Add an essential layer of protection to your site with Jetpack Firewall: it raises your site's security level even while attackers are actively exploiting unpatched vulnerabilities.
Jetpack Firewall is a web application firewall (WAF) that examines incoming traffic to your site and decides to allow or block it based on various rules. It requires a connection to a WordPress.com account in order to work; the Automatic firewall protection is a premium feature included in these paid plans: Jetpack Security, Jetpack Complete, or Jetpack Scan.
Jetpack Firewall can be used with and without the Jetpack Protect plugin. If you don’t have Jetpack Protect active, your interface will look different, so please refer to the Jetpack WAF (Web Application Firewall) article instead.
Check also the requirements for Jetpack Protect.
Activate Jetpack Firewall with Jetpack Protect
- Install and activate the Jetpack Protect plugin.
- Once activated, you can select a paid or a free plan.
With the free plan, you can add manual rules to block or allow specific IP addresses from accessing your site. The free plan also includes Brute Force Protection and security scans.
With the paid plan, you additionally get automatic firewall rules that identify and block harmful requests. You also get enhanced scans with one-click auto-fixes, threat history, notifications, and severity labels.
- After choosing a plan, you will be redirected to the Jetpack Protect page (Jetpack → Protect) and see the first scan started.
- Click the Firewall tab in Jetpack → Protect.
Configure Jetpack Firewall with Jetpack Protect
Jetpack Firewall comes with the following options:
- Automatic firewall protection. This option requires a paid plan: Jetpack Security, Jetpack Complete, or Jetpack Scan. Your site will be protected using an always-up-to-date list of automatic rules.
- Brute force protection. This option is active by default. It prevents bots and hackers from attempting to log in to your website with common username and password combinations. You can read more on the Protect your site with brute force protection documentation page.
- Block IP addresses.
- Trusted IP addresses.
- Share basic data with Jetpack: you allow Jetpack to collect basic data from blocked requests to improve firewall protection and accuracy. You can check Jetpack Privacy before you set this option.
- Share detailed data with Jetpack: you allow Jetpack to collect detailed data from blocked requests to improve firewall protection and accuracy. You can check Jetpack Privacy before you set this option.
Block specific IP addresses from accessing your site
You can stop specific visitors from accessing your site by their IP address. To add IP addresses to the block list:
- Navigate to Jetpack → Protect and select the Firewall tab.
- Toggle on Block IP Addresses.
- Enter IP addresses. Separate IPs with commas, spaces, or new lines. IPv4 and IPv6 are supported. To specify a range, use CIDR notation (e.g. 12.12.12.0/24) or enter the low value and high value separated by a dash (e.g. 12.12.12.0–12.12.12.255).
- Click Save block list.
Currently, if your site is hosted by Pressable, you will not see this option in your Jetpack settings. If you need to block IP addresses on a Pressable-hosted site, you will need to implement a custom-redirects file by following the guidance in Pressable’s documentation. The snippet is provided below, but assistance with custom code beyond what is provided in this documentation is outside our scope of support:
<?php
// Client IP addresses to refuse; replace the placeholders with real addresses.
$deny = array( 'ADD-IP-HERE', 'ADD-IP-HERE', 'ADD-IP-HERE' );
// REMOTE_ADDR is the address that connected to PHP; behind a proxy or CDN it may be the proxy's address, not the visitor's.
if ( in_array( $_SERVER['REMOTE_ADDR'], $deny, true ) ) {
header( 'HTTP/1.0 404 Not Found' ); // answer blocked visitors with a 404 and stop here
exit;
}
Add always-allowed IP addresses to your security settings
You can prevent Jetpack’s security features from blocking specific IP addresses. This will apply to both brute force protection and firewall rules. To add IP addresses to the allowlist:
- Navigate to Jetpack → Protect and select the Firewall tab.
- Toggle on Trusted IP addresses.
- Enter IP addresses. Separate IPs with commas, spaces, or new lines. IPv4 and IPv6 are supported. To specify a range, use CIDR notation (e.g. 12.12.12.0/24) or enter the low value and high value separated by a dash (e.g. 12.12.12.0–12.12.12.255).
- Click Save allow list.
The Trusted IP addresses section displays your current IP address. You can add it to the list by clicking the Add to Allow List button.
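As an added example (not Jetpack's own code), the following Python sketch parses the list syntax described above for both the block list and the allow list and decides a request the way the two sections describe, with trusted IPs never being blocked. The function names and the sample addresses are assumptions.

```python
import ipaddress
import re

# Entries are separated by commas, spaces or new lines. Because whitespace is a
# separator, a low–high range must be written without spaces around the dash.
_SEPARATORS = re.compile(r"[,\s]+")
_RANGE_DASH = re.compile(r"[-\u2013]")  # plain hyphen or en dash


def parse_ip_list(text):
    """Return (low, high) address pairs for every entry in the list text."""
    entries = []
    for raw in _SEPARATORS.split(text.strip()):
        if not raw:
            continue
        if "/" in raw:
            # CIDR block, IPv4 or IPv6; strict=False tolerates host bits set.
            net = ipaddress.ip_network(raw, strict=False)
            entries.append((net[0], net[-1]))
        elif _RANGE_DASH.search(raw):
            low_s, high_s = _RANGE_DASH.split(raw, maxsplit=1)
            low = ipaddress.ip_address(low_s)
            high = ipaddress.ip_address(high_s)
            if low.version != high.version or low > high:
                raise ValueError(f"invalid range: {raw}")
            entries.append((low, high))
        else:
            addr = ipaddress.ip_address(raw)
            entries.append((addr, addr))
    return entries


def ip_matches(ip, entries):
    """True if ip falls inside any entry (IPv4 and IPv6 never compare)."""
    addr = ipaddress.ip_address(ip)
    return any(low.version == addr.version and low <= addr <= high
               for low, high in entries)


def firewall_decision(client_ip, allow_text, block_text):
    """Trusted IPs take precedence; then the block list; else pass through."""
    if ip_matches(client_ip, parse_ip_list(allow_text)):
        return "allow"
    if ip_matches(client_ip, parse_ip_list(block_text)):
        return "block"
    return "pass"


if __name__ == "__main__":
    # Constructed sample lists using documentation address ranges.
    block = "203.0.113.5, 198.51.100.0/24\n192.0.2.10–192.0.2.20 2001:db8::/32"
    print(firewall_decision("198.51.100.77", "198.51.100.77", block))  # allow
```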
Enable standalone mode for Jetpack Firewall
Standalone mode allows Jetpack Firewall to run before WordPress is initialized, offering the highest level of protection. However, enabling this mode requires updating your server configuration.
To enable standalone mode, set the auto_prepend_file PHP directive to point to wp-content/jetpack-waf/bootstrap.php. This directive is typically configured in either your site’s .htaccess file or the global PHP configuration.
For example, on an Apache server, you might add the following line at the top of your .htaccess file:
php_value auto_prepend_file "/full/path/to/wp-content/jetpack-waf/bootstrap.php"
Important notes:
- The auto_prepend_file directive requires an absolute path, not a relative one.
- Some hosting providers block certain PHP directives in .htaccess, or configure Apache in a way that prevents users from overriding settings via their own .htaccess files.
- The php_value directive is not supported on Apache servers running PHP-FPM.
We strongly recommend contacting your hosting provider for help applying standalone mode for Jetpack Firewall.
Remember to remove this configuration when you turn off Firewall or uninstall Jetpack.
Troubleshooting Jetpack Firewall
What happens if I don’t renew my Scan subscription?
Any rules delivered to the site will remain functional after your Jetpack Scan subscription lapses or is removed.
Can I use the IP allow and block lists behind a reverse proxy, such as Cloudflare?
The IP allowlists and blocklists currently have no way to configure trusted proxies and trusted headers, and thus won't work behind any sort of reverse proxy or load balancer setup: the address the firewall sees is the proxy's, not the visitor's.
My site went down after I activated the Firewall feature.
If you need to deactivate the firewall without access to the Jetpack settings screen, you can:
- Modify your wp-config.php: add the line define( 'DISABLE_JETPACK_WAF', true ); to your wp-config.php file.
- Use WP-CLI: if you have WP-CLI installed, use the command wp jetpack-waf teardown
Still need help?
Please contact support. We’re happy to advise.
Privacy Information
The Jetpack Firewall is deactivated by default. You can activate the feature by visiting the Jetpack Protect dashboard and clicking the toggle in the Firewall tab.
| Data Used | |
|---|---|
| Site Owners / Users: This feature evaluates the incoming HTTP requests and blocks them if they're considered malicious. User data is used to authenticate some of our APIs. Installed themes and plugins and WordPress version are used to know which versions we should check against the WPScan API in the free version of the WAF. | Site Visitors: None. |
| Activity Tracked | |
| Site Owners / Users: If the Share data with Jetpack checkbox is selected, we track which rules caused a request to be blocked. We don't track actual request data with this option. Jetpack Firewall also tracks when settings in the Firewall settings are turned on or off. If the Share data with Jetpack checkbox is selected, we track the following data of requests that trigger a WAF block: | Site Visitors: None. |
| Data Synced (Read More) | |
| Site Owners / Users: Information about users/admins, installed themes and plugins, and WordPress version. | Site Visitors: None. |
For general features and FAQs, please see our Jetpack Security features.