Scan and fix multiple WordPress websites from a centralized dashboard, combining the power of Jetpack and MainWP.

This article is only for customers using MainWP alongside Jetpack. If you’re not using MainWP, please see our general documentation about Jetpack Scan.

Manage your WordPress websites with MainWP, and ensure their security by leveraging the power of Jetpack Protect and Jetpack Scan.

Useful Links

• Jetpack Protect Extension for MainWP 
• Jetpack Scan Extension for MainWP 
• MainWP and Jetpack Partnership Announcement

Jetpack Firewall examines incoming traffic to your site and decides to allow or block it based on various rules. This adds an important layer of protection to your site, particularly when attackers actively exploit unpatched vulnerabilities. 

The Firewall Premium features require a connection to a WordPress.com account and a plan that has a Scan feature, like Jetpack Security, Jetpack Complete, or Jetpack Scan, to allow or block incoming traffic based on various rules.

Activate Jetpack Firewall

1. Install and activate the Jetpack Protect plugin. 

2. Once activated, you can select either a paid or a free plan.

The free plan allows manual rules only to be used, providing the ability to block or allow specific IP addresses from accessing your site. It also includes Brute Force Protection. The paid plan offers automatic firewall rules that identify and block harmful requests. 

3. After choosing a plan, you will be redirected to the Jetpack Protect page and see the first scan started:

4. To access Jetpack Firewall settings, you can click the Firewall tab inside the Protect settings page, or navigate to Jetpack → Protect.

The free plan allows for the use of Jetpack’s Brute Force Attack Prevention and manual rules. The Automatic rules option requires a paid plan.

Upgrading to a paid plan will enable the automatic rules:

To add manual rules, use the toggle to turn on the feature. When enabled, an “Edit manual rules” button will be displayed on the right side. Click the button and a new modal will be displayed where manual rules can be edited. You can add IP addresses to your block / allow list by entering complete IP addresses, separated by commas. Adding IP ranges or IP addresses in CIDR notation is not currently supported. Once you’ve entered IP addresses into your block / allow list, click on Save Settings to save your block / allow list.

Privacy Information

The Jetpack firewall is deactivated by default. You can activate the feature by visiting the Jetpack Protect dashboard and clicking the toggle in the firewall tab.

For general features and FAQs, please see our Jetpack Security features.

Stay ahead of security threats and malware, keeping your site safe with Jetpack Protect. Scan your site and get warned about vulnerabilities.

Protect your reputation and revenue by avoiding a hacked website.

Requirements for Jetpack Protect

• A web host that meets the WordPress host requirements.
• The latest version of WordPress. If your version of WordPress is out of date, you’ll see a prompt to automatically upgrade with a single click, or can upgrade manually.
• A WordPress.com account. Don’t have one yet? Sign up for one here, or create one during the Jetpack connection flow. You only need one WordPress.com account to access all our services (including Akismet, Crowdsignal, Gravatar, and WordPress.com itself). If you use any of these services, you already have a WordPress.com account to connect to Jetpack. You can reset your WordPress.com password if you need to.
• A publicly accessible WordPress site: no password protection or Coming Soon / Maintenance Mode plugin in use. Jetpack Protect will not work on a local environment.
• A publicly accessible XML-RPC file.

Install Jetpack Protect

To install Jetpack Protect via the WP Admin:

1. Start at your WP Admin dashboard.
2. Go to Plugins → Add New.
3. Search for Jetpack Protect. The latest version will show in the search results. The Jetpack Protect plugin has additional features and can be installed alongside the Jetpack plugin without any issues. Click Install Now.

3. Click Activate.
4. Choose a the Paid Plan for one-click threat fixes, automatic protection rules for the web application firewall, and other premium features. Or start for free.
5. Your first scan will start.
6. After a few minutes, your results will show on the Jetpack Protect page.

Check Protect results

Once you’ve activated the plugin and chosen your plan, your first malware scan will begin automatically.

The paid Scan plan sends you notifications any time there is a potential security warning. With the Free version, you will need to proactively check your Protect dashboard.

1. Visit Jetpack → Protect in your WordPress admin panel to see the security threats and malware found by the integrated malware scanner.
2. When the malware scanner finds a security threat, view the recommended actions on the Jetpack Protect dashboard to secure your sites.
3. If you have upgraded to a paid Jetpack Scan plan, use the auto-fixer to resolve any threats. If you are on the Free plan, follow the recommendations given.

Note: Scans run roughly every 24 hours. It is not possible to set a time for the automated daily scans.

For even more tips on how to maintain good WordPress site security, read about How to Secure Your Site from Hackers.

