Security

Posted on November 4, 2016 by Michelle

Jetpack includes state-of-the-art security tools that keep your site safe and sound, from posts to plugins.

Are you blocked from accessing your dashboard?

Use one of the three methods described here to unblock yourself.

Here are some resources to help get you started:

Getting Started with the Jetpack Protect Plugin - The Jetpack Protect plugin is a free security plugin for WordPress that scans your site and warns you about vulnerabilities, keeping your site one step ahead of security threats and malware. What do I need to run Jetpack Protect on my site? Installing Jetpack Protect Installing Jetpack Protect can be done from your site’s WP […]
Use MainWP Extensions for Jetpack Protect and Scan - Scan and fix multiple WordPress websites from a centralized dashboard, combining the power of Jetpack and MainWP. This article is only for customers using MainWP alongside Jetpack. If you’re not using MainWP, please see our general documentation about Jetpack Scan. The Jetpack Protect Extension for MainWP To use the Jetpack Protect Extension for MainWP, you […]
Jetpack Firewall in the Jetpack Protect Plugin - Jetpack Firewall examines incoming traffic to your site and decides to allow or block it based on various rules. This adds an important layer of protection to your site, particularly when attackers actively exploit unpatched vulnerabilities. The Firewall Premium features require a connection to a WordPress.com account and a plan that has a Scan feature, […]
Jetpack Protect - Jetpack Protect is a free security plugin for WordPress that scans your site and warns you about vulnerabilities, keeping your site one step ahead of security threats and malware. What do I need to run Jetpack Protect on my site? Installing Jetpack Protect Installing Jetpack Protect can be done from your site’s WP Admin. To […]
Jetpack WAF (Web Application Firewall) - Looking for more information about using the WAF with the Jetpack Protect plugin? See our article about the Jetpack Protect Plugin. Jetpack’s WAF (Web Application Firewall) examines incoming traffic to a WordPress site and decides to allow or block it based on various rules. This adds an important layer of protection to your site, particularly […]
Jetpack Akismet Anti-spam - Jetpack Anti-spam, powered by Akismet, automatically filters spam comments and contact form submissions on your site. Using Jetpack Akismet Anti-spam requires a Jetpack Security, Jetpack Complete, or Jetpack Akismet Anti-spam plan, or a legacy plan that includes anti-spam. Getting Started with Jetpack Akismet Anti-spam Once you’ve purchased your Jetpack Akismet Anti-spam plan and connected your […]
How to Clean Your Hacked WordPress Site - It can be scary and stressful when your website is hacked, but it needn’t be a disaster. If you use Jetpack Scan to monitor your site, it will notify you of any potential threats. In many cases, these can be resolved with the click of a button. However, sometimes a website can get hacked more […]
Protect your site with brute force protection - Jetpack Protect allows you to protect yourself against traditional brute force attacks and distributed brute force attacks that use many servers against your site
Jetpack Scan - Jetpack Scan offers automated malware scanning and one-click threat resolution.
Troubleshoot Jetpack Brute Force Attack Protection - Are you unable to enable the Protect feature on your site? Check these tips to find out why.

Our paid subscriptions offer even more ways to protect and monitor your site — learn more here.

Privacy Information

Comments Off

Security Features

Posted on January 28, 2015 by Kellie Hodgins

Jetpack includes state-of-the-art security tools that keep your site safe and sound, from posts to plugins.

Backups

It’s strongly recommended you back up your site using a tool such as Jetpack Backup. Backups provide a recovery mechanism should a malicious file corrupt your site or become otherwise compromised.

Security Scans

Jetpack Scan will monitor your site for security threats and bad actors, offering a one-click fix for many security issues.

Plugin Updates

Jetpack’s automatic plugin updates make it easy to keep your plugins up to date. By setting your plugins to auto-update, you help ensure any issues that may arise due to plugins with malicious code will not harm your site.

Keeping your plugins and themes updated is one of the most effective ways to keep your self-hosted WordPress sites secure. By using Jetpack’s site management tools, you can keep your plugins up to date from one easy control panel in WordPress.com. Learn more about automatic plugin updates.

Site Monitoring

Jetpack’s downtime monitoring feature will keep tabs on your site and alert you the moment downtime is detected. Monitoring uptime of your site can be an important tool in the security of your site. Learn more about downtime monitoring.

