Protect your site with brute force protection

Posted on August 29, 2019 by shaylynnm

Protect yourself against unwanted login attempts with brute force protection. (Formerly known as Jetpack Protect.)

Activate brute force protection

To protect your website immediately, Brute force protection is activated by default when you connect Jetpack to your WordPress.com account. You can deactivate and reactivate either from:

  • WP Admin: Jetpack → Settings → Security.
  • WP AdminJetpack → Protect in the Firewall tab – this option requires the Jetpack Protect plugin to be active.
  • WordPress.com Dashboard: Settings Security.

If this feature has locked your site’s login page and you cannot access your WP Admin, you can temporarily deactivate the brute force protection via your WordPress.com Dashboard under Settings > Security.

Configure Brute force protection

With Brute force protection activated, you can allowlist IP addresses. Allowlisting may be necessary if you’ve made too many failed login attempts to your site, or Jetpack has detected unusual behavior from your current IP address.

If you have lost access to your WP Admin due to too many failed login attempts, you can configure Brute force protection from the WordPress.com dashboard. Here is how:

  1. Navigate to WordPress.com Dashboard and go to Settings → Security
  2. Enter the IP list you wish to add into the Always allowed IP addresses / Trusted IP addresses field.
  3. Separate multiple IP addresses with a comma.
  4. To specify a range, enter the low value and high value separated by a dash. Example: 12.12.12.1-12.12.12.100.

Your current IP address is also shown on the page, so you can add it to your allowlist.

Both IPv4 and IPv6 addresses are accepted.

If you have access to your WP Admin, you can configure the Always allowed IP addresses / Trusted IP addresses from there at Jetpack → Settings → Security or (if you have the Jetpack Protect plugin active) at Jetpack → Protect → Firewall.

You can also allowlist one IP address by setting it as the JETPACK_IP_ADDRESS_OK constant in your wp-config.php file like this:

define('JETPACK_IP_ADDRESS_OK', 'X.X.X.X');

Dashboards

You can check the count of the total malicious attacks blocked on your site by following these steps:

  1. Go to Jetpack → My Jetpack in your WP Admin
  2. Locate the Protect section
  3. If any malicious login attempts have been blocked, the total will be displayed under Logins Blocked.

How brute force protection works

The length of time a block lasts is based on a number of factors and is not a set amount of time.

Math captcha on your login page

The math captcha is used as a fallback for the brute force protection feature. If your IP has been blocked due to too many failed login attempts, you may still access your site by correctly filling out the math captcha along with the correct login credentials. In very rare cases, you might see the captcha if you’ve not obtained an API key, or during times of very heavy attacks.

Brute force protection on Multisite

In a WordPress Multisite installation, you can log into any account that exists on the network through any login page on the network. As a result, if you have Jetpack’s Brute force protection active on some sites but not all, then no site is truly being protected.

To address this, please network enable Jetpack on your multisite installation and activate the brute force protection feature on the network’s primary site.  Once completed, Jetpack’s brute force protection feature will be activated on every site on your network, even if Jetpack isn’t connected on those sites.

Multiple blocked malicious login attempts

You may worry if you see a high number of blocked suspicious login attempts. But rest assured this means the feature is working as expected!

There are thousands of “bots” out there trying to gain access to sites all over the internet. No matter what size your site is, there’s always someone or something trying to “break in”. WordPress is very secure and usually the weakest point is someone’s password. Bots consequently try to guess people’s passwords to get in.

Jetpack’s brute force protection feature collects information from failed attempts from millions of sites and protects you from these attacks. For example, if a bot tried to gain access to site A, and then went to site B, Jetpack’s brute force protection would already know who this bot is and before it even tries to get into site B, it would be blocked.

Along with that, it’s also really important to have strong secure passwords.

Information about the blocked attacks

For example, you might be wondering:

  • Which usernames need more securing?
  • Is this via wp-login, or via XMLRPC?
  • From which IP addresses do these arrive?
  • When did these occur? Is there a pattern?
  • If these were found, how many more are there that were not detected?

