How to add Jetpack IPs to an Allowlist

Posted on December 7, 2021 by Jen Swisher

Allowing IP addresses in WordPress enables you to control who can (or cannot) access your website.

This article covers how to allowlist IPs for Jetpack, Jetpack VaultPress Backup, and the older VaultPress, and shows our hosting requirements.

An allowlist lists IP addresses or domains that are provided privileged access or treatment. It is the opposite of a blocklist intended to block or restrict access. Some hosting could use other words to identify the allowed IPs list on their systems. If you have questions, the recommendation is to contact your host support for more information.

Allow all Communications Between Jetpack and WordPress.com

Some hosts and plugins believe that blocking access to xmlrpc.php will stop various hacking attempts. However, XML-RPC support has been built into WordPress core since version 3.5 and is a stable tool. Jetpack, like other plugins, services, and mobile apps, relies on the XML-RPC file to communicate with WordPress.com. If this is blocked, your Jetpack connection will stop working properly.

You should be able to protect a site’s XML-RPC file without having to allow specific IP ranges. The most popular hosts use tools like fail2ban or ModSecurity, for example.

If you’d prefer to use an allowlist, you’ll need to allow these IP ranges:

[ip_ranges service=jetpack format=html version=ipv4]

Important: These IP addresses are subject to change. If you are writing IP-based firewall rules, you’ll need to update those rules any time the addresses change. We also have machine-readable versions of these IP ranges in JSON and plain text format that you can use to automate configuration changes on your systems.

Using Jetpack with Cloudflare and/or Sucuri

By default, Cloudflare and Jetpack should require no additional configuration to operate together if there are no additional security configurations specified with Cloudflare.

If you are using Cloudflare (with additional security rules) or Sucuri, these are the ranges they accept:

  • 192.0.64.0/24
  • 192.0.65.0/24
  • 192.0.66.0/24
  • 192.0.67.0/24
  • 192.0.68.0/24
  • 192.0.69.0/24
  • 192.0.70.0/24
  • 192.0.71.0/24
  • 192.0.72.0/24
  • 192.0.73.0/24
  • 192.0.74.0/24
  • 192.0.75.0/24
  • 192.0.76.0/24
  • 192.0.77.0/24
  • 192.0.78.0/24
  • 192.0.79.0/24
  • 192.0.80.0/24
  • 192.0.81.0/24
  • 192.0.82.0/24
  • 192.0.83.0/24
  • 192.0.84.0/24
  • 192.0.85.0/24
  • 192.0.86.0/24
  • 192.0.87.0/24
  • 192.0.88.0/24
  • 192.0.89.0/24
  • 192.0.90.0/24
  • 192.0.91.0/24
  • 192.0.92.0/24
  • 192.0.93.0/24
  • 192.0.94.0/24
  • 192.0.95.0/24
  • 192.0.96.0/24
  • 192.0.97.0/24
  • 192.0.98.0/24
  • 192.0.99.0/24
  • 192.0.100.0/24
  • 192.0.101.0/24
  • 192.0.102.0/24
  • 192.0.103.0/24
  • 192.0.104.0/24
  • 192.0.105.0/24
  • 192.0.106.0/24
  • 192.0.107.0/24
  • 192.0.108.0/24
  • 192.0.109.0/24
  • 192.0.110.0/24
  • 192.0.111.0/24
  • 192.0.112.0/24
  • 192.0.113.0/24
  • 192.0.114.0/24
  • 192.0.115.0/24
  • 192.0.116.0/24
  • 192.0.117.0/24
  • 192.0.118.0/24
  • 192.0.119.0/24
  • 192.0.120.0/24
  • 192.0.121.0/24
  • 192.0.122.0/24
  • 192.0.123.0/24
  • 192.0.124.0/24
  • 192.0.125.0/24
  • 192.0.126.0/24
  • 192.0.127.0/24

If you are using Cloudflare they also support only allowing traffic coming from servers with a specific ASN (autonomous system number). To configure that, you can allow access to 2635.

