpack Scan has one-click fixers for most vulnerabilities. Protect does not have any fixers at this time, but it provides “how-to-fix” guides so that you can fix vulnerabilities manually. 

Jetpack Protect and WPScan are standalone plugins that don’t need additional plugins to run, while Jetpack Scan needs the Jetpack plugin to work.

Jetpack Protect is a free plugin, and WPScan has free and paid options. On the other hand, Jetpack Scan is a paid plugin that you can purchase with a 14-day money-back guarantee. As with other paid Jetpack plugins, Scan users also have access to our priority support.

How will I know if Jetpack Protect has found WordPress security vulnerabilities and malware?

You can visit the Jetpack Protect dashboard in your WordPress admin panel to see the security threats and malware found by the integrated malware scanner.

What do I do if Jetpack Protect finds a security threat?

When the malware scanner finds a security threat, you can view the recommended actions on the Jetpack Protect dashboard to secure your sites.

Can I set the time of the daily security scan?

It is not possible to set a time for the automated daily scans run by the integrated malware scanner.

Why do I need a WordPress security and malware scan?

A hacked WordPress site can cause serious damage to your business revenue and reputation. Jetpack Protect scans your site and lets you know about possible malware and security threats in your installed plugins, themes, and core files.

Where can I learn more about WordPress security and malware threats?

To learn how to achieve better WordPress security, see this guide. On the Jetpack Blog, you can find many more articles written by the top WordPress security experts.

Still need help?

Please contact support directly. We’re happy to advise.

Privacy Information

This feature is deactivated by default. It can be activated at any time by installing the plugin and activating it. For general features and FAQs, please see our Jetpack Security features.

Data Used
  • Site Owners / Users: We use the data synced for authentication of some APIs, and to check themes, plugins, and WordPress version against the WPScan API in the free version of the plugin.
  • Site Visitors: None.
Activity Tracked
  • Site Owners / Users: We track pageviews and clicks on pricing pages, clicks on upgrade prompts, and interactions with the application (example: what kinds of threats are clicked on).
  • Site Visitors: None.
Data Synced
  • Site Owners / Users: We sync data related to installed plugins and themes, and WordPress version.
  • Site Visitors: None.

Jetpack WAF (Web Application Firewall)

Looking for more information about using the WAF with the Jetpack Protect plugin? See our article about the Jetpack Protect Plugin.

Jetpack’s WAF (Web Application Firewall) examines incoming traffic to a WordPress site and decides to allow or block it based on various rules. This adds an important layer of protection to your site, particularly when attackers actively exploit unpatched vulnerabilities.

With the WAF, you can configure IP addresses that will never be blocked (even if a rule would normally) or always be blocked (regardless of the rules). To allow or block incoming traffic based on various rules, you will need a plan that includes Jetpack Scan, such as Jetpack Security, Jetpack Complete, or Jetpack Scan, and a connection to your WordPress.com account.

If you previously had a Jetpack plan that includes Jetpack Scan and/or your site becomes disconnected from your WordPress.com account, you will continue to have access to the firewall settings in your Jetpack dashboard. This is to ensure that your IP allow/block lists and previous firewall rules remain functional.

Turning on the firewall

This feature is deactivated by default when you connect Jetpack to your WordPress.com account. It can be activated at any time on your Jetpack Settings page. To enable Jetpack WAF:

  1. Select Jetpack → Settings → Security → Firewall in your site’s WP Admin
  2. Enable Protect your site with Jetpack’s Web Application Firewall

How do I update the firewall options?

To add IP addresses to a block/allow list:

  1. Select Jetpack → Settings → Security → Firewall in your site’s WP Admin
  2. Enable Allow / Block list – Block or allow a specific request IP

You can add IP addresses to your block / allow list by entering complete IP addresses, separated by commas. Adding IP ranges or IP addresses in CIDR notation is not supported at the moment.

Once you’ve entered IP addresses to your block / allow list, click on Save Settings to save your block / allow list.

These are the firewall options:

  • Allow / Block list – Block or allow a specific request IP: This option allows you to add an IP blocklist and IP allowlist to your site.
  • Share data with Jetpack: This option allows Jetpack to collect data to improve the firewall protection and rules. You can check Jetpack Privacy before you set this option.
  • Enhance Protection: You don’t need to activate Enhance Protection; however, if you want the firewall to inspect all requests and run before WordPress initializes, this option does that. To activate it, contact your hosting support, as the change must be made at the server level.

Upgrade notification

If you don’t have a Scan subscription yet, a notification will show on your firewall options. After upgrading, the notification disappears.

Troubleshooting

What happens if I don’t renew my subscription?

Any rules delivered to the site will remain functional after the subscription lapses or is removed.

Can I use the IP allow and block lists behind a reverse proxy (like Cloudflare)?

The IP allowlists/blocklists currently have no way to configure trusted proxies and trusted headers and thus won’t work behind any sort of reverse proxy or load balancer setup.
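The two constraints described on this page, that list entries must be complete IP addresses (no CIDR blocks or ranges) and that the lists do not work behind a reverse proxy, come from the same place: the match is made on the address the connection arrives from. The following is an added Python example, written for this page rather than taken from the Jetpack plugin (whose code is PHP). It parses a list the way the settings screen constrains it and then shows why a block-list entry for a client behind a proxy never matches. The parsing, the check order (allow list consulted before block list) and the sample addresses are this example's own assumptions; the page does not state a precedence.

```python
import ipaddress


def parse_ip_list(raw):
    """Parse a comma-separated allow/block list as typed into the firewall settings.

    Returns (accepted, rejected): accepted holds ipaddress objects for complete
    IPv4/IPv6 addresses; rejected holds (entry, reason) pairs for CIDR blocks,
    ranges and malformed entries, which the settings screen does not accept.
    """
    accepted, rejected = [], []
    for entry in raw.split(","):
        entry = entry.strip()
        if not entry:
            continue  # tolerate a trailing comma or doubled separator
        if "/" in entry:
            rejected.append((entry, "CIDR notation is not supported"))
        elif "-" in entry:
            rejected.append((entry, "IP ranges are not supported"))
        else:
            try:
                accepted.append(ipaddress.ip_address(entry))
            except ValueError:
                rejected.append((entry, "not a complete IP address"))
    return accepted, rejected


def list_decision(remote_addr, allow_list, block_list):
    """Apply the lists to a request using only the connection's source address.

    This models the documented limitation: there is no trusted-proxy setting,
    so forwarded-for headers are never consulted. Checking the allow list
    first is an assumption of this example, not documented precedence.
    """
    addr = ipaddress.ip_address(remote_addr)
    if addr in allow_list:
        return "allow"
    if addr in block_list:
        return "block"
    return "rules"  # fall through to the normal firewall rules


# Constructed addresses from the documentation ranges (TEST-NET-2/3), not real hosts.
BLOCKED_CLIENT = "198.51.100.7"
REVERSE_PROXY = "203.0.113.10"

# The same client as the origin sees it with and without a reverse proxy in front.
DIRECT_REQUEST = {"remote_addr": BLOCKED_CLIENT, "headers": {}}
PROXIED_REQUEST = {
    "remote_addr": REVERSE_PROXY,  # the TCP peer is the proxy
    "headers": {"X-Forwarded-For": BLOCKED_CLIENT},  # real client only in a header
}


def decisions_for_blocked_client():
    """Show why a block-list entry for a client behind a proxy never matches."""
    block_list, _ = parse_ip_list(BLOCKED_CLIENT)
    return {
        "direct": list_decision(DIRECT_REQUEST["remote_addr"], [], block_list),
        "proxied": list_decision(PROXIED_REQUEST["remote_addr"], [], block_list),
    }


if __name__ == "__main__":
    accepted, rejected = parse_ip_list(
        "198.51.100.7, 2001:db8::1, 10.0.0.0/8, 192.0.2.1-192.0.2.9, 1.2.3,"
    )
    print("accepted:", [str(a) for a in accepted])
    print("rejected:", rejected)
    print("decisions:", decisions_for_blocked_client())
```

Run as a script, it lists which entries of a sample list would be accepted, then reports that the blocked client is blocked when it connects directly but falls through to the ordinary rules when the same client arrives via the proxy, because the list is compared against the proxy's address. Blocking the proxy's own address instead would cut off every visitor behind it.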

My site went down after I activated the Firewall feature.

If you need to deactivate the firewall without access to the Jetpack settings screen, you can:

  • Modify your wp-config.php: add the line define( 'DISABLE_JETPACK_WAF', true ); to your wp-config.php file
  • Use WP-CLI: if you have WP-CLI installed, use the command wp jetpack-waf teardown
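When the firewall has locked you out of the admin screen and you are editing wp-config.php by hand, the two things that go wrong are adding the define twice and adding it after WordPress has already loaded. The following is an added Python example, not Jetpack's code, that makes the documented edit safely on the file's text: it replaces an existing DISABLE_JETPACK_WAF define (with either value) rather than duplicating it, otherwise inserts the line before the require of wp-settings.php, and refuses to guess if that line is missing. The placement before wp-settings.php is this example's own choice (constants must be defined before WordPress bootstraps plugins); the sample wp-config.php is constructed.

```python
import re

# The line documented for disabling the WAF from wp-config.php.
DISABLE_LINE = "define( 'DISABLE_JETPACK_WAF', true );"

# An existing define for the constant, with either value (e.g. a leftover
# "false" from earlier troubleshooting); replaced rather than duplicated.
EXISTING_DEFINE = re.compile(
    r"""^[ \t]*define\(\s*['"]DISABLE_JETPACK_WAF['"]\s*,\s*(true|false)\s*\)\s*;.*$""",
    re.MULTILINE,
)

# wp-settings.php bootstraps WordPress and loads plugins; a constant defined
# after this line is invisible to them, so the define is placed before it.
SETTINGS_REQUIRE = re.compile(
    r"^[ \t]*require_once\s+ABSPATH\s*\.\s*'wp-settings\.php'\s*;", re.MULTILINE
)


def disable_waf_in_config(config_text):
    """Return wp-config.php text with DISABLE_JETPACK_WAF set to true.

    Idempotent: running it on its own output changes nothing. Raises if the
    wp-settings.php require line cannot be found rather than guessing.
    """
    if EXISTING_DEFINE.search(config_text):
        return EXISTING_DEFINE.sub(DISABLE_LINE, config_text, count=1)
    match = SETTINGS_REQUIRE.search(config_text)
    if match is None:
        raise ValueError("wp-settings.php require not found; edit the file by hand")
    return config_text[: match.start()] + DISABLE_LINE + "\n" + config_text[match.start():]


def waf_disabled(config_text):
    """True when the config defines DISABLE_JETPACK_WAF as true."""
    match = EXISTING_DEFINE.search(config_text)
    return bool(match and match.group(1) == "true")


# Constructed minimal wp-config.php for the example; not a real site's file.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'WP_DEBUG', false );

/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    print(disable_waf_in_config(SAMPLE_WP_CONFIG))
```

In practice you would read the real file's contents into disable_waf_in_config and write the result back (after taking a copy). Remove the line again once the firewall settings are reachable and corrected, or the WAF stays off silently.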

Still need help?

Please contact support directly. We’re happy to advise.

Privacy Information

This feature is deactivated by default. It can be activated at any time at Jetpack → Settings → Security → Firewall and by clicking on Protect your site with Jetpack’s Web Application Firewall.

Data Used
  • Site Owners / Users: This feature evaluates the incoming HTTP requests and blocks them if they’re considered malicious. User data is used to authenticate some of our APIs. Installed themes and plugins and WordPress version are used to know which versions we should check against the WPScan API in the free version of the WAF.
  • Site Visitors: None.
Activity Tracked
  • Site Owners / Users: If the Share data with Jetpack checkbox is selected we track which rules caused a request to be blocked. We don’t track actual request data with this option. Jetpack Firewall also tracks when settings in the Firewall settings are turned on or off.
  • Site Visitors: None.
Data Synced
  • Site Owners / Users: Information about users/admins, installed themes and plugins, and WordPress version.
  • Site Visitors: None.

For general features and FAQs, please see our Jetpack Security features.


Jetpack Akismet Anti-spam

Jetpack Anti-spam, powered by Akismet, automatically filters spam comments and contact form submissions on your site. Using Jetpack Akismet Anti-spam requires a Jetpack Security, Jetpack Complete, or Jetpack Akismet Anti-spam plan, or a legacy plan that includes anti-spam.

Getting Started with Jetpack Akismet Anti-spam

Once you’ve purchased your Jetpack Akismet Anti-spam plan and connected your site to Jetpack, your site should be all set to start blocking comment and contact form spam. You can confirm that Jetpack Akismet Anti-spam is active on your site by going to Jetpack → Dashboard in WP Admin and scrolling to the Security section of the page.

There will be a section titled Anti-spam. In that section, you should see a message that lets you know that Jetpack Akismet Anti-spam is monitoring comments on your site. From here, you can also click Moderate comments to go to Comments in WP Admin.

If you don’t see the message about Jetpack Akismet Anti-spam monitoring comments, you’ll see a notice asking you to Upgrade or Activate Akismet. If you haven’t purchased a Jetpack Akismet Anti-spam plan, Upgrade will take you through the process of purchasing the plan.

Clicking Activate Akismet will take you to a page where you can activate Akismet with your API key or by connecting to Jetpack. If you have already activated Akismet, you will see various configuration settings.

Configuring Jetpack Akismet Anti-spam

By navigating to Jetpack → Anti-spam in WP Admin, you can configure a number of different settings.

  • API Key: This API key should be pre-filled when you purchase your Jetpack Akismet Anti-spam plan.
  • Comments: Checking this box will allow the number of approved comments to appear next to each comment author when viewing Comments in WP Admin.
  • Strictness: This setting allows you to decide how you want to manage your spam. You can allow Jetpack Akismet Anti-spam to automatically discard spam or put in the spam folder for you to review.
  • Privacy: This setting allows you to display a privacy notice under your comment forms.

Frequently Asked Questions

Does Jetpack Akismet Anti-spam work with form submissions?

If you use Jetpack’s contact form (either the Form block, or the classic editor version), then all of your contact form submissions are automatically checked for spam by Akismet. You can also manually mark comments as spam/not spam via the Feedback section of WP Admin.

For more information on using Jetpack Akismet Anti-spam with other form plugins, please see this support article from Akismet about how to use Akismet with your contact forms.

How do I confirm if Jetpack Akismet Anti-spam is working?

Please see this support article from Akismet about how to confirm Akismet is working.

How does Jetpack Akismet Anti-spam block spam submissions on comments and forms?

Jetpack Akismet Anti-spam is powered by Akismet, which uses state-of-the-art algorithms and methods to block spam submissions. To date, Akismet has blocked more than 500 billion pieces of spam, averaging about 7.5 million per hour.

Do I need to use a captcha with Jetpack Akismet Anti-spam?

No. With Jetpack Akismet Anti-spam enabled, spam submissions are filtered automatically, which makes it easier for legitimate visitors on your site to engage with your comments section or to submit a form.

Do I need to manually review comments and form submissions when using Jetpack Akismet Anti-spam?

No. Anything that Jetpack Akismet Anti-spam thinks is spam is automatically moved to your site’s spam section. On the off chance that some spam does get through, you can mark it as spam which will make Anti-spam recognize submissions like that as spam in the future.

How many API calls do I get per month with Jetpack Akismet Anti-spam?

Anti-spam comes with 10k API calls per month, which should be more than enough for a small business. If you need more API calls, you can upgrade to one of Akismet’s higher tier plans.

Does Jetpack Akismet Anti-spam report the amount of blocked spam?

Yes. On the Jetpack Dashboard (WP Admin → Jetpack → Dashboard) there is a stats card that shows the number of spam comments and submissions blocked on your site by Anti-spam.

Still need help?

Please contact support directly. We’re happy to advise.


How to Clean Your Hacked WordPress Site

It can be scary and stressful when your website is hacked, but it needn’t be a disaster.

If you use Jetpack Scan to monitor your site, it will notify you of any potential threats. In many cases, these can be resolved with the click of a button. However, sometimes a website can get hacked more severely, meaning a “one-click” fix is not possible.

Jetpack Scan is not intended to be a service to clean up already hacked or malware-infected sites. While we can possibly fix some already hacked files after a plan is bought, we do rely on the site not being infected at the time of purchase and having a clean version to compare any changed files to.

This article will help guide you through the process of identifying and cleaning up a hacked site, as well as strengthening the site’s security to help prevent future hacks.

How to tell if your site has been hacked

The first step is confirming that your site has really been hacked, and isn’t just experiencing a more easily resolved error. The following issues are a good indication that your site has been hacked:

  • Your site is redirecting to another website with malicious or spammy content
  • Your site contains links to spam sites, which you did not add, and you can’t remove them
  • A Google search turns up pages on your site that you don’t recognize
  • Google shows warnings for your site, such as “This site may be hacked,” “Deceptive site ahead,” “The site ahead contains malware,” etc.
  • You scan your site with a tool such as Jetpack Scan, and it detects security threats which can’t be resolved automatically
  • You can check if Google currently lists your site as unsafe with their Safe Browsing Site Status tool

Cleaning a hacked site

If you’re sure your site has been hacked, you can follow these steps to resolve the issue:

1. Contact your hosting provider

Your host should be the first port of call, as they may be aware of a wider issue, especially if you are on shared hosting. In most cases, your host may be able to deal with the issue for you, saving you a lot of work.

2. Restore from a backup

If you have a backup of your site from before it was hacked, either from your host or with a dedicated backup service like Jetpack Backup, then restoring to that point may do the trick.

However, if the hack lies within files that aren’t included in the backup, then the issue may remain even after restoring the site.

It’s also worth noting that you could lose content added after the point you’re restoring to, so this may not be an ideal option and should be a last resort.

3. Cleaning hacked files

If your host is unable to assist, and restoring the site is not an option, then it’s time to do some detective work to find the source of the problem. Make sure you have a full backup of your site before starting this, as removing/editing your site’s files can make for even more work if something goes wrong.

First, check the results of any malware plugins or services you’re using. They may provide a list of suspicious files, which is a good starting point.

WordPress core files

If the affected file(s) are part of WordPress core, you can compare the code to a clean download from WordPress.org and remove any code that doesn’t belong there.

Another option is to completely reinstall WordPress to ensure all core files are clean. You can do that via Dashboard > Updates, by clicking ‘Re-install now.’ It sounds scary, but this will only replace the files at the very core of WordPress and will not remove or replace any of your content, media, themes, or plugins.

Themes

If the infection is a part of a theme, you can install a fresh copy if you’re using it or uninstall the theme completely if you’re not using it. If you’re unable to clear the threat through this method, you should contact your theme’s developer for guidance.

Plugins

If the problem lies within a plugin, you can install a fresh copy or, if you’re not using it, delete it, as with the theme process above. For advanced users, you can determine whether a plugin installed or downloaded from the WordPress.org Plugin Repository has a threat in it by following these instructions:

  1. Check which file is affected.
  2. Click “Edit this file” to see that plugin’s code.
  3. Copy the plugin’s URL slug (e.g. “code-snippets”).
  4. Search for that slug on WordPress.org.
  5. Go to Plugin > Development > Browse the code.
  6. Find “Tags”.
  7. Open the tag matching your installed plugin version (the version must match exactly, or legitimate differences between releases will look like tampering).
  8. Locate the corresponding file and download it.
  9. Open the file in a text editor.
  10. Use “Find” and paste the code from step 2 to search for it.
  11. If the code matches the plugin’s code from the WordPress.org Plugin Repository, you have a false positive and the plugin is working as intended. If not, we recommend consulting an expert who can clean the site safely.

If the plugin is not in the Repository, you can contact the plugin’s developer and have them check the code identified as malicious by Jetpack Scan.
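The core-file comparison and the plugin false-positive check above are the same operation: hash every file in the installed copy and in a clean reference copy of the same version, then list what differs. The script below is an example added here, not Jetpack or WordPress code. It assumes you have already downloaded the clean reference (the WordPress.org release, or the plugin tag matching your installed version) into a directory; the built-in demo uses a constructed fake plugin tree so it runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root: Path, skip_dirs=()) -> dict:
    """Map each regular file under root (as a POSIX relative path) to its SHA-256."""
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune directories the clean reference does not cover (for core: wp-content).
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            p = Path(dirpath) / name
            hashes[p.relative_to(root).as_posix()] = sha256_of(p)
    return hashes


def compare_trees(installed: Path, reference: Path, skip_dirs=("wp-content",)) -> dict:
    """Report files that differ from, were added to, or are missing from the clean copy.

    Read 'unexpected' first: attackers more often drop new files than edit existing
    ones. For a core comparison, wp-config.php and .htaccess show up there legitimately
    because the release package does not ship them.
    """
    inst = tree_hashes(installed, skip_dirs)
    ref = tree_hashes(reference, skip_dirs)
    return {
        "modified": sorted(p for p in inst if p in ref and inst[p] != ref[p]),
        "unexpected": sorted(p for p in inst if p not in ref),
        "missing": sorted(p for p in ref if p not in inst),
    }


def build_demo() -> dict:
    """Constructed sample: a tiny fake plugin in clean and tampered form (no real malware)."""
    base = Path(tempfile.mkdtemp())
    ref = base / "reference" / "code-snippets"
    inst = base / "installed" / "code-snippets"
    for root in (ref, inst):
        (root / "includes").mkdir(parents=True)
        (root / "code-snippets.php").write_text("<?php\n// Plugin Name: Code Snippets\n")
        (root / "includes" / "functions.php").write_text("<?php\nfunction cs_run() {}\n")
        (root / "readme.txt").write_text("=== Code Snippets ===\n")
    # Simulate an infection: a line appended to an existing file, an extra file
    # with an innocent-looking name, and a file deleted.
    with (inst / "includes" / "functions.php").open("a") as f:
        f.write("/* injected line standing in for attacker code */\n")
    (inst / "includes" / "wp-cache.php").write_text("<?php /* dropped file */\n")
    (inst / "readme.txt").unlink()
    return compare_trees(inst, ref, skip_dirs=())


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        result = compare_trees(Path(sys.argv[1]), Path(sys.argv[2]))
    else:
        result = build_demo()
    for kind, files in result.items():
        print(f"{kind} ({len(files)}):")
        for name in files:
            print("   ", name)
```

Saved as, say, compare_trees.py, it runs as `python3 compare_trees.py /path/to/site /path/to/clean-wordpress` for a core check, or with the installed and downloaded plugin directories for the plugin check. wp-content is skipped for the core check because it is yours, not WordPress.org’s; compare its plugin and theme directories individually against their own clean downloads.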

Not sure what the file is?

If you don’t understand the purpose of the affected files, you may need to consult an expert who can help you clean the site safely.

If you want to explore further and learn how to clean up various types of hacks, Google has an in-depth guide to cleaning hacked sites.

Tightening security after cleaning your hacked site

Once your site is free from malware, it’s important to follow these steps to secure your site, as failing to do so may leave your site open to another hack from the same point of vulnerability.

1. Make sure WordPress and all of your themes and plugins are kept updated

Outdated plugins, themes, and WordPress files are an extremely common source of vulnerability. Keeping them all updated to the latest version is one of the best ways to protect your site and keep it running efficiently. Also, be sure to fully uninstall any themes or plugins you are not using.

2. Reset all passwords

In case any of your passwords have been compromised, you should change your password for everything you can think of, including your:

  • Hosting account
  • Email accounts
  • Website’s admin accounts
  • FTP/SFTP/SSH credentials
  • Database passwords
  • The password to unlock any device you’ve edited your site with

Make sure you use a strong and unique password for each site, device, or program to avoid a domino effect if one is ever compromised.

3. Audit your site’s user accounts

Check your user list via Users > All Users inside your site’s dashboard and make sure there aren’t any administrator accounts that you don’t recognize. Remove any suspicious user accounts.

4. Update your WordPress secret keys

Your site’s wp-config.php file contains secret keys and “salts” (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their matching _SALT constants) that WordPress uses to sign login cookies and nonces. They are not encryption keys, but an attacker who has read the file, which also holds your database credentials, can use them to forge login cookies, so after a compromise you should generate new values and replace the old ones in that file. Doing so invalidates every existing login session, including any the attacker still holds. Your web host may have an automatic tool on their side to do this.
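One way to rotate the keys without relying on a host tool, as an example added here (not Jetpack or WordPress code): the script below generates eight fresh 64-character values and substitutes them into the define() lines of wp-config.php. The sample wp-config.php fragment is constructed, and the character set is an assumption meant to match what WordPress’s own generator emits (letters, digits and punctuation, never quotes or backslashes).

```python
import re
import secrets
import string
from pathlib import Path

# The eight constants WordPress reads from wp-config.php to sign cookies and nonces.
WP_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
           "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Assumed character set: letters, digits and punctuation, minus quotes and
# backslash so the value is safe inside a single-quoted PHP string.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~`+=,.;:/?|"

# Matches  define( 'AUTH_KEY', '...' );  with any spacing; the value never contains quotes.
DEFINE_RE = re.compile(
    r"""^(\s*define\(\s*['"](?P<name>[A-Z_]+)['"]\s*,\s*)['"][^'"]*['"](\s*\)\s*;.*)$""",
    re.MULTILINE,
)


def new_secret(length: int = 64) -> str:
    """Cryptographically random value from ALPHABET (secrets, not random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_salts(config_text: str):
    """Return (new text, dict of new values, list of keys not found in the file)."""
    new_values = {k: new_secret() for k in WP_KEYS}
    seen = set()

    def repl(m):
        name = m.group("name")
        if name not in new_values:
            return m.group(0)  # leave DB_NAME, WP_DEBUG and other defines untouched
        seen.add(name)
        return f"{m.group(1)}'{new_values[name]}'{m.group(3)}"

    rotated = DEFINE_RE.sub(repl, config_text)
    missing = [k for k in WP_KEYS if k not in seen]
    return rotated, new_values, missing


def rotate_file(path: str) -> list:
    """Rewrite wp-config.php in place, keeping a .bak copy; returns keys not found."""
    p = Path(path)
    original = p.read_text()
    rotated, _, missing = rotate_salts(original)
    p.with_name(p.name + ".bak").write_text(original)
    p.write_text(rotated)
    return missing


# Constructed sample wp-config.php fragment, not taken from any real site.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    text, values, missing = rotate_salts(SAMPLE_CONFIG)
    print(text)
    if missing:
        print("not found, add these defines yourself:", ", ".join(missing))
```

Keys the script cannot find are returned in `missing`, so an older wp-config.php that predates one of the constants does not silently keep a stale value; add those define() lines by hand. Expect to be logged out on every device afterwards, and delete the .bak copy once you have confirmed the site still logs you in.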

5. Scan your site regularly

The measures above will help keep your site safe, but nothing is 100% guaranteed, so you should use an automated scanning service such as Jetpack Scan to make sure you are alerted of any future security threats so you can deal with them quickly.

Removing your site from “unsafe” lists

If your site has been listed as unsafe by Google or McAfee, browsers and search results will likely keep showing warnings for it even after the hacked files have been cleaned or removed.

To get the warning lifted, request a review of your site from Google, or submit a dispute request to McAfee.


Protect your site with brute force protection

Protect yourself against unwanted login attempts with brute force protection. (Formerly known as Jetpack Protect.)

Activate

Screenshot of the Brute force protection setting, with it toggled ON.

To protect your website immediately, this feature is activated by default when you connect Jetpack to your WordPress.com account. You can deactivate and reactivate it either from WP Admin under Jetpack → Settings → Security or from your WordPress.com dashboard under Settings → Security.

If this feature has locked your site’s login page and you cannot access your WP Admin, you can temporarily deactivate the brute force protection via your WordPress.com dashboard under Settings > Security.

Settings

With brute force protection activated, you can allowlist IP addresses. Allowlisting may be necessary if you’ve made too many failed login attempts to your site or Jetpack has detected unusual behavior from your current IP address.

  1. Start by navigating to one of:
     • WP Admin: Jetpack → Settings → Security
     • WordPress.com dashboard: Settings → Security
  2. Enter the IP addresses you wish to add into the Always allowed IP addresses field.
  3. Separate multiple IP addresses with a comma.
  4. To specify a range, enter the low value and high value separated by a dash. Example: 12.12.12.1-12.12.12.100.

Your current IP address is also shown on the page, so you can easily add it to your allowlist.

Both IPv4 and IPv6 addresses are accepted.

Advanced Tip: You can also allowlist one IP address by setting it as the JETPACK_IP_ADDRESS_OK constant in your wp-config.php file like this: define('JETPACK_IP_ADDRESS_OK', 'X.X.X.X');
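To make precise what the allowlist syntax accepts, here is an example added by the editor (not Jetpack’s own matching code) that parses the documented format (commas between entries, a dash between the low and high address of a range, IPv4 or IPv6) and checks an address against it. How it treats IPv4-mapped IPv6 addresses is this example’s choice; the page does not say how Jetpack handles them.

```python
import ipaddress


def parse_allowlist(text: str) -> list:
    """Return a list of (low, high) address pairs; single addresses become (addr, addr)."""
    entries = []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            continue  # tolerate trailing commas and double commas
        if "-" in item:
            lo_s, hi_s = (part.strip() for part in item.split("-", 1))
            lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
            if lo.version != hi.version:
                raise ValueError(f"range mixes IPv4 and IPv6: {item!r}")
            if lo > hi:
                lo, hi = hi, lo  # tolerate reversed bounds
        else:
            lo = hi = ipaddress.ip_address(item)
        entries.append((lo, hi))
    return entries


def is_allowed(ip: str, entries: list) -> bool:
    """True if ip falls inside any entry.

    An IPv4-mapped IPv6 address (::ffff:a.b.c.d), which some dual-stack servers
    report for IPv4 clients, is also checked as its plain IPv4 form. That is this
    example's choice (assumption), not documented Jetpack behaviour.
    """
    addr = ipaddress.ip_address(ip)
    candidates = [addr]
    if addr.version == 6 and addr.ipv4_mapped is not None:
        candidates.append(addr.ipv4_mapped)
    return any(c.version == lo.version and lo <= c <= hi
               for c in candidates for (lo, hi) in entries)


def validate_allowlist(text: str) -> list:
    """Return a human-readable problem per bad entry instead of raising on the first."""
    problems = []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            continue
        try:
            parse_allowlist(item)
        except ValueError as e:
            problems.append(f"{item!r}: {e}")
    return problems


if __name__ == "__main__":
    # Constructed allowlist using the page's own example range plus documentation addresses.
    allowlist = "12.12.12.1-12.12.12.100, 203.0.113.7, 2001:db8::1-2001:db8::ff"
    entries = parse_allowlist(allowlist)
    for probe in ("12.12.12.50", "12.12.12.101", "2001:db8::80", "::ffff:12.12.12.50"):
        print(f"{probe:>22} allowed: {is_allowed(probe, entries)}")
    print(validate_allowlist("1.2.3.4, 300.1.1.1, 10.0.0.1-2001:db8::1"))
```

Run `validate_allowlist` over the text you are about to paste into the Always allowed IP addresses field: a typo in one entry is easier to spot this way than by locking yourself out and finding out which entry did not apply.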

Dashboards

View a count of the “total malicious attacks blocked on your site” under the Security section of your Jetpack dashboard: WP Admin: Jetpack → Dashboard → Security → Brute force protection

Screenshot of the Jetpack dashboard in the WP Admin area. The Security section lists VaultPress Backups, Activity, Scan, Akismet Anti-spam, Brute force protection, and Downtime monitoring.

How it works

How long a flagged IP address stays blocked depends on a number of factors and is not a set amount of time.

Getting locked out of your own website

If Jetpack has flagged your IP address for any reason, it may block you from logging in. If you do get locked out, you’ll see a message “Jetpack has locked your site’s login page. Your IP has been flagged for potential security violations.”

To resolve this:

  1. Enter your email address and hit Send.
  2. You will receive an email with a special link you can click to regain access to the login form.
  3. If you get an error when clicking the link in the email, you can allowlist your IP address to unblock yourself.
  4. If you are still blocked, it’s likely due to a configuration issue on your server. You can disable Brute Force Protection to regain access to your site, then contact us for help with further troubleshooting.

Math captcha on your login page

The math captcha is used as a fallback for the brute force protection feature. If your IP has been blocked due to too many failed login attempts, you may still access your site by correctly filling out the math captcha along with the correct login credentials. In very rare cases, you might see the captcha if you’ve not obtained an API key, or during times of very heavy attacks.

Error: server is misconfigured

Whenever someone tries to log in to your site, Jetpack’s brute force protection feature looks at that person’s IP address and compares it with our global database of malicious IP addresses.

For this to work properly, we rely on the client IP address your server passes to PHP (normally the REMOTE_ADDR server variable). In some cases your server does not supply any IP address at all, which stops brute force protection from working. When this happens, the feature will be disabled and we will let you know.

If that happens, do not hesitate to send a link to this page to your hosting provider, so they can take a look and fix the issue for you. They can also contact us directly via this contact form if they need more information.

Brute force protection on Multisite

In a WordPress Multisite installation, you can log into any account that exists on the network through any login page on the network. As a result, if you have Jetpack’s Brute force protection active on some sites but not all, then no site is truly being protected.

To address this, please network enable Jetpack on your multisite installation and activate the brute force protection feature on the network’s primary site. Once completed, Jetpack’s brute force protection feature will be activated on every site on your network, even if Jetpack isn’t connected on those sites.

Multiple blocked malicious login attempts

You may worry if you see a high number of blocked suspicious login attempts. But rest assured this means the feature is working as expected!

There are thousands of bots out there trying to gain access to sites all over the internet. No matter what size your site is, there’s always someone or something trying to break in. WordPress core itself is well secured; the weakest point is usually a weak or reused password, so bots try to guess passwords to get in.

Jetpack’s brute force protection feature collects information from failed attempts from millions of sites and protects you from these attacks. For example, if a bot tried to gain access to site A, and then went to site B, Jetpack’s brute force protection would already know who this bot is and before it even tries to get into site B, it would be blocked.

Along with that, it’s also really important to have strong secure passwords.

Information about the blocked attacks

You might want to know more about the attacks that were blocked, for example:

  • Which usernames need more securing?
  • Is this via wp-login, or via XMLRPC?
  • From which IP addresses do these arrive?
  • When did these occur? Is there a pattern?
  • If these were found, how many more are there that were not detected?

We don’t have access to this information. Jetpack’s brute force protection was built to be lean and simple. It’s built in such a way that you don’t have to think about these questions or make any decisions. As such, the only data we store is the total number of attacks blocked.
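Jetpack does not keep the per-attempt detail, but your own web server access log does record each attempt, and the questions in the list above can be answered from it. As an example added here (not Jetpack code), the script below tallies POST requests to wp-login.php and xmlrpc.php from a combined-format access log by source IP, endpoint and hour. The log lines are constructed using documentation IP ranges; the format assumed is the Apache/Nginx combined log.

```python
import re
from collections import Counter

# Apache/Nginx "combined" log line: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

LOGIN_ENDPOINTS = {"/wp-login.php": "wp-login", "/xmlrpc.php": "xmlrpc"}


def login_attempts(lines):
    """Count POSTs to the two WordPress login endpoints.

    Returns a dict of Counters: per_ip, per_endpoint, per_hour, likely_failed.
    wp-login.php re-renders the form with HTTP 200 on a bad password and answers
    302 on success, so a 200 is counted as a likely failure. xmlrpc.php returns
    200 either way, so its attempts cannot be classified from the status alone.
    """
    stats = {k: Counter() for k in ("per_ip", "per_endpoint", "per_hour", "likely_failed")}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("path").split("?", 1)[0]  # drop ?redirect_to=... and friends
        if path not in LOGIN_ENDPOINTS:
            continue
        endpoint = LOGIN_ENDPOINTS[path]
        stats["per_ip"][m.group("ip")] += 1
        stats["per_endpoint"][endpoint] += 1
        stats["per_hour"][m.group("time")[:14]] += 1  # "10/Oct/2023:13" = day + hour bucket
        if endpoint == "wp-login" and m.group("status") == "200":
            stats["likely_failed"][m.group("ip")] += 1
    return stats


# Constructed sample lines (documentation IP ranges), not from a real server.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:14:02:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3900 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:14:02:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Oct/2023:14:10:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 560 "-" "python-requests/2.31"
192.0.2.77 - - [10/Oct/2023:14:10:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 560 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:14:10:20 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    s = login_attempts(lines)
    print("by endpoint:", dict(s["per_endpoint"]))
    print("by hour:    ", dict(s["per_hour"]))
    print("top sources:", s["per_ip"].most_common(5))
    print("likely failed wp-login POSTs:", s["likely_failed"].most_common(5))
```

Point it at your real access log (`python3 login_attempts.py /var/log/apache2/access.log`, path assumed) to see which IPs and which endpoint the attempts use. If almost everything arrives via xmlrpc.php and nothing you run needs XML-RPC, that is the endpoint to consider restricting at the web server; the allowlist and the Jetpack block counter will not tell you this on their own.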

Still need help?

Please contact support directly. We’re happy to advise.

Privacy Information

This feature is activated by default. It can be deactivated at any time by toggling the Brute force protection setting under Jetpack → Settings → Security on your WP Admin dashboard.

For general features and FAQs, please see our Jetpack Security features.

More information about the data usage on your site
Data Used
Site Owners / Users

In order to check login activity and potentially block fraudulent attempts, the following information is used: attempting user’s IP address, attempting user’s email address/username (i.e. according to the value they were attempting to use during the login process), and all IP-related HTTP headers attached to the attempting user.

Additionally, for activity tracking (detailed below): IP address, WordPress.com user ID, WordPress.com username, WordPress.com-connected site ID and URL, Jetpack version, user agent, visiting URL, referring URL, timestamp of event, browser language, country code.

Site Visitors

In order to check login activity and potentially block fraudulent attempts, the following information is used: attempting user’s IP address, attempting user’s email address/username (i.e. according to the value they were attempting to use during the login process), and all IP-related HTTP headers attached to the attempting user.

Activity Tracked
Site Owners / Users

Failed login attempts.

We track when, and by which user, the feature is activated and deactivated. We also set a cookie (jpp_math_pass) for 1 day to remember if/when a user has successfully completed a math captcha to prove that they’re a real human. Learn more about this cookie.

Site Visitors

Failed login attempts.

We set a cookie (jpp_math_pass) for 1 day to remember if/when a user has successfully completed a math captcha to prove that they’re a real human. Learn more about this cookie.

Data Synced (Read More)
Site Owners / Users

Options that identify whether or not the feature is activated and how its available settings are configured. We also sync the site’s allowlisted entries (as configured by the site owners), the Protect-specific API key used for login checking, and any failed login attempts, which contain the user’s IP address, attempted username or email address, and user agent information.

Site Visitors

Failed login attempts, which contain the user’s IP address, attempted username or email address, and user agent information.


Jetpack Scan

You can review security scan results in one centralized location, fix problems, and restore backups. If Jetpack does notice a problem, you’ll receive an instant email alert. You can repair the majority of security threats with just one click and get back to running your business.

Take a look at all the security features Jetpack offers.

Important: Jetpack Scan is not intended as a service for cleaning up already hacked or malware-infected sites. While we can fix some hacked files after purchase, we rely on the site not being infected at the time of purchase so that there is a clean version to compare any changed files against. If your site is already infected, we suggest following this guide to cleaning a hacked site.

How do I get Jetpack Scan?

Jetpack Scan is available to users who have purchased the Jetpack Scan, Jetpack Security, or Jetpack Complete plans. It is also the scan solution for any new Jetpack Security or Jetpack Complete purchase.

Note: Once the site is connected to Jetpack Scan, your site will remain on the Jetpack Scan solution, even if you change or add a Jetpack plan or move your site to a new host.

Getting Started

Jetpack Scan is activated as soon as your purchase is complete, and your first scan is kicked off immediately.

Note: In order for Jetpack Scan to scan a website, it needs to be able to create files in the /jetpack-temp/ directory (which is located in the root of the site alongside /wp-content/ and /wp-includes/). It writes a temporary helper file to this directory during the scan and removes it after the scan is complete.

If your site is hosted on a server that prevents files from being changed, you will need to work with your host to ensure that Jetpack is able to write files to the /jetpack-temp/ directory.

Adding Server Credentials

Jetpack can scan your site without any server credentials, but server credentials are required to use one-click fixes. The server credentials can also help make the scans faster and more reliable.

Read more on how to add remote access/server credentials.

Navigating the dashboard

Clicking on Scan under the Jetpack options in WP Admin will take you to the Jetpack.com dashboard.

Make sure to authorize your WordPress.com account if you see an authorization prompt.

After opening the Scan page, you will see two interfaces: Scanner and History.

The scanner page provides an at-a-glance reference of the site’s current state. It will either show that the site is looking great or list the currently active threats.

Clicking the Scan now button will start a new scan.

On the history page, you’ll see a list of all threats the site suffered from in the past. They can be filtered by their fix/ignore status, and ignored threats can be fixed.

Peace of Mind

Once a scan completes, you will receive a notification if any threats are found. These notifications will be in WP Admin, via email, and on your WordPress.com dashboard.

What data is scanned?

  • All files in the plugins, mu-plugins, themes, and uploads directories.
  • Select files from your WordPress root directory, like wp-config.php.
  • Other select files inside the wp-content directory.

How often do scans occur?

Scans occur daily or when manually triggered.

How do I fix threats?

When a threat is detected, and you’re notified, we offer a one-click fix for most problems.

You will find the “Auto-fix all” button to handle all the threats at once.

Clicking on the threat will provide more information about the problem and what can be fixed. You will also see the buttons to “Ignore threat” or “Fix threat”.

Ignoring or fixing a threat adds it to the record of past threats that you can view in the History tab.

However, sometimes a website can get hacked more severely, meaning a one-click fix is impossible. In that case, we suggest following this guide to cleaning a hacked site. It will help guide you through identifying and cleaning up a hacked site and strengthening the site’s security to help prevent future hacks.

Examples of threats

Changes to Core WordPress Files

We check your WordPress installation to see if any core files have been changed or deleted. These files should never be edited, so keep that in mind when working on your site: WordPress functionality can and should be altered through plugins and themes instead.

If you didn’t make the changes to your core files, you should consider the files suspicious and consider replacing them. You can always contact us if you’re unsure of the changes you see.

Other Vulnerabilities

Web shells give an attacker remote command execution on your server with the privileges of the web server user, which is enough to run arbitrary code, read and delete files, modify your database using the credentials in wp-config.php, and much more.

Shells are usually either dropped as new files or appended to existing ones, often under innocuous-looking names. Remove them by deleting the infected files and replacing them with clean versions from your backup or a fresh download, then work out how the shell got there: deleting it alone does not close the entry point.

Outdated or insecure plugins

Plugins that have known security vulnerabilities will be detected by Jetpack Scan. If a newer version has patched the threat, you can update the plugin with one click. We allow you to delete the plugin from your site if there is no newer version with a fix.

You’re always welcome to contact us if you have any questions about security threats or suspicious codes.

Multisite

Currently, Jetpack Scan does not support multisite.

Still need help?

Please contact support directly. We’re happy to advise.

Privacy Information

This feature is deactivated by default and requires an upgrade to a paid solution (Jetpack Scan, Jetpack Security, or Jetpack Complete) to unlock/activate.

Data Used
Site Owners / Users

We currently scan the following data: files in your plugins, themes, and uploads directories, and select files from your WordPress root directory and `wp-content` directory. This includes all WordPress’s unique and irreplaceable data and everything properly integrated into the WordPress installation.

In addition to the data we scan, we also use (and store) your server access credentials (if provided): SSH and/or FTP/SFTP. These credentials are explicitly provided by you when activating Jetpack Scan.

For feature usage tracking (detailed below): IP address, WordPress.com user ID, WordPress.com username, WordPress.com-connected site ID, user agent, referring URL, timestamp of event, browser language, country code, and user site count.

We may also use scanned content to improve our performance but do not otherwise store it long-term.

Site Visitors

None.

Activity Tracked
Site Owners / Users

We track several events around the usage of this feature: requests to view threats, fix threats, run a scan, and click on the header of a threat (in the scan scanner and in the scan history).

Site Visitors

None.

Data Synced (Read More)
Site Owners / Users

None.

Site Visitors

None.