Protect

Protect yourself against unwanted login attempts and brute force attacks with Jetpack Protect.

Activation

This feature is activated by default when you connect Jetpack to your WordPress.com account. It can be deactivated at any time (even if you’ve been locked out) via your WordPress.com dashboard under the Site Settings page.

Settings

Once activated you can whitelist IP addresses from the same Site Settings page. Whitelisting may be necessary if you’ve made too many failed log in attempts to your site or Jetpack has detected unusual behaviour from your current IP address.

  • Your current IP address is also shown on the page so you can easily add it to your whitelist.
  • Both IPv4 and IPv6 addresses are accepted.

Advanced Tip: You can also whitelist one IP address by setting it as the JETPACK_IP_ADDRESS_OK constant in your wp-config.php like this: define('JETPACK_IP_ADDRESS_OK', 'X.X.X.X');

Dashboards

You can view a count of the “total malicious attacks blocked on your site” under the Security section of your Jetpack dashboard.

Troubleshooting Information

Having trouble with Protect on your site? Check the tips below to find out why.

How long is an IP blocked?

The length of time is based on a number of factors and is not a set amount of time.

Jetpack locked me out. What can I do?

If Jetpack has flagged your IP address for any reason it may block you from logging in. In this case, you’ll see something like this:

protect-locked

Enter your email address and hit Send. You will receive an email with a special link you can click to regain access to the login form. If you get an error when clicking the link in the email, you can whitelist your IP address as covered under Settings to unblock yourself. If you are still blocked, it’s likely due to a configuration issue on your server. You can disable Protect to regain access to your site. Then contact us for help further troubleshooting.

Why am I seeing a math captcha on my login page?

The math captcha is used as a fallback for the protect feature. If your IP has been blocked due to too many failed login attempts, you may still access your site by correctly filling out the math captcha along with the correct login credentials. In very rare cases, you might see the captcha if you’ve not obtained an API key or during times of very heavy attacks.

Jetpack Protect is unable to effectively protect your site because your server is misconfigured

Whenever someone tries to log in to your site, Jetpack’s Protect module looks at that person’s IP address and compares it with our global database of malicious IP addresses.

For this to work properly, we rely on IP addresses stored and provided by your server. Unfortunately in some cases your server may not return any IP address, thus blocking Protect from working properly. When this happens, the Protect module will be disabled and we will let you know.

If that happens, do not hesitate to send a link to this page to your hosting provider, so they can take a look and fix the issue for you. They can also contact us directly via this contact form if they need more information.

Protect on Multisite Networks

If you tried to log in to your site multiple times but failed to log in because you had forgotten your password, you may end up being blocked by Jetpack’s Protect module.

In a WordPress Multisite installation, you can log in to any account that exists on the network through any log in page on the network.  As a result, if you have Jetpack Protect active on some sites but not all, then no site is truly being protected.

To address this, please network enable Jetpack on your multisite installation and activate the Protect feature on the network’s primary site.  Once completed, Jetpack’s Protect feature will be activated on every site on your network, even if Jetpack isn’t connected on those sites.

Protect reports thousands of blocked malicious login attempts

The best way to explain this feature is that there are thousands of “bots” out there trying to gain access to sites all over the internet. No matter what size your site is, there’s always someone or something trying to “break in”. WordPress is very secure and usually the weakest point is someone’s password. Bots consequently try to guess people’s passwords to get in.

Jetpack’s Protect module collects information from failed attempts from millions of sites and protects you from these attacks. For example, if a bot tried to gain access to site A, and then went to site B, Protect would already know who this bot is and before it even tries to get into site B, it would be blocked.

Along with that, it’s also really important to have strong secure passwords.

Where can I get more information about the blocked attacks?

e.g.

  • Which user names need more securing?
  • Is this via wp-login, or via XMLRPC?
  • From which IP addresses do these arrive?
  • When did these occur? Is there a pattern?
  • If these were found, how many more are there that were not detected?

We don’t have access to this information. Jetpack Protect was built to be lean and simple. It’s built in such a way that you don’t have to think about these questions or make any decisions. As such, the only data we store is the total number of attacks blocked.

Privacy Information

This feature is activated by default. It can be deactivated at any time by toggling the Protect setting in the Security section from Jetpack → Dashboard → At a Glance in your dashboard.

For general features and FAQs, please see our Jetpack Security features.

More information about the data usage on your site
Data Used
Site Owners / Users

In order to check login activity and potentially block fraudulent attempts, the following information is used: attempting user’s IP address, attempting user’s email address/username (i.e. according to the value they were attempting to use during the login process), and all IP-related HTTP headers attached to the attempting user.

