Jetpack Firewall examines incoming traffic to your site and decides to allow or block it based on various rules. This adds an important layer of protection to your site, particularly when attackers actively exploit unpatched vulnerabilities.
The Firewall Premium features require a connection to a WordPress.com account and a plan that has a Scan feature, like Jetpack Security, Jetpack Complete, or Jetpack Scan, to allow or block incoming traffic based on various rules.
Activate Jetpack Firewall
1. Install and activate the Jetpack Protect plugin.
2. Once activated, you can select either a paid or a free plan:

The free plan allows manual rules only to be used, providing the ability to block or allow specific IP addresses from accessing your site. The paid plan offers automatic firewall rules that identify and block harmful requests.
3. After choosing a plan, you will be redirected to the Jetpack Protect page and see the first scan started:

4. To access Jetpack Firewall settings, you can click the Firewall tab inside the Protect settings page, or navigate to Jetpack → Protect.
The free plan allows for the use of Jetpack’s Brute Force Attack Prevention and manual rules. The Automatic rules option requires a paid plan.

Upgrading to a paid plan will enable the automatic rules:

To add manual rules, use the toggle to turn on the feature. When enabled, an “Edit manual rules” button will be displayed on the right side. Click the button and a new modal will be displayed where manual rules can be edited. You can add IP addresses to your block / allow list by entering complete IP addresses, separated by commas. Adding IP ranges or IP addresses in CIDR notation is not currently supported. Once you’ve entered IP addresses into your block / allow list, click on Save Settings to save your block / allow list.
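Because the manual rules field only takes complete IP addresses separated by commas, it helps to check a list before pasting it in. The following is an added example, not part of Jetpack or its documentation: the function names and the sample addresses are constructed for illustration, and it assumes a range would be written with a hyphen.

```python
import ipaddress

def check_list(raw):
    """Split a comma-separated list and return (accepted, rejected).

    accepted: de-duplicated complete IP addresses, in normalised form.
    rejected: (entry, reason) pairs for ranges, CIDR blocks and anything
    that is not a complete IP address.
    """
    accepted, rejected = [], []
    for entry in (e.strip() for e in raw.split(",")):
        if not entry:
            continue  # tolerate trailing commas and empty items
        if "/" in entry:
            rejected.append((entry, "CIDR notation is not supported"))
            continue
        if "-" in entry:  # assumption: ranges are written start-end
            rejected.append((entry, "IP ranges are not supported"))
            continue
        try:
            ip = str(ipaddress.ip_address(entry))
        except ValueError:
            rejected.append((entry, "not a complete IP address"))
            continue
        if ip not in accepted:
            accepted.append(ip)
    return accepted, rejected

def overlap(block_raw, allow_raw):
    """Addresses that appear in both lists and need a decision."""
    block, _ = check_list(block_raw)
    allow, _ = check_list(allow_raw)
    return sorted(set(block) & set(allow))

# Constructed sample input using documentation-reserved addresses.
BLOCK = "203.0.113.7, 198.51.100.0/24, 192.0.2.10-192.0.2.20, 203.0.113.7, 10.0.0"
ALLOW = "192.0.2.55, 203.0.113.7"

if __name__ == "__main__":
    ok, bad = check_list(BLOCK)
    print("paste-ready block list:", ", ".join(ok))
    for entry, reason in bad:
        print(f"rejected {entry!r}: {reason}")
    print("in both lists:", overlap(BLOCK, ALLOW))
```

Rejected CIDR blocks and ranges have to be entered as individual addresses, and an address reported in both lists should be removed from one of them before saving.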

Privacy Information
This feature is deactivated by default. You can activate the feature by visiting the Jetpack Protect dashboard and clicking the toggle in the firewall tab.
| | Site Owners / Users | Site Visitors |
|---|---|---|
| Data Used | This feature evaluates the incoming HTTP requests and blocks them if they’re considered malicious. User data is used to authenticate some of our APIs. Installed themes and plugins and WordPress version are used to know which versions we should check against the WPScan API in the free version of the WAF. | None. |
| Activity Tracked | If the Share data with Jetpack checkbox is selected we track which rules caused a request to be blocked. We don’t track actual request data with this option. Jetpack Firewall also tracks when settings in the Firewall settings are turned on or off. | None. |
| Data Synced (Read More) | Information about users/admins, installed themes and plugins, and WordPress version. | None. |
For general features and FAQs, please see our Jetpack Security features.