Getting Started with the Jetpack Protect Plugin

Posted on March 7, 2023 by Bruce Allen

The Jetpack Protect plugin is a free security plugin for WordPress that scans your site and warns you about vulnerabilities, keeping your site one step ahead of security threats and malware.

What do I need to run Jetpack Protect on my site?

  • A web host that meets the WordPress host requirements.
  • The latest version of WordPress. If your version of WordPress is out of date, you’ll see a prompt to automatically upgrade with a single click, or can upgrade manually.
  • A WordPress.com account. Don’t have one yet? Sign up for one here, or create one during the Jetpack connection flow. You only need one WordPress.com account to access all our services (including Akismet, Crowdsignal, Gravatar, and WordPress.com itself). If you use any of these services, you already have a WordPress.com account to connect to Jetpack. You can reset your WordPress.com password if you need to.
  • A publicly accessible WordPress site: no password protection or Coming Soon / Maintenance Mode plugin in use.
  • A publicly accessible XML-RPC file.

Installing Jetpack Protect

Installing Jetpack Protect can be done from your site’s WP Admin. To install Jetpack Protect via the WP Admin:

  1. Go to Plugins → Add New.
  2. Search for Jetpack Protect. The latest version will show in the search results. 
  3. Click Install Now.
Image showing the Jetpack Protect logo and install now button for the plugin.
  1. Click Activate.
  1. After activating, you will be prompted to select one of two plans:
    • Free: This plan includes checking items against the WPScan database and daily automated scans for threats and vulnerabilities.
    • Jetpack Protect: This plan is a Jetpack Scan plan. With this plan, you will get the same features as the Free plan, plus several premium features.
  2. Once you’ve selected a plan and completed the purchase process (if necessary), Jetpack Protect will begin its first scan.
  3. Once the scan is complete, your results will show in the WP Admin by going to Jetpack → Protect.

Scanning Your Site

Once you’ve installed the plugin, your first malware scan will begin automatically. After the first scan, they will run about every 24 hours. It is not possible to set a time for automated daily scans. 

If you have a paid Jetpack plan that includes Jetpack Scan, you will have the ability to start a scan on demand through the plugin. You can do this by going to your WP Admin and then Jetpack → Protect. From there, click Scan now.

Viewing and Fixing Security Threats

You can visit the Jetpack Protect dashboard in your WordPress admin panel to see the security threats and malware found by the integrated malware scanner. When the malware scanner finds a security threat, you can view the recommended actions on the Jetpack Protect dashboard to secure your sites.

You can view security threats and malware found by Jetpack Protect by going to your WP Admin and then Jetpack → Protect. From there, you can see a list of threats found, and how to fix them. 

Still need help?

Please contact support directly. We’re happy to lend a hand and answer any other questions that you may have.

Privacy Information

This feature is deactivated by default. It can be activated at any time by installing the Jetpack Protect plugin.

Data Used
Site Owners/Users and Visitors
This feature evaluates the incoming HTTP requests and blocks them if they’re considered malicious.
Activity Tracked
Site Owners/Users and Visitors
If the Share data with Jetpack checkbox is selected we track which rules caused a request to be blocked. We don’t track actual request data with this option.
Data Synced (Read More)
Users:Used in the authentication process for some of our APIs.
Themes:Used to get the themes list that we should check against the WPScan API in the free version.
Plugins:Used to get the plugins list that we should check against the WPScan API in the free version.
WordPress version:Used to know which version we should check against the WPScan API in the free version.
Comments Off on Getting Started with the Jetpack Protect Plugin

Protect your site with brute force protection

Posted on August 29, 2019 by Emily Axel

Protect yourself against unwanted login attempts with brute force protection. (Formerly known as Jetpack Protect.)

Activate

Screenshot of Brutce force protection setting, with it toggled ON.

To protect your website immediately, this feature is activated by default when you connect Jetpack to your WordPress.com account. You can deactivate and reactivate either from:

If this feature has locked your site’s login page and you cannot access your WP Admin, you can temporarily deactivate the brute force protection via your WordPress.com dashboard under Settings > Security.