We don’t have access to this information. Jetpack’s brute force protection was built to be lean and simple. It’s built in such a way that you don’t have to think about these questions or make any decisions. As such, the only data we store is the total number of attacks blocked.

Troubleshoot Jetpack brute force protection

Please read our brute force protection troubleshooting article for tips.

Still need help?

Please contact support. We’re happy to advise.

Privacy Information

Jetpack brute force protection is activated by default. It can be deactivated at any time by toggling the Brute force protection setting under Jetpack → Settings → Security on your WP Admin dashboard.

For general features and FAQs, please see our Jetpack Security features.

More information about the data usage on your site
Data Used
Site Owners / Users

In order to check login activity and potentially block fraudulent attempts, the following information is used: attempting user’s IP address, attempting user’s email address/username (i.e. according to the value they were attempting to use during the login process), and all IP-related HTTP headers attached to the attempting user.

Additionally, for activity tracking (detailed below): IP address, WordPress.com user ID, WordPress.com username, WordPress.com-connected site ID and URL, Jetpack version, user agent, visiting URL, referring URL, timestamp of event, browser language, country code.

 Site Visitors

In order to check login activity and potentially block fraudulent attempts, the following information is used: attempting user’s IP address, attempting user’s email address/username (i.e. according to the value they were attempting to use during the login process), and all IP-related HTTP headers attached to the attempting user.
Activity Tracked
Site Owners / Users

Failed login attempts.

We track when, and by which user, the feature is activated and deactivated. We also set a cookie (jpp_math_pass) for 1 day to remember if/when a user has successfully completed a math captcha to prove that they’re a real human. Learn more about this cookie.

 Site Visitors

Failed login attempts.

We set a cookie (jpp_math_pass) for 1 day to remember if/when a user has successfully completed a math captcha to prove that they’re a real human. Learn more about this cookie.
Data Synced (Read More)
Site Owners / Users

Options that identify whether or not the feature is activated and how its available settings are configured. We also sync the site’s allowlisted entries (as configured by the site owners), the Protect-specific API key used for login checking, and any failed login attempts, which contain the user’s IP address, attempted username or email address, and user agent information.

 Site Visitors

Failed login attempts, which contain the user’s IP address, attempted username or email address, and user agent information.
Comments Off on Protect your site with brute force protection

Troubleshoot Jetpack Brute Force Attack Protection

Posted on December 13, 2016 by bob matyas

Having problems with the Brute force attack protection feature on your site? Check these tips to find out why and learn more about our error messages.

Unblock your IP address

If Jetpack has flagged your IP address for any reason, it may block you from logging in. If you do get locked out, you’ll see a message:

Jetpack has locked your site’s login page. Your IP has been flagged for potential security violations.

To resolve this:

  1. Enter your email address and hit Send.
  2. You will receive an email with a special link you can click to regain access to the login form.
  3. If the email never reaches you or if you get an error when clicking the link in the email, you can allowlist your IP address to unblock yourself. Allowlisting can be done from your WordPress.com dashboard Settings → Security, which remains accessible even if you are locked out of your site.
  4. If you are still blocked, it’s likely due to a server configuration issue on your server. You can disable Brute Force Protection to regain access to your site, then contact us for help with further troubleshooting.

Resolve a “Server misconfigured” error

You may see the message “Brute Force Attack Protection is unable to effectively protect your site because your server is misconfigured.”

Whenever someone tries to log in to your site, Brute Force Attack Protection feature looks at that person’s IP address and compares it with our global database of malicious IP addresses.

For this to work properly, we rely on IP addresses stored and provided by your server. In some cases your server may not return any IP address, thus blocking brute force protection from working properly. When this happens, the feature will be disabled and we will let you know.

If that happens, please send a link to this page to your hosting provider, so they can take a look and fix the issue for you. They can also contact us directly via this contact form if they need more information.