Disable math captcha

To to turn off the math captcha option while still using Jetpack, add a filter to your site’s functions.php file or a custom functionality plugin. Here’s how you can disable the math fallback captcha:

add_filter( 'jpp_use_captcha_when_blocked', '__return_false' );

By adding this code, you’ll turn off the math captcha, but Jetpack Protect’s primary security functions will continue to work as normal.

Please be aware that code snippets are provided as a courtesy and our support team is unable to offer assistance customizing them further.

Jetpack Protect, Jetpack Scan, and WPScan: Understand the difference

Jetpack offers a variety of tools designed to enhance the security of your WordPress site by detecting and reporting on vulnerabilities. Each tool serves a unique function in protecting your digital presence.

Jetpack Protect

Jetpack Protect is a free plugin that checks your site daily for vulnerable plugins and themes. If vulnerable software is found, it will alert you via your WordPress Dashboard. Additionally, Jetpack Protect provides a basic web application firewall (WAF). 

You can run Jetpack Protect on its own or alongside the Jetpack plugin.

Jetpack Scan

Jetpack Scan is a paid upgrade that can be added to the Jetpack Protect plugin or to the Jetpack plugin. In addition to the features provided by Jetpack Protect, it provides real-time malware scanning and an enhanced web application firewall (WAF) while also enabling auto-fixes (where available) for security threats.

Jetpack Scan makes it easy to monitor your site’s security by providing automated email notifications of security threats.

WPScan

Jetpack Protect and Scan are powered by the same data that is available in Automattic’s enterprise-level WPScan.

Privacy Information

Jetpack Protect is deactivated by default. It can be activated at any time by installing the plugin and activating it. For general features and FAQs, please see our Jetpack Security features.

Looking for more information about using the WAF with the Jetpack Protect plugin? See our article about the Jetpack Protect Plugin.

Jetpack’s WAF (Web Application Firewall) examines incoming traffic to a WordPress site and decides to allow or block it based on various rules. This adds an important layer of protection to your site, particularly when attackers actively exploit unpatched vulnerabilities.

With the WAF, you can configure IP addresses that will never be blocked (even if a rule would normally) or always be blocked (regardless of the rules). To allow or block incoming traffic based on various rules, you will need a plan that includes Jetpack Scan, such as Jetpack Security, Jetpack Complete, or Jetpack Scan, and a connection to your WordPress.com account.

If you previously had a Jetpack plan that includes Jetpack Scan and/or your site becomes disconnected from your WordPress.com account, you will continue to have access to the firewall settings in your Jetpack dashboard. This is to ensure that your IP allow/block lists and previous firewall rules remain functional.

Turning on the firewall

This feature is deactivated by default when you connect Jetpack to your WordPress.com account. It can be activated at any time on your Jetpack Settings page. To enable Jetpack WAF:

1. Select Jetpack → Settings → Security → Firewall in your site’s WP Admin
2. Enable Protect your site with Jetpack’s Web Application Firewall

How do I update the firewall options?

To add IP addresses to a block/allow list:

1. Select Jetpack → Settings → Security → Firewall in your site’s WP Admin
2. Enable Allow / Block list – Block or allow a specific request IP

You can add IP addresses to your block / allow list by entering complete IP addresses, separated by commas. Adding IP ranges or IP addresses in CIDR notation is not supported at the moment.

Once you’ve entered IP addresses to your block / allow list, click on Save Settings to save your block / allow list.

These are the firewall options:

• Allow / Block list – Block or allow a specific request IP: This option allows you to add an IP blocklist and IP allowlist to your site.
• Share data with Jetpack: This option allows Jetpack to collect data to improve the firewall protection and rules. You can check Jetpack Privacy before you set this option.
• Enhance Protection:
• You don’t need to activate Enhance Protection; however, if you want the firewall feature to be able to inspect all requests and run them before WordPress initializes, this is how:

In case you want to activate the Enhance protection, you need to contact your hosting support to make the changes on the server level.

Upgrade notification

If you don’t have a Scan subscription yet, a notification will show on your firewall options. After upgrading, the notification disappears.

Troubleshooting

What happens if I don’t renew my subscription?

Any rules delivered to the site will remain functional after the subscription lapses or is removed.

Can I use the IP allow and block lists behind a reverse proxy (like Cloudflare)?

The IP allowlists/blocklists currently have no way to configure trusted proxies and trusted headers and thus won’t work behind any sort of reverse proxy or load balancer setup.

My site went down after I activated the Firewall feature.

If you need to deactivate the firewall without access to the Jetpack settings screen, you can:

• Modify your wp-config.php: add the line define( 'DISABLE_JETPACK_WAF', true ); to your wp-config.php file
• Use WP-CLI: if you have WP-CLI installed, use the command wp jetpack-waf teardown

Privacy Information

This feature is deactivated by default. It can be activated at any time at Jetpack → Settings → Security → Firewall and by clicking on Protect your site with Jetpack’s Web Application Firewall.