Settings

With brute force protection activated, you can allowlist IP addresses. Allowlisting may be necessary if you’ve made too many failed login attempts to your site or Jetpack has detected unusual behavior from your current IP address.

  1. Start by navigating to:
  • WP Admin: Jetpack → Settings → Security

or

  1. Enter the IP list you wish to add into the Always allowed IP addresses field.
  2. Separate multiple IP addresses with a comma.
  3. To specify a range, enter the low value and high value separated by a dash. Example: 12.12.12.1-12.12.12.100.

Your current IP address is also shown on the page, so you can easily add it to your allowlist.

Both IPv4 and IPv6 addresses are accepted.

Advanced Tip: You can also allowlist one IP address by setting it as the JETPACK_IP_ADDRESS_OK constant in your wp-config.php file like this: define('JETPACK_IP_ADDRESS_OK', 'X.X.X.X');

Dashboards

View a count of the “total malicious attacks blocked on your site” under the Security section of your Jetpack dashboard: WP Admin: Jetpack → Dashboard → Security → Brute force protection

Screenshot of the Jetpack dashboard in the WP Admin area. The Security section lists VaultPress Backups, Activity, Scan, Akismet Anti-spam, Brute force protection, and Downtime monitoring.

How it works

The length of time is based on a number of factors and is not a set amount of time.

Getting locked out of your own website

If Jetpack has flagged your IP address for any reason, it may block you from logging in. If you do get locked out, you’ll see a message “Jetpack has locked your site’s login page. Your IP has been flagged for potential security violations.”

To resolve this:

  1. Enter your email address and hit Send.
  2. You will receive an email with a special link you can click to regain access to the login form.
  3. If you get an error when clicking the link in the email, you can allowlist your IP address to unblock yourself.
  4. If you are still blocked, it’s likely due to a configuration issue on your server. You can disable Brute Force Protection to regain access to your site, then contact us for help with further troubleshooting.

Math captcha on your login page

The math captcha is used as a fallback for the brute force protection feature. If your IP has been blocked due to too many failed login attempts, you may still access your site by correctly filling out the math captcha along with the correct login credentials. In very rare cases, you might see the captcha if you’ve not obtained an API key, or during times of very heavy attacks.

Error: server is misconfigured

Whenever someone tries to log in to your site, Jetpack’s brute force protection feature looks at that person’s IP address and compares it with our global database of malicious IP addresses.

For this to work properly, we rely on IP addresses stored and provided by your server. Unfortunately in some cases your server may not return any IP address, thus blocking brute force protection from working properly. When this happens, the feature will be disabled and we will let you know.

If that happens, do not hesitate to send a link to this page to your hosting provider, so they can take a look and fix the issue for you. They can also contact us directly via this contact form if they need more information.

Brute force protection on Multisite

In a WordPress Multisite installation, you can log into any account that exists on the network through any login page on the network. As a result, if you have Jetpack’s Brute force protection active on some sites but not all, then no site is truly being protected.

To address this, please network enable Jetpack on your multisite installation and activate the brute force protection feature on the network’s primary site.  Once completed, Jetpack’s brute force protection feature will be activated on every site on your network, even if Jetpack isn’t connected on those sites.

Multiple blocked malicious login attempts

You may worry if you see a high number of blocked suspicious login attempts. But rest assured this means the feature is working as expected!

There are thousands of “bots” out there trying to gain access to sites all over the internet. No matter what size your site is, there’s always someone or something trying to “break in”. WordPress is very secure and usually the weakest point is someone’s password. Bots consequently try to guess people’s passwords to get in.

Jetpack’s brute force protection feature collects information from failed attempts from millions of sites and protects you from these attacks. For example, if a bot tried to gain access to site A, and then went to site B, Jetpack’s brute force protection would already know who this bot is and before it even tries to get into site B, it would be blocked.