Jetpack VaultPress Backup / Older VaultPress

The entire IP range from 192.0.64.1 ~ 192.0.127.254 needs to be added to the allowlist.

  • CIDR Notation: 192.0.64.0/18
  • GoDaddy Firewall & Sucuri use CIDR Notation.
  • Wordfence: 192.0.[64-127].[1-254]

Hosting Requirements

Generally, Jetpack works with any server that meets the requirements for WordPress itself, but some specific functionality is used more in Jetpack than WordPress itself.

  • XML: The Jetpack connection and various features use PHP’s XML manipulation libraries. While this is part of PHP by default, it can be built without it, and increasingly, we’re seeing some server environments needing a specific package installed.
    • Please install PHP’s XML module if you see an error message related to PHP XML functionality. Depending on your operating system, this can be done with a package manager: sudo apt-get install php-xml or sudo apt-get install php7.0-xml, sudo yum -y install php-xml or by building PHP without the --disable-xml flag.
    • If you are not skilled or confident to proceed, please ask your hosting support to install it for you.
  • Ability to perform outbound HTTPS requests to jetpack.wordpress.com and dashboard.jetpack.com.

Find more information that can be useful to server administrators and hosting providers on our Hosting Reference Documentation page.

Comments Off on How to add Jetpack IPs to an Allowlist

Hosting Reference Documentation

Posted on March 7, 2016 by Jen Swisher

This page provides some technical information and guidelines about using our products for network administrators, server admins, and web hosts. 

Here are helpful Jetpack troubleshooting links particularly relevant for hosting providers:

Jetpack Basics

Troubleshooting

Find Help

Download a printable PDF of these Jetpack links.

Jetpack-Specific System Requirements

Read more about Jetpack’s Server Requirements. Don’t worry—it is virtually the same as what WordPress expects.

XML-RPC Support: WordPress.com and Jetpack

XML-RPC is used by Jetpack to connect sites to WordPress.com. Some hosts and plugin developers believe that blocking access to /xmlrpc.php will stop various hacking attempts. However, XML-RPC support has been built into WordPress core since version 3.5 and is a stable tool.

Jetpack, much like other plugins, services, and apps (like our mobile apps), relies on the XML-RPC API to communicate with WordPress.com. If this is blocked, your Jetpack connection will not work correctly. To learn more about how Jetpack uses XML-RPC, see our support article about Jetpack and XML-RPC.

Allowlist IPs

You should be able to protect a site’s XML-RPC file without having to allowlist specific IP ranges. The most popular hosts out there use tools like fail2ban or ModSecurity, for example. If you opt to allowlist our IP addresses, please see our instructions on how to add our IPs to an allowlist for Jetpack and VaultPress.

Akismet

In order for a blog or forum to use Akismet to check spam, it needs to be able to make outgoing TCP connections to servers at Akismet.com. If your network normally blocks outgoing connections from your public web servers, you’ll need to add a firewall rule permitting connections to Akismet.

If your security filters allow exceptions based on hostnames, you should permit connections on port 80 to these:

  • rest.akismet.com
  • *.rest.akismet.com

Most Akismet API calls will be made to a hostname of the form api_key.rest.akismet.com, where api_key is an alphanumeric string that is different for each website owner.

If your security filters only allow IP-based rules, please refer to the Akismet Hosting FAQ for the list of current IP addresses.

Akismet Specific System Requirements

Akismet is a spam filtering service. It’s most commonly used with WordPress but is often used with other blog platforms, forum applications, contact forms, and similar web apps. It’s a centralized service, so TCP connectivity to servers at Akismet.com is required for it to work.

System requirements for the WordPress plugin are the same as for WordPress, plus:

  • PHP’s fsockopen and gethostbynamel functions must not be disabled (they are enabled by default in PHP).
  • TCP connectivity to akismet.com

System requirements for other Akismet plugins and implementations vary, but TCP connectivity is always required.

Comments Off on Hosting Reference Documentation

  • Enter your email address to follow this blog and receive news and updates from Jetpack!

    Join 111,669 other subscribers

  • Browse by Topic