For general features and FAQs, please see our Jetpack Security features.

Keep your website free of spam, improving the experience for everyone. (Except the spammers!)

Akismet uses state of the art algorithms and methods to block spam submissions. To date, Akismet has blocked more than 500 billion pieces of spam, averaging about 7.5 million per hour.

Activate Jetpack Akismet Anti-spam

Akismet is included in the following Jetpack plans:

• Jetpack Complete
• Jetpack Security
• Jetpack Akismet
• Legacy plans: Jetpack Personal, Jetpack Premium, Jetpack Professional

To start protecting your site from spam, please follow these steps;

1. Purchase a plan that includes Akismet.
2. Connect your site to Jetpack.
3. Confirm that Akismet is active on your site by going to Jetpack → Dashboard in WP Admin and scrolling to the Security section of the page.
4. Click on Moderate Comments to view comments in WP Admin.
5. If you don’t see the message about Jetpack Akismet Anti-spam monitoring comments, Upgrade or Activate Akismet.
6. Confirm Akismet is working.

Configure Jetpack Akismet Anti-spam

To adjust Akismet settings, follow these steps:

1. Navigate to Jetpack → Anti-spam in WP Admin.
2. API Key: The API key should be pre-filled when you purchase your Jetpack Akismet Anti-spam plan. If your API ever changes, you could adjust it here.
3. Comments: Check this box to allow the number of approved comments to appear next to each comment author when viewing Comments in WP Admin.
4. Strictness: Choose how you want to manage your spam. You can ask Jetpack Akismet Anti-spam to automatically discard spam or put in the spam folder for you to review.
5. Privacy: To help comply with privacy laws like the GDPR, choose to display a privacy notice under your comment forms.

Set up Jetpack Akismet Anti-spam for contact forms

If you use Jetpack’s contact form (either the Form block, or the classic editor version), all of your contact form submissions are automatically checked for spam by Akismet. You can also manually mark comments as spam/not spam via the Feedback section of WP Admin.

For more information on using Jetpack Akismet Anti-spam with other form plugins, please see this support article from Akismet about how to use Akismet with your contact forms.

Turn off captchas

Jetpack Akismet Anti-spam filters comment and contact form submissions automatically, so you can remove any captchas that you are using.

Check usage

To see how Akismet is working, follow these steps:

1. Start at WP Admin.
2. Navigate to Jetpack → Anti-spam.
3. Review the stats cards showing the number of spammy comments and submissions blocked on your site by Akismet.

Anti-spam comes with 10,000 checks for spam per month (API calls), which should be more than enough for a small business. If you need more API calls, you can upgrade to one of Akismet’s Enterprise Plans.

Teach Akismet

Anything that Jetpack Akismet Anti-spam thinks is spam is automatically moved to your site’s spam section. On the off chance that some spam does get through, please mark it as spam which will help Jetpack Akismet recognize similar submissions as spam in the future.

Resolve a hack without losing your website.

If you use Jetpack Scan to monitor your site, it will notify you of any potential threats. In many cases, these can be resolved with the click of a button. However, a one-click fix may not be possible when:

• A website gets hacked too severely
• Jetpack Scan is installed after the hack occurs

Jetpack Scan is not intended to be a service to clean up already hacked or malware-infected sites. We rely on the site being uninfected at the time of purchase and having a clean version to compare any changed files to.

This article will help guide you through the process of identifying and cleaning up a hacked site, as well as strengthening the site’s security to help prevent future hacks. Assistance with manual restores and site cleaning is outside the scope of support we can offer.

Detect if your site has been hacked

The following signs are a good indication that your site has been hacked:

• Your site is redirecting to another website with malicious or spammy content
• Your site contains links to spam sites, which you did not add, and you can’t remove them
• You find pages on your site that you don’t recognize via a Google search
• Google shows warnings for your site, such as “This site may be hacked,” “Deceptive site ahead,” “The site ahead contains malware,” etc.
• You scan your site with a tool such as Jetpack Scan, and it detects security threats which can’t be resolved automatically
• You can check if Google currently lists your site as unsafe with their Safe Browsing Site Status tool

Clean a hacked site

If you’re sure your site has been hacked, follow these steps to resolve the issue:

1. Contact your hosting provider

Your host should be the first port of call, as they may be aware of a wider issue, especially if you are on shared hosting. In most cases, your host may be able to deal with the issue for you, saving you a lot of work.

2. Restore from a backup

If you have a backup of your site from before it was hacked, either from your host or with a dedicated backup service like Jetpack Backup, then restoring to that point may do the trick.

However, if the hack lies within files that aren’t included in the backup, then the issue may remain even after restoring.

