Protect

Protect yourself against unwanted login attempts and brute force attacks with Jetpack Protect.

Activation

This feature is activated by default when you connect Jetpack to your WordPress.com account. It can be deactivated at any time (even if you’ve been locked out) via your WordPress.com dashboard under the Site Settings page.

Settings

Once activated, you can whitelist IP addresses from the same Site Settings page. Whitelisting may be necessary if you’ve made too many failed login attempts to your site or Jetpack has detected unusual behaviour from your current IP address.

  • Your current IP address is also shown on the page so you can easily add it to your whitelist.
  • Both IPv4 and IPv6 addresses are accepted.

Advanced Tip: You can also whitelist one IP address by setting it as the JETPACK_IP_ADDRESS_OK constant in your wp-config.php like this: define('JETPACK_IP_ADDRESS_OK', 'X.X.X.X');

Dashboards

You can view a count of the “total malicious attacks blocked on your site” under the Security section of your Jetpack dashboard.

Troubleshooting Information

Having trouble with Protect on your site? Check the tips below to find out why.

How long is an IP blocked?

The length of time is based on a number of factors and is not a set amount of time.

Jetpack locked me out. What can I do?

If Jetpack has flagged your IP address for any reason it may block you from logging in. In this case, you’ll see something like this:

[Screenshot: protect-locked]

Enter your email address and hit Send. You will receive an email with a special link you can click to regain access to the login form. If you get an error when clicking the link in the email, you can whitelist your IP address as covered under Settings to unblock yourself. If you are still blocked, it’s likely due to a configuration issue on your server. You can disable Protect to regain access to your site, then contact us for further help with troubleshooting.

Why am I seeing a math captcha on my login page?

The math captcha is used as a fallback for the Protect feature. If your IP has been blocked due to too many failed login attempts, you may still access your site by correctly filling out the math captcha along with the correct login credentials. In very rare cases, you might see the captcha if you’ve not obtained an API key or during times of very heavy attacks.

Jetpack Protect is unable to effectively protect your site because your server is misconfigured

Whenever someone tries to log in to your site, Jetpack’s Protect module looks at that person’s IP address and compares it with our global database of malicious IP addresses.

For this to work properly, we rely on IP addresses stored and provided by your server. Unfortunately in some cases your server may not return any IP address, thus blocking Protect from working properly. When this happens, the Protect module will be disabled and we will let you know.

If that happens, do not hesitate to send a link to this page to your hosting provider, so they can take a look and fix the issue for you. They can also contact us directly via this contact form if they need more information.
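
A hosting provider can check what the server actually exposes with a diagnostic like the one below. This is an added example, not Jetpack's code: the function name `diagnose_client_ip`, the list of header keys and the sample request are assumptions made for illustration.

```php
<?php
// Added diagnostic example, not Jetpack's code. The key list is an assumption:
// commonly seen proxy headers, not the set Jetpack Protect inspects.
const IP_KEYS = ['REMOTE_ADDR', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP', 'HTTP_CLIENT_IP'];

/**
 * Classify every address found under the IP-related keys of a $_SERVER-style array.
 * Returns ['usable' => bool, 'findings' => [[key, value, verdict], ...]].
 */
function diagnose_client_ip(array $server): array
{
    $findings = [];
    $usable = false;
    foreach (IP_KEYS as $key) {
        $raw = trim((string) ($server[$key] ?? ''));
        if ($raw === '') {
            $findings[] = [$key, '', 'missing'];
            continue;
        }
        // X-Forwarded-For may carry a comma-separated chain of addresses.
        foreach (explode(',', $raw) as $candidate) {
            $candidate = trim($candidate);
            $strict = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
            if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
                $verdict = 'not an IP address';
            } elseif (filter_var($candidate, FILTER_VALIDATE_IP, $strict) === false) {
                $verdict = 'private or reserved range';
            } else {
                $verdict = 'public';
                $usable = true;
            }
            $findings[] = [$key, $candidate, $verdict];
        }
    }
    return ['usable' => $usable, 'findings' => $findings];
}

// Constructed sample: a backend behind a proxy that leaves REMOTE_ADDR as the
// proxy's private address and passes the visitor in X-Forwarded-For.
// On a live server, pass $_SERVER instead and write the report to a log.
$sample = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.23, 10.0.0.5'];
$report = diagnose_client_ip($sample);
foreach ($report['findings'] as [$key, $value, $verdict]) {
    printf("%-22s %-18s %s\n", $key, $value, $verdict);
}
echo $report['usable'] ? "A public client IP is available.\n" : "No public client IP found.\n";
```

A public address that appears only in a forwarded header is trustworthy only when a proxy you control sets that header, because clients can send the same headers themselves.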

Protect on Multisite Networks

If you tried to log in to your site multiple times but failed to log in because you had forgotten your password, you may end up being blocked by Jetpack’s Protect module.

In a WordPress Multisite installation, you can log in to any account that exists on the network through any login page on the network. As a result, if you have Jetpack Protect active on some sites but not all, then no site is truly being protected.

To address this, please network enable Jetpack on your multisite installation and activate the Protect feature on the network’s primary site.  Once completed, Jetpack’s Protect feature will be activated on every site on your network, even if Jetpack isn’t connected on those sites.

Protect reports thousands of blocked malicious login attempts

The best way to explain this feature is that there are thousands of “bots” out there trying to gain access to sites all over the internet. No matter what size your site is, there’s always someone or something trying to “break in”. WordPress is very secure and usually the weakest point is someone’s password. Bots consequently try to guess people’s passwords to get in.

Jetpack’s Protect module collects information from failed attempts from millions of sites and protects you from these attacks. For example, if a bot tried to gain access to site A, and then went to site B, Protect would already know who this bot is and before it even tries to get into site B, it would be blocked.

Along with that, it’s also really important to have strong, secure passwords.

Where can I get more information about the blocked attacks?

For example:

  • Which user names need more securing?
  • Is this via wp-login, or via XMLRPC?
  • From which IP addresses do these arrive?
  • When did these occur? Is there a pattern?
  • If these were found, how many more are there that were not detected?

We don’t have access to this information. Jetpack Protect was built to be lean and simple. It’s built in such a way that you don’t have to think about these questions or make any decisions. As such, the only data we store is the total number of attacks blocked.

Privacy Information

This feature is activated by default. It can be deactivated at any time by toggling the Protect setting in the Security section from Jetpack → Dashboard → At a Glance in your dashboard.

For general features and FAQs, please see our Jetpack Security features.

More information about the data usage on your site
Data Used
Site Owners / Users

In order to check login activity and potentially block fraudulent attempts, the following information is used: attempting user’s IP address, attempting user’s email address/username (i.e. according to the value they were attempting to use during the login process), and all IP-related HTTP headers attached to the attempting user.

Additionally, for activity tracking (detailed below): IP address, WordPress.com user ID, WordPress.com username, WordPress.com-connected site ID and URL, Jetpack version, user agent, visiting URL, referring URL, timestamp of event, browser language, country code.

Site Visitors

In order to check login activity and potentially block fraudulent attempts, the following information is used: attempting user’s IP address, attempting user’s email address/username (i.e. according to the value they were attempting to use during the login process), and all IP-related HTTP headers attached to the attempting user.

Activity Tracked
Site Owners / Users

Failed login attempts.

We track when, and by which user, the feature is activated and deactivated. We also set a cookie (jpp_math_pass) for 1 day to remember if/when a user has successfully completed a math captcha to prove that they’re a real human. Learn more about this cookie.

Site Visitors

Failed login attempts.

We set a cookie (jpp_math_pass) for 1 day to remember if/when a user has successfully completed a math captcha to prove that they’re a real human. Learn more about this cookie.

Data Synced (Read More)
Site Owners / Users

Options that identify whether or not the feature is activated and how its available settings are configured. We also sync the site’s whitelisted entries (as configured by the site owners), the Protect-specific API key used for login checking, and any failed login attempts, which contain the user’s IP address, attempted username or email address, and user agent information.

Site Visitors

Failed login attempts, which contain the user’s IP address, attempted username or email address, and user agent information.
