This feature can be enabled by switching on “Brute force attack protection” at Jetpack → Settings → Security in your site’s wp-admin Dashboard.
For issues with Protect, visit the troubleshooting section.
Jetpack Protect allows you to protect yourself against traditional brute force attacks and distributed brute force attacks that use many servers against your site.
Jetpack’s botnet security features work automatically when you install Jetpack and connect Jetpack to your WordPress.com account. With botnet protection in place via Jetpack Protect, your site will block unwanted login attempts.
You can view a count of attacks to your site with a widget in your self-hosted site’s dashboard.
Let’s look into what we can do for your Jetpack sites from this new interface.
Settings
Whitelisting may be necessary if you’ve made too many failed log in attempts to your site. There are three methods for whitelisting your IP address:
- If you have access to your site and you’ve not been blocked, you can enter your IP or IPv6 address(es) by going to Jetpack → Settings → Security → Brute force attack protection.
- If you are blocked from entering your site, you can enter the IP or IPv6 address(es) via WordPress.com by visiting My Sites → Manage → Settings → Security → Prevent brute force login attacks.
- You can also whitelist one IP address by setting it as the
JETPACK_IP_ADDRESS_OKconstant in your wp-config.php like this:define('JETPACK_IP_ADDRESS_OK', 'X.X.X.X');
You can find your IP by visiting any of the following sites:
Troubleshooting Information and FAQs
Are you unable to enable the Protect module on your site? Check these tips to find out why.
Why am I seeing a math captcha on my login page?
The math captcha is used as a fallback for the protect feature. If your IP has been blocked due to too many failed login attempts, you may still access your site by correctly filling out the math captcha along with the correct login credentials. In very rare cases, you might see the captcha if you’ve not obtained an API key or during times of very heavy attacks.
How long is an IP blocked?
The length of time is based on a number of factors and is not a set amount of time.
Privacy Information (Protect)
This feature is activated by default. It can be deactivated any time by toggling the Protect setting in the Security section from Jetpack — Dashboard — At a Glance in your dashboard.
More information about the data usage on your site
| Data Used | |
|---|---|
| Site Owners / Users
In order to check login activity and potentially block fraudulent attempts, the following information is used: attempting user’s IP address, attempting user’s email address/username (i.e. according to the value they were attempting to use during the login process), and all IP-related HTTP headers attached to the attempting user. Additionally, for activity tracking (detailed below): IP address, WordPress.com user ID, WordPress.com username, WordPress.com-connected site ID and URL, Jetpack version, user agent, visiting URL, referring URL, timestamp of event, browser language, country code. |
Site Visitors
In order to check login activity and potentially block fraudulent attempts, the following information is used: attempting user’s IP address, attempting user’s email address/username (i.e. according to the value they were attempting to use during the login process), and all IP-related HTTP headers attached to the attempting user. |
| Activity Tracked | |
| Site Owners / Users
Failed login attempts. We track when, and by which user, the feature is activated and deactivated. We also set a cookie ( |
Site Visitors
Failed login attempts. We set a cookie ( |
| Data Synced (Read More) | |
| Site Owners / Users
Options that identify whether or not the feature is activated and how its available settings are configured. We also sync the site’s whitelisted entries (as configured by the site owners), the Protect-specific API key used for login checking, and any failed login attempts, which contain the user’s IP address, attempted username or email address, and user agent information. |
Site Visitors
Failed login attempts, which contain the user’s IP address, attempted username or email address, and user agent information. |
