
Jetpack Firewall in the Jetpack Protect Plugin

Jetpack Firewall examines incoming traffic to your site and decides to allow or block it based on various rules. This adds an important layer of protection to your site, particularly when attackers actively exploit unpatched vulnerabilities. 

The Firewall Premium features, which allow or block incoming traffic based on various rules, require a connection to a WordPress.com account and a plan that has a Scan feature, like Jetpack Security, Jetpack Complete, or Jetpack Scan.

Activate Jetpack Firewall

1. Install and activate the Jetpack Protect plugin. 

2. Once activated, you can select either a paid or a free plan.

The free plan supports manual rules only, which let you block or allow specific IP addresses from accessing your site. It also includes Brute Force Protection. The paid plan offers automatic firewall rules that identify and block harmful requests.

3. After choosing a plan, you will be redirected to the Jetpack Protect page and see the first scan started.

Upon choosing the plan, Jetpack Protect will start the initial scan of your website.

4. To access Jetpack Firewall settings, you can click the Firewall tab inside the Protect settings page, or navigate to Jetpack → Protect.

The free plan allows for the use of Jetpack’s Brute Force Attack Prevention and manual rules. The Automatic rules option requires a paid plan.

With the free plan, the automatic rules option is not accessible and only manual rules can be applied.

Upgrading to a paid plan will enable the automatic rules.

With the paid plan, automatic rules are applied.

To add manual rules, use the toggle to turn on the feature. When enabled, an “Edit manual rules” button will be displayed on the right side. Click the button and a new modal will be displayed where manual rules can be edited. You can add IP addresses to your block / allow list by entering complete IP addresses, separated by commas. Adding IP ranges or IP addresses in CIDR notation is not currently supported. Once you’ve entered IP addresses into your block / allow list, click on Save Settings to save your block / allow list.

Edit manual rules by adding specific IP addresses to the allow or block list.
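
The following pre-check for a manual rules list is an added example, not Jetpack's own code. It applies the constraints stated above (complete IP addresses, comma-separated, no ranges or CIDR) before you paste a list into the modal. Accepting IPv6 addresses and flagging addresses that appear in both lists are assumptions of this example; the page does not cover either.

```python
import ipaddress


def check_manual_rules(raw):
    """Split a comma-separated rule list into (accepted, rejected).

    accepted: normalised, de-duplicated complete IP addresses, in input order.
    rejected: (entry, reason) pairs for entries the manual rules do not support.
    """
    accepted, rejected, seen = [], [], set()
    for entry in (part.strip() for part in raw.split(",")):
        if not entry:
            continue  # tolerate trailing commas and blank items
        if "/" in entry:
            rejected.append((entry, "CIDR notation is not supported"))
        elif "-" in entry:
            rejected.append((entry, "IP ranges are not supported"))
        else:
            try:
                # Assumption: IPv4 and IPv6 are both treated as valid here.
                ip = str(ipaddress.ip_address(entry))
            except ValueError:
                rejected.append((entry, "not a complete IP address"))
                continue
            if ip not in seen:
                seen.add(ip)
                accepted.append(ip)
    return accepted, rejected


def conflicts(allow_raw, block_raw):
    """Addresses present in both lists; resolve these before saving."""
    allow, _ = check_manual_rules(allow_raw)
    block, _ = check_manual_rules(block_raw)
    return sorted(set(allow) & set(block))


# Constructed sample input using documentation-only address ranges.
ALLOW = "203.0.113.10, 2001:db8::1, 198.51.100.0/24"
BLOCK = "192.0.2.7,192.0.2.7, 192.0.2.10-192.0.2.20, 203.0.113.10, 10.0.0"

if __name__ == "__main__":
    for name, raw in (("allow", ALLOW), ("block", BLOCK)):
        ok, bad = check_manual_rules(raw)
        print(name, "->", ",".join(ok))
        for entry, reason in bad:
            print("  rejected:", entry, "-", reason)
    print("in both lists:", conflicts(ALLOW, BLOCK))
```
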

Privacy Information

The Jetpack firewall is deactivated by default. You can activate the feature by visiting the Jetpack Protect dashboard and clicking the toggle in the firewall tab.

Data Used
Site Owners / Users

This feature evaluates the incoming HTTP requests and blocks them if they’re considered malicious.

User data is used to authenticate some of our APIs. The installed themes and plugins and the WordPress version are used to determine which versions we should check against the WPScan API in the free version of the WAF.
Site Visitors

None.
Activity Tracked
Site Owners / Users

If the Share data with Jetpack checkbox is selected we track which rules caused a request to be blocked. We don’t track actual request data with this option.

Jetpack Firewall also tracks when settings in the Firewall settings are turned on or off.

If the Share data with Jetpack checkbox is selected we track the following data of requests that trigger a WAF block:
  • Information about the rule that triggered the block
  • Request URI
  • User agent
  • Referer
  • Content type
  • GET params
If the Share detailed data with Jetpack checkbox is selected we also track the following data for requests that triggered the block alongside the previously mentioned data:
  • POST params
  • Header data
Site Visitors

None.
Data Synced
Site Owners / Users

Information about users/admins, installed themes and plugins, and WordPress version.
Site Visitors

None.

For general features and FAQs, please see our Jetpack Security features.