Along with that, it’s also really important to have strong secure passwords.

Information about the blocked attacks

For example, you might be wondering:

  • Which usernames need more securing?
  • Is this via wp-login, or via XMLRPC?
  • From which IP addresses do these arrive?
  • When did these occur? Is there a pattern?
  • If these were found, how many more are there that were not detected?

We don’t have access to this information. Jetpack’s brute force protection was built to be lean and simple. It’s built in such a way that you don’t have to think about these questions or make any decisions. As such, the only data we store is the total number of attacks blocked.

Still need help?

Please contact support directly. We’re happy to advise.

Privacy Information

This feature is activated by default. It can be deactivated at any time by toggling the Brute force protection setting under Jetpack → Settings → Security on your WP Admin dashboard.

For general features and FAQs, please see our Jetpack Security features.

More information about the data usage on your site
Data Used
Site Owners / Users

In order to check login activity and potentially block fraudulent attempts, the following information is used: attempting user’s IP address, attempting user’s email address/username (i.e. according to the value they were attempting to use during the login process), and all IP-related HTTP headers attached to the attempting user.

Additionally, for activity tracking (detailed below): IP address, WordPress.com user ID, WordPress.com username, WordPress.com-connected site ID and URL, Jetpack version, user agent, visiting URL, referring URL, timestamp of event, browser language, country code.

 Site Visitors

In order to check login activity and potentially block fraudulent attempts, the following information is used: attempting user’s IP address, attempting user’s email address/username (i.e. according to the value they were attempting to use during the login process), and all IP-related HTTP headers attached to the attempting user.
Activity Tracked
Site Owners / Users

Failed login attempts.

We track when, and by which user, the feature is activated and deactivated. We also set a cookie (jpp_math_pass) for 1 day to remember if/when a user has successfully completed a math captcha to prove that they’re a real human. Learn more about this cookie.

 Site Visitors

Failed login attempts.

We set a cookie (jpp_math_pass) for 1 day to remember if/when a user has successfully completed a math captcha to prove that they’re a real human. Learn more about this cookie.
Data Synced (Read More)
Site Owners / Users

Options that identify whether or not the feature is activated and how its available settings are configured. We also sync the site’s allowlisted entries (as configured by the site owners), the Protect-specific API key used for login checking, and any failed login attempts, which contain the user’s IP address, attempted username or email address, and user agent information.

 Site Visitors

Failed login attempts, which contain the user’s IP address, attempted username or email address, and user agent information.
Comments Off on Protect your site with brute force protection

Troubleshoot Jetpack Brute Force Attack Protection

Posted on December 13, 2016 by Emily Axel

Are you unable to enable the Brute force attack protection feature on your site? Check these tips to find out why and learn more about our error messages.

Server misconfigured

You may see the message “Brute Force Attack Protection is unable to effectively protect your site because your server is misconfigured.”

Whenever someone tries to log in to your site, Brute Force Attack Protection feature looks at that person’s IP address and compares it with our global database of malicious IP addresses.

We rely on IP addresses stored and provided by your server for this to work properly. If your server does not return any IP addresses, then Brute Force Attack Protection will not work properly. The Brute Force Attack Protection feature will be disabled when this happens, and we will let you know.

If that happens, please send a link to this page to your hosting provider, so they can take a look and fix the issue for you. They can also contact us directly via this contact form if they need more information.

Unblock your IP address

If you tried to log in to your site multiple times but failed because you had forgotten your password, Brute Force Protection may block your IP address.

Enter your email address in the available field and hit Send. You will receive an email with a special link you can click to regain access to the login form.

If you get an error when clicking the link in the email, you can follow one of the three methods described here under Jetpack locked me out. What can I do? to unblock yourself.

If you are still blocked, it’s likely due to a configuration issue on your server. Please contact us for help fixing that.

Brute Force Attack Protection on Multisite Networks

In a WordPress Multisite installation, you can log in to any account that exists on the network through any log-in page on the network.  As a result, if you have Brute Force Attack Protection active on some sites but not all, then no site is truly being protected.