Additionally, for activity tracking (detailed below): IP address, WordPress.com user ID, WordPress.com username, WordPress.com-connected site ID and URL, Jetpack version, user agent, visiting URL, referring URL, timestamp of event, browser language, country code.

Site Visitors

In order to check login activity and potentially block fraudulent attempts, the following information is used: attempting user’s IP address, attempting user’s email address/username (i.e. according to the value they were attempting to use during the login process), and all IP-related HTTP headers attached to the attempting user.

Activity Tracked
Site Owners / Users

Failed login attempts.

We track when, and by which user, the feature is activated and deactivated. We also set a cookie (jpp_math_pass) for 1 day to remember if/when a user has successfully completed a math captcha to prove that they’re a real human. Learn more about this cookie.

Site Visitors

Failed login attempts.

We set a cookie (jpp_math_pass) for 1 day to remember if/when a user has successfully completed a math captcha to prove that they’re a real human. Learn more about this cookie.

Data Synced (Read More)
Site Owners / Users

Options that identify whether or not the feature is activated and how its available settings are configured. We also sync the site’s whitelisted entries (as configured by the site owners), the Protect-specific API key used for login checking, and any failed login attempts, which contain the user’s IP address, attempted username or email address, and user agent information.

Site Visitors

Failed login attempts, which contain the user’s IP address, attempted username or email address, and user agent information.

Comments Off on Protect

Securing Your Site After A Hack

This guide explains exactly what to do when our scanner has recently turned up security threats on your site or if you suspect your site has been hacked.

Review WordPress Security Best Practices

If you’re running a modest, personal site, you might want to first ensure you’re following best general security practices. The official documentation offers some solid tips.

Contact your host

Your host manages your server so the sooner they are aware the more actions they can take on their end to protect your site. In some cases, your host may be the one notifying you of the hack. In that case, work with them to get a list of hacked files and identify the hack. Getting access to server logs can help identify where the entry point might have been as well.

Update any out of date plugins or themes

Always running the latest versions of your plugins, themes, and WordPress itself, will go a long way in keeping your site safe and sound. At VaultPress, we highly recommend using something like Jetpack Manage to make this easier to take care of.

Remove unused plugins or themes

Even if a theme or plugin isn’t active on your site, the files for these extensions will remain on your server and can pose risks if they remain out of date or a threat is found. We highly recommend removing any unused plugins or themes as a result!

Make sure you are using the latest version of WordPress

In the same way using the latest version of plugins and themes gives you the best chance at site security, using the latest version of WordPress also will go a long way.

Reinstall WordPress core

VaultPress’ security scanner will catch any changes to WordPress core but, if you aren’t using a plan that includes our scanner, we recommend reinstalling your core files. You can do this by heading to Dashboard > Updates > Reinstall Now.

Reset all of your passwords related to your site

By resetting your passwords, you will help close down on any backdoor pathways a hacker might have. We recommend resetting passwords related to all aspects of your site from your email account to your hosting account to your site login. Ultimately, we recommend always using unique and complex passwords! Here are some tips for choosing a strong one.

Have questions? Feel free to reach out to support for more personalized assistance. We’re happy to help!

 

Comments Off on Securing Your Site After A Hack

Troubleshooting issues with the Protect module

Are you unable to enable the Protect module on your site? Check these tips to find out why.

Jetpack Protect is unable to effectively protect your site because your server is misconfigured

Whenever someone tries to log in to your site, Jetpack’s Protect module looks at that person’s IP address and compares it with our global database of malicious IP addresses.

For this to work properly, we rely on IP addresses stored and provided by your server. Unfortunately in some cases your server may not return any IP address, thus blocking Protect from working properly. When this happens, the Protect module will be disabled and we will let you know.

If that happens, do not hesitate to send a link to this page to your hosting provider, so they can take a look and fix the issue for you. They can also contact us directly via this contact form if they need more information.

Unblock yourself when your IP address was blocked by Jetpack’s Protect module

If you tried to log in to your site multiple times but failed to log in because you had forgotten your password, you may end up being blocked by Jetpack’s Protect module.

In this case, you’ll see something like this:

protect-locked

Enter your email address and hit Send. You will receive an email with a special link you can click to regain access to the login form. If you get an error when clicking the link in the email, you can follow one of the three methods described here to unblock yourself. If you are still blocked, it’s likely due to a configuration issue on your server. Please contact us for help fixing that.

Protect on Multisite Networks

In a WordPress Multisite installation, you can log in to any account that exists on the network through any log in page on the network.  As a result, if you have Jetpack Protect active on some sites but not all, then no site is truly being protected.

To address this, please network enable Jetpack on your multisite installation and activate the Protect feature on the network’s primary site.  Once completed, Jetpack’s Protect feature will be activated on every site on your network, even if Jetpack isn’t connected on those sites.