Jetpack’s full range of security features include:

WordPress.com Secure Sign On - Using the same log-in credentials you use for WordPress.com, you’ll now be able to register for and sign in to self-hosted WordPress.org sites quickly and securely.
Security Features - Jetpack’s security features allow you to secure your self-hosted WordPress sites from a single dashboard on WordPress.com.
Security - Jetpack includes state-of-the-art security tools that keep your site safe and sound, from posts to plugins. Protection from brute force attacks24/7 downtime monitoringSecure Sign-OnAutomatic plugin updatesAnd more Are you blocked from accessing your dashboard? Use one of the three methods described here to unblock yourself. Here are some resources to help get you started: Our […]
Troubleshoot Jetpack Brute Force Attack Protection - Are you unable to enable the Protect feature on your site? Check these tips to find out why.
Jetpack Scan - Jetpack Scan offers automated malware scanning and one-click threat resolution.
Protect your site with brute force protection - Jetpack Protect allows you to protect yourself against traditional brute force attacks and distributed brute force attacks that use many servers against your site
How to Clean Your Hacked WordPress Site - It can be scary and stressful when your website is hacked, but it needn’t be a disaster. If you use Jetpack Scan to monitor your site, it will notify you of any potential threats. In many cases, these can be resolved with the click of a button. However, sometimes a website can get hacked more […]
Jetpack Akismet Anti-spam - Jetpack Anti-spam, powered by Akismet, automatically filters spam comments and contact form submissions on your site. Using Jetpack Akismet Anti-spam requires a Jetpack Security, Jetpack Complete, or Jetpack Akismet Anti-spam plan, or a legacy plan that includes anti-spam. Getting Started with Jetpack Akismet Anti-spam Once you’ve purchased your Jetpack Akismet Anti-spam plan and connected your […]
Jetpack WAF (Web Application Firewall) - Looking for more information about using the WAF with the Jetpack Protect plugin? See our article about the Jetpack Protect Plugin. Jetpack’s WAF (Web Application Firewall) examines incoming traffic to a WordPress site and decides to allow or block it based on various rules. This adds an important layer of protection to your site, particularly […]
Jetpack Protect - Jetpack Protect is a free security plugin for WordPress that scans your site and warns you about vulnerabilities, keeping your site one step ahead of security threats and malware. What do I need to run Jetpack Protect on my site? Installing Jetpack Protect Installing Jetpack Protect can be done from your site’s WP Admin. To […]
Jetpack Firewall in the Jetpack Protect Plugin - Jetpack Firewall examines incoming traffic to your site and decides to allow or block it based on various rules. This adds an important layer of protection to your site, particularly when attackers actively exploit unpatched vulnerabilities. The Firewall Premium features require a connection to a WordPress.com account and a plan that has a Scan feature, […]
Use MainWP Extensions for Jetpack Protect and Scan - Scan and fix multiple WordPress websites from a centralized dashboard, combining the power of Jetpack and MainWP. This article is only for customers using MainWP alongside Jetpack. If you’re not using MainWP, please see our general documentation about Jetpack Scan. The Jetpack Protect Extension for MainWP To use the Jetpack Protect Extension for MainWP, you […]
Getting Started with the Jetpack Protect Plugin - The Jetpack Protect plugin is a free security plugin for WordPress that scans your site and warns you about vulnerabilities, keeping your site one step ahead of security threats and malware. What do I need to run Jetpack Protect on my site? Installing Jetpack Protect Installing Jetpack Protect can be done from your site’s WP […]

Are you blocked from accessing your dashboard?

Use one of the three methods described here to unblock yourself.

Troubleshooting

Still need help?

Please contact support directly. We’re happy to advise.

Comments Off

WordPress.com Secure Sign On

Posted on November 26, 2013 by paulinahetman

Using the same log-in credentials you use for WordPress.com, you’ll now be able to register for and sign in to self-hosted WordPress.org sites quickly and securely.

Benefits

Millions of users: By adding WordPress.com Secure Sign On, you’ll become part of a large family that makes it easy for WordPress.com users to explore new sites thanks to the Reader.
Compatible with your existing sign-in system: WordPress.com Secure Sign On is used as a complementary sign-in option to your existing registration system. Once a user connects, they’ll have a user account on your site.
Respects your Registration Settings: WordPress.com Secure Sign On follow the directives in Settings → General, with respect to whether or not you enable new user registrations. If you don’t, existing users can still use it to log in.
Trusted relationship: Allow users to sign in with the same credentials they use every day on WordPress.com. This takes the pain out of having to remember and manage a new log-in for another service.

Enabling this Feature

To enable this feature, you can do so at any time by toggling the Allow users to log in to this site using WordPress.com accounts setting in the WordPress.com log-in section from Jetpack → Settings → Security in your dashboard.

Once you’ve activated this feature in Jetpack, you’re done! All the back-end authentication requests use your site’s already-established link to WordPress.com.

Matching Accounts by Email

If there isn’t already a local account linked to the WordPress.com account, Secure Sign On can automatically link the verified WordPress.com account to a pre-existing local account with a matching email address and log the user in.

