Allowing IP addresses in WordPress enables you to control who can (or cannot) access your website.
This article covers how to allowlist IPs for Jetpack, Jetpack VaultPress Backup, and the older VaultPress, and shows our hosting requirements.
An allowlist is a list of IP addresses or domains that are granted privileged access or treatment. It is the opposite of a blocklist, which is intended to block or restrict access. Some hosts may use other terms for the list of allowed IPs on their systems. If you have questions, contact your host's support for more information.
Allow all Communications Between Jetpack and WordPress.com
Some hosts and plugins believe that blocking access to xmlrpc.php will stop various hacking attempts. However, XML-RPC support has been built into WordPress core since version 3.5 and is a stable tool. Jetpack, like other plugins, services, and mobile apps, relies on the XML-RPC file to communicate with WordPress.com. If this is blocked, your Jetpack connection will stop working properly. You can read more about how Jetpack uses xmlrpc.php.
You should be able to protect a site’s XML-RPC file without having to allow specific IP ranges. The most popular hosts use tools like fail2ban or ModSecurity, for example.
If you’d prefer to use an allowlist, you’ll need to allow these IP ranges:
- 122.248.245.244/32
- 54.217.201.243/32
- 54.232.116.4/32
- 192.0.80.0/20
- 192.0.96.0/20
- 192.0.112.0/20
- 195.234.108.0/22
Important: These IP addresses are subject to change. If you are writing IP-based firewall rules, you’ll need to update those rules any time the addresses change. We also have machine-readable versions of these IP ranges in JSON and plain text format that you can use to automate configuration changes on your systems.
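The following is an added example, not code from Jetpack: it validates the ranges listed above, merges adjacent ones, and renders them as allow rules for xmlrpc.php. The nginx output format and all function names are assumptions of this example; the ranges are embedded as copied from this page and must be refreshed whenever they change.

```python
import ipaddress

# Ranges copied from the list on this page; they are subject to change.
PAGE_RANGES = """\
122.248.245.244/32
54.217.201.243/32
54.232.116.4/32
192.0.80.0/20
192.0.96.0/20
192.0.112.0/20
195.234.108.0/22
"""

def parse_ranges(text):
    """Parse one CIDR per line; reject typos such as host bits set in a prefix."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # tolerate comments and blank lines
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from exc
    return nets

def collapse(nets):
    """Merge adjacent or overlapping ranges so the firewall carries fewer rules."""
    merged = []
    for version in (4, 6):   # collapse_addresses() refuses mixed IP versions
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return merged

def is_allowed(ip, nets):
    """True if the source address falls inside any allowlisted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def nginx_xmlrpc_rules(nets):
    """Render allow/deny lines for an nginx location (assumed target, not from the page)."""
    body = [f"    allow {net};" for net in nets] + ["    deny all;"]
    # The site's existing PHP handler directives still belong inside this block.
    return "\n".join(["location = /xmlrpc.php {", *body, "}"])

if __name__ == "__main__":
    allow = collapse(parse_ranges(PAGE_RANGES))
    print(nginx_xmlrpc_rules(allow))
    for src in ("192.0.101.7", "203.0.113.10"):   # constructed sample addresses
        print(src, "allowed" if is_allowed(src, allow) else "denied")
```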
Using Jetpack with Cloudflare and/or Sucuri
By default, Cloudflare and Jetpack should require no additional configuration to operate together if there are no additional security configurations specified with Cloudflare.
If you are using Cloudflare (with additional security rules) or Sucuri, you will need to manually add Jetpack’s IPs.
View the list of IP Ranges Cloudflare and Sucuri Accept
If you are using Cloudflare, it also supports allowing only traffic that comes from servers with a specific ASN (autonomous system number). To configure that, you can allow access to 2635.
Jetpack VaultPress Backup / Older VaultPress
The entire IP range from 192.0.64.1 ~ 192.0.127.254 needs to be added to the allowlist.
- CIDR Notation: 192.0.64.0/18
- GoDaddy Firewall & Sucuri use CIDR Notation.
- Wordfence: 192.0.[64-127].[1-254]
Find more information that can be useful to server administrators and hosting providers on our Hosting Reference Documentation page.