Protect reports thousands of blocked malicious login attempts

The best way to explain this feature is that there are thousands of “bots” out there trying to gain access to sites all over the internet. No matter what size your site is, there’s always someone or something trying to “break in”. WordPress is very secure and usually the weakest point is someone’s password. Bots consequently try to guess people’s passwords to get in.

Jetpack’s Protect module collects information from failed attempts from millions of sites and protects you from these attacks. For example, if a bot tried to gain access to site A, and then went to site B, Protect would already know who this bot is and before it even tries to get into site B, it would be blocked.

Along with that, it’s also really important to have strong secure passwords.

Find out more information about the Protect feature here.

If you have more questions, do not hesitate to contact us!

Comments Off on Troubleshooting issues with the Protect module

Security Features

Jetpack Security FeaturesJetpack includes state-of-the-art security tools that keep your site safe and sound, from posts to plugins.

Jetpack’s security features include:

Are you blocked from accessing your dashboard? Use one of the three methods described here to unblock yourself.

Here are some resources to help get you started:

  • Protect - Jetpack Protect allows you to protect yourself against traditional brute force attacks and distributed brute force attacks that use many servers against your site
  • Jetpack Scan - Jetpack Scan offers automated malware scanning and one-click threat resolution.
  • Troubleshooting issues with the Protect module - Are you unable to enable the Protect module on your site? Check these tips to find out why.
  • Security - Jetpack includes state-of-the-art security tools that keep your site safe and sound, from posts to plugins. Protection from brute force attacks24/7 downtime monitoringSecure Sign OnAutomatic plugin updatesAnd more Are you blocked from accessing your dashboard? Use one of the three methods described here to unblock yourself. Here are some resources to help get you started: […]
  • Security Features - Jetpack’s security features allow you to secure your self-hosted WordPress sites from a single dashboard on WordPress.com.
  • WordPress.com Secure Sign On - Using the same log-in credentials you use for WordPress.com, you’ll now be able to register for and sign in to self-hosted WordPress.org sites quickly and securely.
  • Downtime Monitoring - Jetpack Monitor will keep tabs on your site, and alert you the moment that downtime is detected.

Our paid subscriptions offer even more ways to protect and monitor your site — learn more here.

Troubleshooting information and FAQs

What else should I do to protect my sites?

Backups

It’s strongly recommended you back up your self-hosted sites using a tool such as Jetpack Backup. Backups provide a recovery mechanism should a malicious file corrupt your site or become otherwise compromised.

Plugin Updates

Jetpack’s automatic plugin updates make it easy to keep your plugins up to date. By setting your plugins to auto-update, you help ensure any issues that may arise due to plugins with malicious code will not harm your site.

Keeping your plugins and themes updated is one of the most effective ways to keep your self-hosted WordPress sites secure. By using Jetpack’s site management tools, you can keep your plugins up to date from one easy control panel in WordPress.com. Learn more about automatic plugin updates»

Site Monitoring

Jetpack’s downtime monitoring feature will keep tabs on your site and alert you the moment downtime is detected. Monitoring uptime of your site can be an important tool in the security of your site. Learn more about downtime monitoring»

Privacy Information

Comments Off on Security Features

Downtime Monitoring

Jetpack’s downtime monitor will continuously watch your site and alert you the moment that downtime is detected.

Jetpack keeps tabs on your site and notifies you the moment downtime is detected.

Once activated, one of our servers will start checking your site every five minutes.  If it looks like something’s gone awry, we’ll fire off an email notification to the WordPress.com account that Jetpack is connected to.

For general features and FAQs, please see our features page.


Emails

When downtime monitoring is activated, downtime notification emails will be sent to the user who activated it. If you have additional admin users connected to their WordPress.com accounts, they can also enable these email notifications for themselves via Jetpack → Settings → Security.

If you’d like to add something to your email filters to make sure these notification emails never get sent to spam, they’ll all be coming from support+monitor AT jetpack DOT com.

Push notifications

You can now receive notifications about your site being down on the web through WordPress.com and/or push notifications on mobile (Android and iOS) for both Jetpack and WordPress apps. 

In order to enable this feature from the web:

  1. Head to https://wordpress.com/settings/security/.
  2. Select your site.
  3. Enable “Send notifications via WordPress.com notification”.

In order to enable this feature from the apps (Android and iOS, Jetpack and WordPress):

  1. Head to My Site.
  2. Jetpack Settings.
  3. Enable “Send push notifications”.

Is your site up and running properly, but you’re receiving ‘site down’ notifications?

This can happen for different reasons, and the content of the Notification emails should tell you more.

Your site is responding intermittently, or extremely slowly.

