
Jetpack WAF (Web Application Firewall)

Looking for more information about using the WAF with the Jetpack Protect plugin? See our article about the Jetpack Protect Plugin.

Jetpack’s WAF (Web Application Firewall) examines incoming traffic to a WordPress site and decides to allow or block it based on various rules. This adds an important layer of protection to your site, particularly when attackers actively exploit unpatched vulnerabilities.

With the WAF, you can configure IP addresses that will never be blocked (even if a rule would normally) or always be blocked (regardless of the rules). To allow or block incoming traffic based on various rules, you will need a plan that includes Jetpack Scan, such as Jetpack Security, Jetpack Complete, or Jetpack Scan, and a connection to your WordPress.com account.

If you previously had a Jetpack plan that includes Jetpack Scan and/or your site becomes disconnected from your WordPress.com account, you will continue to have access to the firewall settings in your Jetpack dashboard. This is to ensure that your IP allow/block lists and previous firewall rules remain functional.

Turning on the firewall

This feature is deactivated by default when you connect Jetpack to your WordPress.com account. It can be activated at any time on your Jetpack Settings page. To enable Jetpack WAF:

  1. Select Jetpack → Settings → Security → Firewall in your site’s WP Admin
  2. Enable Protect your site with Jetpack’s Web Application Firewall

How do I update the firewall options?

To add IP addresses to a block/allow list:

  1. Select Jetpack → Settings → Security → Firewall in your site’s WP Admin
  2. Enable Allow / Block list – Block or allow a specific request IP

You can add IP addresses to your block / allow list by entering complete IP addresses, separated by commas. Adding IP ranges or IP addresses in CIDR notation is not supported at the moment.

Once you’ve entered IP addresses to your block / allow list, click on Save Settings to save your block / allow list.

These are the firewall options:

  • Allow / Block list – Block or allow a specific request IP: This option allows you to add an IP blocklist and IP allowlist to your site.
  • Share data with Jetpack: This option allows Jetpack to collect data to improve the firewall protection and rules. You can check Jetpack Privacy before you set this option.
  • Enhance Protection: You don’t need to activate Enhance Protection; however, it lets the firewall inspect all requests and run before WordPress initializes. To activate it, contact your hosting support, because the change has to be made at the server level.

Upgrade notification

If you don’t have a Scan subscription yet, a notification will show on your firewall options. After upgrading, the notification disappears.

Troubleshooting

What happens if I don’t renew my subscription?

Any rules delivered to the site will remain functional after the subscription lapses or is removed.

Can I use the IP allow and block lists behind a reverse proxy (like Cloudflare)?

The IP allowlists/blocklists currently have no way to configure trusted proxies and trusted headers and thus won’t work behind any sort of reverse proxy or load balancer setup.

My site went down after I activated the Firewall feature.

If you need to deactivate the firewall without access to the Jetpack settings screen, you can:

  • Modify your wp-config.php: add the line define( 'DISABLE_JETPACK_WAF', true ); to your wp-config.php file
  • Use WP-CLI: if you have WP-CLI installed, use the command wp jetpack-waf teardown
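An added example (not Jetpack’s own code) that performs the wp-config.php recovery step above from a shell: it inserts the DISABLE_JETPACK_WAF constant ahead of WordPress’s "stop editing" marker so it is defined before wp-settings.php loads, falls back to appending when the marker is absent, backs the file up first, and is safe to run twice. The path argument and the helper names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the Jetpack documentation.
# Disables the Jetpack WAF by defining DISABLE_JETPACK_WAF in wp-config.php
# when the Jetpack settings screen cannot be reached.

WAF_DEFINE="define( 'DISABLE_JETPACK_WAF', true );"

# Usage: disable_jetpack_waf /path/to/wp-config.php
disable_jetpack_waf() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    # Idempotent: leave a file that already carries the constant untouched.
    if grep -q "DISABLE_JETPACK_WAF" "$cfg"; then
        echo "DISABLE_JETPACK_WAF already present in $cfg"
        return 0
    fi
    # Keep a backup so the edit can be reverted by hand.
    cp "$cfg" "$cfg.bak" || return 1
    if grep -q "stop editing" "$cfg"; then
        # Insert the define directly before the first "stop editing" marker,
        # i.e. before require_once of wp-settings.php, where constants belong.
        awk -v def="$WAF_DEFINE" \
            '!done && /stop editing/ { print def; done=1 } { print }' \
            "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        # No marker (non-standard config): append so PHP still reads it.
        printf '%s\n' "$WAF_DEFINE" >> "$cfg"
    fi
}

# Returns 0 when the given wp-config.php defines DISABLE_JETPACK_WAF as true.
waf_disabled_in() {
    grep -q "define( 'DISABLE_JETPACK_WAF', true );" "$1"
}
```

Re-enable the firewall later by removing the line again (and deleting the .bak copy once you are satisfied).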

Still need help?

Please contact support directly. We’re happy to advise.

Privacy Information

This feature is deactivated by default. It can be activated at any time at Jetpack → Settings → Security → Firewall and by clicking on Protect your site with Jetpack’s Web Application Firewall.

Data Used

Site Owners / Users

This feature evaluates the incoming HTTP requests and blocks them if they’re considered malicious.

User data is used to authenticate some of our APIs. Installed themes and plugins and WordPress version are used to know which versions we should check against the WPScan API in the free version of the WAF.

Site Visitors

None.

Activity Tracked

Site Owners / Users

If the Share data with Jetpack checkbox is selected we track which rules caused a request to be blocked. We don’t track actual request data with this option.

Jetpack Firewall also tracks when settings in the Firewall settings are turned on or off.

If the Share data with Jetpack checkbox is selected we track the following data of requests that trigger a WAF block:

  • Information about the rule that triggered the block
  • Request URI
  • User agent
  • Referer
  • Content type
  • GET params

If the Share detailed data with Jetpack checkbox is selected we also track the following data for requests that triggered the block alongside the previously mentioned data:

  • POST params
  • Header data

Site Visitors

None.

Data Synced (Read More)

Site Owners / Users

Information about users/admins, installed themes and plugins, and WordPress version.

Site Visitors

None.

For general features and FAQs, please see our Jetpack Security features.
