Support Home > Security > Jetpack Firewall

Jetpack Firewall

The Jetpack Firewall is a web application firewall (known as WAF) designed to protect your WordPress site from malicious requests.

The Jetpack Firewall examines incoming traffic to a WP site and decides to allow or block it based on various rules. This adds an important layer of protection to your site, particularly when attackers actively exploit unpatched vulnerabilities.

On Jetpack Firewall, the user can configure IP addresses that will never be blocked (even if a rule would normally) or always be blocked (regardless of the rules).

Requirements

The Firewall Premium features require a connection to a WordPress.com account and a plan that has a Scan feature, like Jetpack Security, Jetpack Complete, or Jetpack Scan, to allow or block incoming traffic based on various rules.

However, the Firewall option will be visible in the Jetpack dashboard even without connection to a WordPress.com account or a paid plan that has a Scan feature and can be used to block/allow a specific request IP or make any rules delivered to the site remain functional after the subscription lapses/removed.

Activate

This feature is deactivated by default when you connect Jetpack to your WordPress.com account. It can be activated at any time on your Jetpack Settings page.

You can follow these steps to enable Jetpack WAF:

  1. Select Jetpack → Settings → Firewall in your site’s WP Admin
  2. Enable Protect your site with Jetpack’s Web Application Firewall

How to set up the Firewall options?

Here’s how to add IP addresses to a block / allow list:

  1. Select Jetpack → Settings → Firewall in your site’s WP Admin
  2. Enable Allow / Block list – Block or allow a specific request IP

You can add IP addresses to your block / allow list by entering complete IP addresses, separated by commas. Adding IP ranges or IP addresses in CIDR notation is not supported at the moment.

Once you’ve entered IP addresses to your block / allow list, click on Save Settings to save your block / allow list.

These are the Jetpack Firewall options:

  • Allow / Block list – Block or allow a specific request IP: This option allows you to add an IP blocklist and IP allowlist to your site.
  • Share data with Jetpack: This option allows Jetpack to collect data to improve Firewall protection and rules. You can check Jetpack Privacy before you set this option.
  • Enhance Protection:
  • You don’t need to activate Enhance Protection; however, if you want the Firewall feature to be able to inspect all requests and run them before WordPress initializes, this is how:

In case you want to activate the Enhance protection, you need to contact your hosting support to make the changes on the server level.

Upgrade notification

If you don’t have a Scan subscription yet, a notification will show on your Firewall options. After upgrading, the notification disappears.

Troubleshooting

What happens if I don’t renew my subscription?

Any rules delivered to the site will remain functional after the subscription lapses or is removed.

Can I use the IP allow and block lists behind a reverse proxy (like Cloudflare)?

The IP allowlists/blocklists currently have no way to configure trusted proxies and trusted headers and thus won’t work behind any sort of reverse proxy or load balancer setup.

My site went down after I activated the Firewall feature.

If you need to deactivate the firewall without access to the Jetpack settings screen, you can either:

a) add the line define( 'DISABLE_JETPACK_WAF', true ); to your wp-config.php file, or;

b) if you have WP-CLI installed, use the command wp jetpack-waf teardown

Still having trouble?

Please contact support directly. We’re happy to lend a hand and answer any other questions that you may have.

Privacy Information

This feature is deactivated by default. It can be deactivated at any time at Jetpack > Settings > Firewall and by clicking on Protect your site with Jetpack's Web Application Firewall.

If Share data with Jetpack is enabledInformation on the performance of the firewall on your site will be collected and sent to our servers for analysis to improve accuracy and performance. No request data is collected at this time.

For general features and FAQs, please see our Jetpack Security features.

  • Table Of Contents

  • Categories

  • Contact Us

    Need more help? Feel free to contact us.