You could lose content added after the point you’re restoring to, so this may not be an ideal option.

3. Clean hacked files

If your host is unable to assist, and restoring the site is not an option, then it’s time to do some detective work to find the source of the problem. Make sure you have a full backup of your site before starting this, as removing/editing your site’s files can result in even more work if something goes wrong.

First, check the results of any malware plugins or services you’re using. They may provide a list of suspicious files, which is a good starting point.

Cleaning hacked WordPress core files

If the affected file(s) are part of WordPress core, you can compare the code to a clean download from WordPress.org and remove any code that doesn’t belong there.

Another option is to completely reinstall WordPress to ensure all core files are clean. You can do that via Dashboard > Updates, by clicking ‘Re-install now.’ It sounds scary, but this will only replace the files at the very core of WordPress and will not remove or replace any of your content, media, themes, or plugins.

Cleaning hacked Themes

If the infection is a part of a theme, you can install a fresh copy if you’re using it or uninstall the theme completely if you’re not using it. If you’re unable to clear the threat through this method, you should contact your theme’s developer for guidance.

Cleaning hacked Plugins

If the problem lies within a plugin, you can also install a fresh copy or delete it if you’re not using it as with the theme process above. Or advanced users can follow these steps:

1. If you’re an advanced user and have the appropriate technical knowledge, check which plugin file is affected by the threat.
2. Click “Edit this file” to see that plugin’s code
3. Copy the URL slug of plugin (e.g. “code-snippets”)
4. Search for that plugin’s slug on WordPress.org
5. Go to Plugin > Development > Browse the code
6. Find “Tags”
7. Open tag matching your installed plugin version
8. Locate the correct file and download it
9. Open the file in a text editor
10. Use “Find” and copy/paste the entire code from step 2 and search
11. If the code matches the plugin’s code from the WordPress.org Plugin Repository, you have a false positive and the plugin is working as intended! If not, we recommend consulting with an expert who can clean the site safely.

If the plugin is not in the Repository, you can contact the plugin’s developer and have them check the code identified as malicious by Jetpack Scan.

Feeling Unsure About Cleaning Hacked Files?

Understanding and modifying your site’s files can be daunting, especially if you’re unsure about the affected files’ purpose. In such cases, you may consider consulting an expert who can help you clean the site safely.

This is particularly relevant if your site suffered a security breach before installing Jetpack Scan and now requires an intervention.

If you need a recommendation, we trust our partners at Codeable to provide you with the reliable and quality services of their highly vetted security experts. They offer free initial consultations to help you identify the full extent of security cleanup work required. After you post the project, Codeable’s experts will respond with clarifying questions so they can provide an accurate no-obligation estimate for your specific requirements.

Tighten security after cleaning your hacked site

Once your site is free from malware, it’s important to follow these steps to secure your site, as failing to do so may leave your site open to another hack from the same point of vulnerability.

1. Make sure WordPress and all of your themes and plugins are kept updated

Outdated plugins, themes, and WordPress files are an extremely common source of vulnerability. Keeping them all updated to the latest version is one of the best ways to protect your site and keep it running efficiently. Also, be sure to fully uninstall any themes or plugins you are not using.

2. Reset all passwords

In case any of your passwords have been compromised, you should change your password for everything you can think of, including your:

• Hosting account
• Email accounts
• Website’s admin accounts
• FTP/SFTP/SSH credentials
• Database passwords
• The password to unlock any device you’ve edited your site with

Make sure you use a strong and unique password for each site, device, or program to avoid a domino effect if one is ever compromised.

3. Enable Two-Step Authentication (2FA)

For enhanced security, we strongly advise enabling two-step authentication (2FA) for all sign-ins to your WP Admin area. Jetpack offers an easy-to-implement 2FA solution through WordPress.com Secure Sign On. For detailed instructions on activating this feature, visit Requiring Two-Step Authentication.

4. Audit your site’s user accounts

Check your user list via Users > All Users inside your site’s dashboard and make sure there aren’t any administrator accounts that you don’t recognize. Remove any suspicious user accounts.

5. Update your WordPress secret keys

Your site’s wp-config.php file contains secret keys/”salts” which are used for encryption. You should generate new secret keys and replace the old ones in that file. Your webhost may have an automatic tool on their side to do this.

6. Scan your site regularly

The measures above will help keep your site safe, but nothing is 100% guaranteed, so you should use an automated scanning service such as Jetpack Scan to make sure you are alerted of any future security threats so you can deal with them quickly.

Remove your site from “unsafe” lists

If your site is listed as unsafe by Google or McAfee, then you will likely still see warnings on your site even after the hacked files have been cleaned or even removed.

To get that warning lifted, request a review of your site from Google, or submit a dispute request from McAfee.