To address this, please network enables Jetpack on your multisite installation and activate the Brute Force Attack Protection feature on the network’s primary site.  Once completed, Brute Force Attack Protection feature will be activated on every site on your network, even if Jetpack isn’t connected to those sites.

Malicious login attempt reports

The best way to explain this feature is that there are thousands of “bots” out there trying to gain access to sites all over the internet. No matter what size your site is, there’s always someone or something trying to “break in”. WordPress is very secure and usually the weakest point is someone’s password. Bots consequently try to guess people’s passwords to get in.

Brute Force Attack Protection feature collects information from failed attempts from millions of sites and protects you from these attacks. For example, if a bot tried to gain access to site A, and then went to site B, Brute Force Attack Protection would already know who this bot is and before it even tries to get into site B, it would be blocked.

Along with that, it’s also really important to have strong secure passwords.

Find out more information about the Brute Force Attack Protection feature here.

Still need help?

Please contact support directly. We’re happy to advise.

Comments Off on Troubleshoot Jetpack Brute Force Attack Protection

Security Features

Posted on January 28, 2015 by Kellie Hodgins

Jetpack includes state-of-the-art security tools that keep your site safe and sound, from posts to plugins.

Backups

It’s strongly recommended you back up your site using a tool such as Jetpack Backup. Backups provide a recovery mechanism should a malicious file corrupt your site or become otherwise compromised.

Security Scans

Jetpack Scan will monitor your site for security threats and bad actors, offering a one-click fix for many security issues.

Plugin Updates

Jetpack’s automatic plugin updates make it easy to keep your plugins up to date. By setting your plugins to auto-update, you help ensure any issues that may arise due to plugins with malicious code will not harm your site.

Keeping your plugins and themes updated is one of the most effective ways to keep your self-hosted WordPress sites secure. By using Jetpack’s site management tools, you can keep your plugins up to date from one easy control panel in WordPress.com. Learn more about automatic plugin updates.

Site Monitoring

Jetpack’s downtime monitoring feature will keep tabs on your site and alert you the moment downtime is detected. Monitoring uptime of your site can be an important tool in the security of your site. Learn more about downtime monitoring.

Jetpack’s full range of security features include:

  • WordPress.com Secure Sign On - Using the same log-in credentials you use for WordPress.com, you’ll now be able to register for and sign in to self-hosted WordPress.org sites quickly and securely.
  • Security Features - Jetpack’s security features allow you to secure your self-hosted WordPress sites from a single dashboard on WordPress.com.
  • Security - Jetpack includes state-of-the-art security tools that keep your site safe and sound, from posts to plugins. Protection from brute force attacks24/7 downtime monitoringSecure Sign-OnAutomatic plugin updatesAnd more Are you blocked from accessing your dashboard? Use one of the three methods described here to unblock yourself. Here are some resources to help get you started: Our […]
  • Troubleshoot Jetpack Brute Force Attack Protection - Are you unable to enable the Protect feature on your site? Check these tips to find out why.
  • Jetpack Scan - Jetpack Scan offers automated malware scanning and one-click threat resolution.
  • Protect your site with brute force protection - Jetpack Protect allows you to protect yourself against traditional brute force attacks and distributed brute force attacks that use many servers against your site
  • How to Clean Your Hacked WordPress Site - It can be scary and stressful when your website is hacked, but it needn’t be a disaster. If you use Jetpack Scan to monitor your site, it will notify you of any potential threats. In many cases, these can be resolved with the click of a button. However, sometimes a website can get hacked more […]
  • Jetpack Akismet Anti-spam - Jetpack Anti-spam, powered by Akismet, automatically filters spam comments and contact form submissions on your site. Using Jetpack Akismet Anti-spam requires a Jetpack Security, Jetpack Complete, or Jetpack Akismet Anti-spam plan, or a legacy plan that includes anti-spam. Getting Started with Jetpack Akismet Anti-spam Once you’ve purchased your Jetpack Akismet Anti-spam plan and connected your […]
  • Jetpack WAF (Web Application Firewall) - Looking for more information about using the WAF with the Jetpack Protect plugin? See our article about the Jetpack Protect Plugin. Jetpack’s WAF (Web Application Firewall) examines incoming traffic to a WordPress site and decides to allow or block it based on various rules. This adds an important layer of protection to your site, particularly […]
  • Jetpack Protect - Jetpack Protect is a free security plugin for WordPress that scans your site and warns you about vulnerabilities, keeping your site one step ahead of security threats and malware. What do I need to run Jetpack Protect on my site? Installing Jetpack Protect Installing Jetpack Protect can be done from your site’s WP Admin. To […]
  • Jetpack Firewall in the Jetpack Protect Plugin - Jetpack Firewall examines incoming traffic to your site and decides to allow or block it based on various rules. This adds an important layer of protection to your site, particularly when attackers actively exploit unpatched vulnerabilities.  The Firewall Premium features require a connection to a WordPress.com account and a plan that has a Scan feature, […]
  • Use MainWP Extensions for Jetpack Protect and Scan - Scan and fix multiple WordPress websites from a centralized dashboard, combining the power of Jetpack and MainWP. This article is only for customers using MainWP alongside Jetpack. If you’re not using MainWP, please see our general documentation about Jetpack Scan. The Jetpack Protect Extension for MainWP To use the Jetpack Protect Extension for MainWP, you […]
  • Getting Started with the Jetpack Protect Plugin - The Jetpack Protect plugin is a free security plugin for WordPress that scans your site and warns you about vulnerabilities, keeping your site one step ahead of security threats and malware. What do I need to run Jetpack Protect on my site? Installing Jetpack Protect Installing Jetpack Protect can be done from your site’s WP […]

Are you blocked from accessing your dashboard?

Use one of the three methods described here to unblock yourself.

Troubleshooting

Still need help?

Please contact support directly. We’re happy to advise.

Comments Off on Security Features

Monitor your site’s uptime and downtime

Posted on November 21, 2013 by paulinahetman

Jetpack’s downtime monitor continuously watches your website and alerts you the moment that downtime is detected.

Activate/Deactivate Downtime Monitoring

Once Jetpack’s Downtime Monitor is activated, one of our servers will start checking your site every five minutes.  If it looks like something’s gone awry, we’ll fire off a notification to the WordPress.com account that Jetpack is connected to. For more information and FAQs, please see our features page.

You or additional admin users connected to Jetpack can activate or deactivate the feature from your WordPress.com dashboard:

  1. Go to WordPress.com dashboard: Settings  Security
  2. Toggle notifications on or off about your site going offline.
  3. Choose if you want alerts via email and/or WordPress.com notifications.

Emails

When downtime monitoring is activated, downtime notification emails will be sent to the user(s) who have enabled them in their WordPress.com security settings.

If you’d like to add something to your email filters to make sure these notification emails never get sent to spam, they’ll all be coming from support+monitor AT jetpack DOT com.

If you are still getting downtime notifications for a site you no longer manage, please contact support.

Push notifications from WordPress.com

You can now receive notifications about your site being down on the web through WordPress.com and/or push notifications on mobile (Android and iOS) for both Jetpack and WordPress apps. 

In order to enable this feature from the web:

  1. Head to https://wordpress.com/settings/security/.
  2. Select your site.
  3. Enable “Send notifications via WordPress.com notification”.

In order to enable this feature from the apps (Android and iOS, Jetpack and WordPress), go to:

  1. My Site.
  2. Jetpack Settings.
  3. Enable “Send push notifications”.

Types of Jetpack Monitor notifications

Downtime alert, but site is up

Is your site up and running properly, but you’re receiving ‘site down’ notifications?

This can happen for different reasons, and the content of the Notification emails should tell you more.

Your site is responding intermittently, or extremely slowly.

