Support Home > Security > Jetpack Scan

Jetpack Scan

In one, centralized location, you can review scan results, fix problems, and restore backups. If Jetpack does notice a problem, you’ll receive an instant email alert so you can fix it right away and get back to running your business. We can even repair the majority of security threats for you with just one click.

How do I get Jetpack Scan?

Jetpack Scan is available to users who have purchased the Jetpack Scan solution. It is also the scan solution that is provided for any new Jetpack Premium or Professional plan purchase.

Note: Once the site is connected to Jetpack Scan, your site will remain on the Jetpack Scan solution, even if you change plan or add a Jetpack Premium or Professional plan – or if you move your site to a new host.

Getting Started

Jetpack Scan is activated and your first scan is kicked off right away.

At the top of your activity log, you will see the following prompt to add remote access/server credentials for your site:

Form to add backup credentials

Clicking on Backup and Scan under the Jetpack options in WP Admin will take you to the Jetpack.com dashboard.

Make sure to authorize your WordPress.com account if you see an authorization prompt.

After opening the Scan page, you will see two interfaces: Scanner and History.

The scanner page provides an at-a-glance reference of the current state of the site. It will either show that the site is looking great, or it will list the currently active threats.

Clicking the Scan now button will start a new scan.

On the history page, you’ll see a list of all threats that the site suffered from in the past. they can be filtered by their fix/ignore status, and ignored threats can be fixed.

Peace of Mind

Once a scan completes, you will receive a notification if any threats are found. These notifications will be in WP Admin, as well as via email and in your WordPress.com dashboard. You’ll see the same icon whether a threat is fixable or not, but if you click to the scanner page you’ll see a button to fix threats.

Clicking the icon in the notification will take you to the Scanner page where you can will see a button to fix the threat. Clicking on the threat will provide more information about what the problem is, and what can be fixed. You will also see an option to ignore the threat. By either ignoring or fixing the threat this will create a history of scan threats that you can now view.

However – some threats cannot be automatically fixed. In that case you will be prompted to contact support.

What data is scanned?

  • All files in the pluginsmu-pluginsthemes, and uploads directories.
  • Select files from your WordPress root directory, like wp-config.php.
  • Other select files inside the wp-content directory.

The files that are scanned include:

How often do scans occur?

Scans occur daily, or when manually triggered.

How do I fix threats?

When a threat is detected, we offer a one-click fix for most problems. In some cases that is not available, and you will be directed to our support team who can help you out from there!

Examples of threats

Changes to Core WordPress Files

We check your WordPress installation to see if any core files have been changed or deleted. Generally, these files should never be changed, so please keep that in mind when working on your site. WordPress functionality can and should be altered by using plugins and themes instead.

If you didn’t make the changes to your core files, you should consider the files suspicious and consider replacing them. If you’re unsure of the changes you see, you can always contact us.

Other Vulnerabilities

Web-based shells give an attacker full access to your server — allowing them to execute malicious code, delete files, make changes to your database, and many more dangerous things.

Shells are usually found in files, and they can be removed by deleting any infected files from your server and replacing them with a clean version from your backup. If you don’t have a clean backup, or have any questions about removing shells, please get in touch.

Outdated or insecure plugins

Plugins that have known security vulnerabilities will be detected by Jetpack Scan. If there’s a newer version that has patched the threat, you can update the plugin with one click. If there is no newer version with a fix, we allow you to delete the plugin from your site.

If you have any questions about security threats or suspicious code, you’re always welcome to contact us.

Privacy Information

This feature is deactivated by default, and requires an upgrade to a paid solution (Jetpack Scan, Jetpack Premium or Jetpack Professional) to unlock/activate.

Data Used
Site Owners / Users

We currently scan the following data: files in your plugins, themes, and uploads directories, as well as select files from your WordPress root directory and `wp-content` directory. This includes all the unique and irreplaceable data in WordPress, as well as everything properly integrated into the WordPress installation. In addition to the data that we scan, we also use (and store) your server access credentials (if provided): SSH and/or FTP/SFTP. These credentials are explicitly provided by you when activating Jetpack Scan.
For feature usage tracking (detailed below): IP address, WordPress.com user ID, WordPress.com username, WordPress.com-connected site ID, user agent, referring URL, timestamp of event, browser language, country code, and user site count.

We may also use scanned content to improve our performance but do not otherwise store it long-term.


Site Visitors

None.

Activity Tracked
Site Owners / Users

We track several events around the usage of this feature: requests to view threats, fix threats, run a scan, click on the header of a threat (in the scan scanner and in the scan history).

Site Visitors

None.

Data Synced (Read More)
Site Owners / Users

None.

Site Visitors

None.

  • Table Of Contents

  • Categories

  • Contact Us

    Need more help? Feel free to contact us.