By default, this feature is disabled, and users are required to log in to their pre-existing local accounts to manually link the accounts. When a user logs in with their WordPress.com account, if there is no pre-existing local account that has been connected to WordPress.com, the login will not go through. Here’s the error the user will see:

If you’d like to enable this functionality for automatic matching and linking with email addresses of pre-existing local accounts on the site, you can toggle the Match accounts using email addresses option to turn it on.

Requiring Two-Step Authentication

If you’d like to improve the security of Secure Sign On, you can choose to force Two-Step Authentication when users log in via WordPress.com. To do so, toggle the Require accounts to use WordPress.com Two-Step Authentication to turn it on.

Note: This setting only requires that logging in via WordPress.com requires Two-Step Authentication. If you turn it on without disabling the default login form, then a user could still log in via the default form. If you would like to enforce Two-Step Authentication for your site, you could combine turning this on with the jetpack_remove_login_form filter described below to force users to log in with WordPress.com and use an account with Two-Step Authentication.

Additional Custom Settings

Secure Sign On is designed to work out of the box with little to no configuration. But, for users that would like to further customize Secure Sign On, these filters may come in handy. To use these filters, you can add any of the following snippets of code to your theme’s functions.php file, or to a functionality plugin.

As a note, you can mix and match these filters to get the desired functionality that you need.

New User Override

The WordPress.com Secure Sign On feature will respect your default settings with regard to New User Registration. If you have registration disabled, then Secure Sign On will not create a new user account if someone is trying to log in with an unrecognized email. If you have registration turned on, though, it will automatically create a new user for them, and log them in. If you would like to allow users to register for your site with a WordPress.com account, even though you disallow normal registrations you can use the following line of code:

add_filter( 'jetpack_sso_new_user_override', '__return_true' );

Bypass Default Login Form

If you’d like all registered users to log in via WordPress.com instead of the account they created on your site, you can use the following line of code. It will forward all users to the WordPress.com SSO page, thus bypassing your local log in screen:

add_filter( 'jetpack_sso_bypass_login_forward_wpcom', '__return_true' );

Disable Default Login Form

If you’d like to completely disable and hide the default login form, and force users to log in via WordPress.com, you can use the following line of code:

add_filter( 'jetpack_remove_login_form', '__return_true' );

Please be aware that these snippets are provided as a courtesy and our support team is unable to offer assistance customizing them further.

Privacy Information

WordPress.com Secure Sign On is deactivated by default. You activate/deactivate it form your WP Admin. To do so:

Go to Jetpack → Settings.
Click the Security tab.
Toggle the Allow users to log in to this site using WordPress.com accounts setting in the WordPress.com login section.

More information about the data usage on your site

Data Used
Site Owners / Users This feature requires the usage of the following pieces of data relating to users logging in via this method: user ID (local and WordPress.com), role (e.g. administrator), email address, username and display name. The following pieces of data relating to the site are also used: WordPress.com-connected site ID, Jetpack active/inactive status, Jetpack version, locale/language, title, URL, and icon. Additionally, for activity tracking (detailed below): IP address, WordPress.com user ID, WordPress.com username, WordPress.com-connected site ID and URL, Jetpack version, user agent, visiting URL, referring URL, timestamp of event, browser language, country code.	Site Visitors None.
Activity Tracked
Site Owners / Users We track when, and by which user, the feature is activated and deactivated. Additionally, the following usage events are recorded: starting the login process, completing the login process, failing the login process, successfully being redirected after login, and failing to be redirected after login. Several functionality cookies are also set, and these are detailed explicitly in our Cookie documentation.	Site Visitors None.
Data Synced (Read More)
Site Owners / Users We sync options that identify whether or not the feature is activated and how its available settings are configured. We also sync the user ID and role of any user who successfully signed in via this feature.	Site Visitors None.

Data Used

Site Owners / Users

This feature requires the usage of the following pieces of data relating to users logging in via this method: user ID (local and WordPress.com), role (e.g. administrator), email address, username and display name. The following pieces of data relating to the site are also used: WordPress.com-connected site ID, Jetpack active/inactive status, Jetpack version, locale/language, title, URL, and icon.

Additionally, for activity tracking (detailed below): IP address, WordPress.com user ID, WordPress.com username, WordPress.com-connected site ID and URL, Jetpack version, user agent, visiting URL, referring URL, timestamp of event, browser language, country code.

Site Visitors

None.

Activity Tracked

Site Owners / Users

We track when, and by which user, the feature is activated and deactivated.

Additionally, the following usage events are recorded: starting the login process, completing the login process, failing the login process, successfully being redirected after login, and failing to be redirected after login.

Several functionality cookies are also set, and these are detailed explicitly in our Cookie documentation.

Site Visitors

None.

Data Synced (Read More)

Site Owners / Users

We sync options that identify whether or not the feature is activated and how its available settings are configured. We also sync the user ID and role of any user who successfully signed in via this feature.

Site Visitors

None.

Comments Off