If your site can’t be loaded in 20 seconds, we consider it as inaccessible. This may happen if you’re on shared hosting, where your bandwidth is shared with many other websites, or if you have a lot of resources loading on your home page; this will slow your site down.

In some cases this problem may be temporary. If you get just one notification and then your site loads quickly without any problem, it may have already been resolved.

Our requests are being redirected too many times.

If this happens, make sure your site URL is properly set up and that you don’t use any redirection plugins that may cause issues.

Jetpack is blocked.

Make sure your hosting service isn’t blocking our monitoring agent. The user agent that we’re sending along with the HEAD requests should be jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com). If it’s still not going through properly, please contact support.

The server does not respond.

If your theme or one of your plugins creates 500 errors, also known as Fatal Errors, readers won’t be able to access your site and we will send you an email to let you know.

Status Alerts

At the bottom of the Notification email we send, there is a reference number that can provide more information. It will be something like [23454191/server].

The number is our internal I.D. for your site. The second part is the status which is being returned. These are based on the HTTP response code to the HTTP HEAD request to your site’s home page:

  • “server” — a 5xx response, meaning the server had some type of fatal error.
  • blocked” — a 403 response, meaning the server replied that we were forbidden from viewing the home page.
  • client” — a 4xx response (other than 403), suggesting a similar server-side setting disabling access.
  • intermittent” — the request timed out without a response after 10 seconds. This case is one that can be confusing, since the site may actually be loading, just really slow. This one is also most likely to self-resolve–if the site is on a shared host and another site on the server is using too many resources, it could cause the other sites on the server to respond slowly. Note that our primary monitor server and the multiple verifying servers would all be seeing this for us to mark the site down.
  • redirection” — a 3xx response. Monitor will follow a few redirects, but if we’re asked to follow a fourth redirect, we assume there is a problem. Realistically, the suggests a redirect loop, but could be a relatively poor setup (e.g. example.com -> http://www.example.com -> http://www.example.com/en/ -> http://www.example.com/en/blog/ would be seen as down).
  • success” — a normal response. Everything worked. This should only be seen on the follow-up “Your site is back up!” e-mail.
  • unknown” — this shouldn’t ever happen. It suggests our monitoring service didn’t send an expected response to WordPress.com.

How does this work behind the scenes?

When we check your site, we ping your site’s homepage (via a HTTP HEAD request) every five minutes.

We tentatively mark your site as down if the HTTP response code is 400 or greater, which indicates either a permissions error or a fatal code error is prohibiting your site from appearing to visitors, or we see more than three 300-series redirects, suggesting a redirect loop, or if your site fails to respond within 20 seconds.

Once it is tentatively marked down, we then spin up three separate servers in geographically different locations from a third-party vendor to ensure the problem is not isolated to our network or the location of our primary datacenter.

If all three checks fail, we mark the site as down and notify you.

Note: Jetpack uses the timezone set in your WordPress settings (Settings > General)

Privacy Information

Downtime Monitoring is deactivated by default. You can activate it from your WordPress.com dashboard under Settings  Security.

Data Used
Site Owners / Users

Site owner’s local user ID, WordPress.com user ID, email address, WordPress.com-connected blog ID, and the date of the last downtime status change.

Additionally, for activity tracking (detailed below): IP address, WordPress.com user ID, WordPress.com username, WordPress.com-connected site ID and URL, Jetpack version, user agent, visiting URL, referring URL, timestamp of event, browser language, country code.

 Site Visitors

None.
Activity Tracked
Site Owners / Users

We track when, and by which user, the feature is activated and deactivated. We also track when, and which, configuration settings are modified.

 Site Visitors

None.
Data Synced (Read More)
Site Owners / Users

We sync options that identify whether or not the feature is activated and how its available settings are configured.

 Site Visitors

None.
Comments Off on Monitor your site’s uptime and downtime

  • Enter your email address to follow this blog and receive news and updates from Jetpack!

    Join 112.5K other subscribers

  • Browse by Topic