Your site may be loading slowly. If your site can’t be loaded in less than 20 seconds, we consider it as inaccessible. This may happen if you’re on shared hosting, where your bandwidth is shared with many other websites, or if you have a lot of resources loading on your home page; this will slow your site down.

Note that in some cases your site may be slow for a few minutes only. Its loading speed then comes back to normal after your hosting provider has taken measures to isolate other sites on your server that may have used too many resources and slowed everyone else’s site down for a few minutes.

Our requests are being redirected too many times.

If this happens, make sure your site URL is properly set up and that you don’t use any redirection plugins that may cause issues.

Jetpack is blocked.

Make sure your hosting service isn’t blocking our monitoring agent! The user agent that we’re sending along with the HEAD requests should be jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)! If it’s still not going through properly, please contact support.

The server does not respond..

If your theme or one of your plugins create 500 errors, also known as Fatal Errors, on your site, readers won’t be able to access your site and we will send you an email to let you know.

Status Alerts

At the bottom of the Notification email we send you when monitoring detects an issue with your site there is a section that can provide a little more information:

The number is our internal I.D. for your site. The second part is the status which is being returned. These are based on the HTTP response code to the HTTP HEAD request to your site’s home page:

  • “server” — a 5xx response, meaning the server had some type of fatal error.
  • blocked” — a 403 response, meaning the server replied that we were forbidden from viewing the home page.
  • client” — a 4xx response (other than 403), suggesting a similar server-side setting disabling access.
  • intermittent” — the request timed out without a response after 10 seconds. This case is one that can be confusing, since the site may actually be loading, just really slow. This one is also most likely to self-resolve–if the site is on a shared host and another site on the server is using too many resources, it could cause the other sites on the server to respond slowly. Note that our primary monitor server and the multiple verifying servers would all be seeing this for us to mark the site down.
  • redirection” — a 3xx response. Monitor will follow a few redirects, but if we’re asked to follow a fourth redirect, we assume there is a problem. Realistically, the suggests a redirect loop, but could be a relatively poor setup (e.g. example.com -> http://www.example.com -> http://www.example.com/en/ -> http://www.example.com/en/blog/ would be seen as down).
  • success” — a normal response. Everything worked. This should only be seen on the follow-up “Your site is back up!” e-mail.
  • unknown” — this shouldn’t ever happen. It suggests our monitoring service didn’t send an expected response to WordPress.com.

How does this work behind the scenes?

When we check your site, we ping your site’s homepage (via a HTTP HEAD request) every five minutes.

We tentatively mark your site as down if the HTTP response code is 400 or greater, which indicates either a permissions error or a fatal code error is prohibiting your site from appearing to visitors, or we see more than three 300-series redirects, suggesting a redirect loop, or if your site fails to respond within 20 seconds.

Once it is tentatively marked down, we then spin up three separate servers in geographically different locations from a third-party vendor to ensure the problem is not isolated to our network or the location of our primary datacenter.

If all three checks fail, we mark the site as down and notify you.

Note: Jetpack uses the timezone set in your WordPress settings (Settings > General)

Privacy Information

This feature is deactivated by default. If you ever need to deactivate this feature, you can click on the Settings link in the Downtime Monitoring section from Jetpack — Dashboard — At a Glance in your dashboard. Once you’re viewing the feature’s settings on WordPress.com, toggle the Monitor your site’s downtime setting found within the Downtime Monitoring section at the top of the page.

More information about the data usage on your site

This feature is deactivated by default. If you ever need to deactivate this feature, you can click on the Settings link in the Downtime Monitoring section from Jetpack — Dashboard — At a Glance in your dashboard. Once you’re viewing the feature’s settings on WordPress.com, toggle the Monitor your site’s downtime setting found within the Downtime Monitoring section at the top of the page.

Data Used
Site Owners / Users

Site owner’s local user ID, WordPress.com user ID, email address, WordPress.com-connected blog ID, and the date of the last downtime status change.

Additionally, for activity tracking (detailed below): IP address, WordPress.com user ID, WordPress.com username, WordPress.com-connected site ID and URL, Jetpack version, user agent, visiting URL, referring URL, timestamp of event, browser language, country code.

Site Visitors

None.

Activity Tracked
Site Owners / Users

We track when, and by which user, the feature is activated and deactivated. We also track when, and which, configuration settings are modified.

Site Visitors

None.

Data Synced (Read More)
Site Owners / Users

We sync options that identify whether or not the feature is activated and how its available settings are configured.

Site Visitors

None.

Comments Off on Downtime Monitoring
  • Enter your email address to follow this blog and receive news and updates from Jetpack!

    Join 110,172 other followers

  • Browse by topic