Still need help?

Please contact support. We’re happy to advise.

Comments Off on Troubleshoot Jetpack Brute Force Attack Protection

Monitor your site’s uptime and downtime

Posted on November 21, 2013 by bob matyas

Jetpack’s downtime monitor continuously watches your website and alerts you the moment that downtime is detected.

Once Jetpack’s Downtime Monitor is activated, one of our servers will start checking your site every five minutes.  If it looks like something’s gone awry, we’ll fire off a notification to the WordPress.com account that Jetpack is connected to. For more information and FAQs, please see our features page.

Requirements

Jetpack’s Downtime Monitor needs a working Jetpack connection. To activate the feature, you need to install and activate the Jetpack plugin.

Jetpack’s Downtime Monitor is a free feature, it does not require a Jetpack plan.

Activate/Deactivate Downtime Monitoring

You or additional admin users connected to Jetpack can activate or deactivate the downtime monitoring feature from your WP Admin dashboard:

  1. In your WP Admin, Navigate to Jetpack → Settings → Security
  2. Toggle Downtime monitoring to:
    • On if you wish to receive Jetpack Monitor notifications when your site goes offline.
    • Off if you wish to stop receiving Jetpack Monitor notifications about your site going offline.
  3. Choose if you want alerts via email and/or WordPress.com notifications.

Emails

When downtime monitoring is activated, downtime notification emails will be sent to the user(s) who have enabled them in their WordPress.com security settings.

The time and date used in the notification comes from the timezone set in your WordPress settings (Settings > General).

If you’d like to add something to your email filters to make sure these notification emails never get sent to spam, they’ll all be coming from support+monitor AT jetpack DOT com.

If you are still getting downtime notifications for a site you no longer manage, please contact support.

Who receives downtime emails?

Downtime notification emails are sent only to the WordPress.com account that originally connected Jetpack to your site. This is typically the site’s primary user or Jetpack connection owner. It isn’t currently possible to add or CC additional recipients for these emails.

Enable notifications about downtime in your app

You can now receive push notifications about your site being down on mobile (Android and iOS) in both the Jetpack and WordPress apps. 

In order to enable downtime notifications from the Jetpack app or WordPress app go to:

  1. My Site.
  2. Site Settings > Jetpack > Security.
  3. Enable “Send push notifications”.

Downtime Status Alerts

When Jetpack Monitor records that your site is experiencing downtime, it also logs the reason in the form of a status. This status helps explain why your site is down. You can see this status in the downtime notification emails.

The status is located in the reference number at the bottom of the downtime notification emails. This reference number looks like:[23454191/server]. The number is our internal I.D. for your site. The second part is the status which is being returned.

Jetpack downtime alerts will return the following statuses. You can use these statuses to troubleshoot why your site is down:

  • “server” — a 5xx response, meaning the server had some type of fatal error, in particular if your theme or one of your plugins creates a Fatal Error.
  • blocked” — a 403 response, meaning the server replied that we were forbidden from viewing the home page.
  • client” — a 4xx response (other than 403), suggesting a similar server-side setting disabling access.
  • intermittent” — the request timed out without a response after 10 seconds. This case is one that can be confusing, since the site may actually be loading, just really slow. This one is also most likely to self-resolve–if the site is on a shared host and another site on the server is using too many resources, it could cause the other sites on the server to respond slowly. Note that our primary monitor server and the multiple verifying servers would all be seeing this for us to mark the site down.
  • redirection” — a 3xx response. Monitor will follow a few redirects, but if we’re asked to follow a fourth redirect, we assume there is a problem. Realistically, the suggests a redirect loop, but could be a relatively poor setup (e.g. example.com -> http://www.example.com -> http://www.example.com/en/ -> http://www.example.com/en/blog/ would be seen as down).
  • success” — a normal response. Everything worked. This should only be seen on the follow-up “Your site is back up!” e-mail.
  • unknown” — this shouldn’t ever happen. It suggests our monitoring service didn’t send an expected response to WordPress.com.

These are based on the HTTP response code to the HTTP HEAD request to your site’s home page and help why your site is down.

You received a downtime alert, but your site is not offline

Sometimes, Jetpack Downtime Monitor may alert you even if your site appears to be running normally. Here are the most common reasons for these false positives:

  • Your site is responding intermittently or too slowly.
    If your site takes longer than 20 seconds to load, we consider it inaccessible and trigger an alert. This often happens on shared hosting, where server resources are limited and shared with other sites. Heavy home pages with many loading resources can also slow things down.
    If you received only one alert and your site quickly returns to normal, it’s likely the issue was temporary and has already resolved itself.
  • Too many redirects.
    If our monitoring agent encounters excessive redirection, it may trigger a downtime alert. Double-check that your site’s URL is set up correctly and review any redirection plugins that might be misconfigured.
  • Jetpack is being blocked.
    Some hosting providers may block Jetpack’s monitoring agent. Ensure that your host allows requests with the following user agent:
    jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)

If you’re unsure or still encountering issues, please contact support for help.

Testing Monitor

You can run the following command in Terminal to check if the Jetpack Monitor agent is being blocked. If your site is up, it should return 200:

curl -IA "jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)" https://jetpack.com 

You will need to replace jetpack.com with your site’s domain.

How does this work behind the scenes?

When Jetpack checks your site, it pings your site’s homepage every five minutes, via a HTTP HEAD request.

We tentatively mark your site as down if the HTTP response code is 400 or greater, which indicates either a permissions error or a fatal code error is prohibiting your site from appearing to visitors, or we see more than three 300-series redirects, suggesting a redirect loop, or if your site fails to respond within 20 seconds.

Once it is tentatively marked down, we then spin up three separate servers in geographically different locations from a third-party vendor to ensure the problem is not isolated to our network or the location of our primary data center. If all three checks fail, we mark the site as down and notify you.

You can test to see if Jetpack Monitor is working on your site by running the cURL (client URL) command below, replacing “yourjetpack.blog” with your own site URL:

curl -IA "jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)" https://yourjetpack.blog

A response of 200 OK indicates that it is working.

Known Issues

Missed downtime notification and Cloudflare

If you’re using Cloudflare and your site is down, Downtime Monitor may not be able to notice it. This is due to how Cloudflare works, when the origin server (web host) is down, a cached copy of the site will be served by Cloudflare; because of that, Downtime Monitor will see the cached copy and won’t detect the downtime at the origin server.

Offline/non-operational sites still receiving Monitor alerts

You may still receive downtime notifications from Jetpack Monitor for your closed, no longer existing site. This happens because Jetpack Monitor continues to check the site’s status unless the Jetpack connection is stopped.

If you are receiving unwanted notifications and no longer have access to the WP Admin area for your site, please contact Jetpack Support directly.

Privacy Information

Downtime Monitoring is deactivated by default. You can activate it from your WordPress.com dashboard under Settings  Security.

Data Used
Site Owners / Users

Site owner’s local user ID, WordPress.com user ID, email address, WordPress.com-connected blog ID, and the date of the last downtime status change.

Additionally, for activity tracking (detailed below): IP address, WordPress.com user ID, WordPress.com username, WordPress.com-connected site ID and URL, Jetpack version, user agent, visiting URL, referring URL, timestamp of event, browser language, country code.

 Site Visitors

None.
Activity Tracked
Site Owners / Users

We track when, and by which user, the feature is activated and deactivated. We also track when, and which, configuration settings are modified.

 Site Visitors

None.
Data Synced (Read More)
Site Owners / Users

We sync options that identify whether or not the feature is activated and how its available settings are configured.

 Site Visitors

None.

Tagged | Comments Off on Monitor your site’s uptime and downtime

  • Enter your email address to receive news and updates from Jetpack

  • Join 98.9K other subscribers

  • Browse by Topic