Take a look at all the security features Jetpack offers.
In one centralized location, you can review security scan results, fix problems, and restore backups. If Jetpack does notice a problem, you’ll receive an instant email alert. You can repair the majority of security threats with just one click and get back to running your business.
Jetpack Scan is not intended to be a service to clean up already hacked or malware-infected sites. While we can fix some hacked files after purchase, we do rely on the site not being infected at the time of purchase and having a clean version to compare any changed files to. If your site is already infected, we suggest following this guide to cleaning a hacked site.
How do I get Jetpack Scan?
Jetpack Scan is available to users who have purchased the Jetpack Scan solution. It is also the scan solution that is provided for any new Jetpack Security or Jetpack Complete purchase.
Note: Once the site is connected to Jetpack Scan, your site will remain on the Jetpack Scan solution, even if you change plan or add a Jetpack plan – or if you move your site to a new host.
As soon as your purchase is complete, Jetpack Scan is activated and your first scan is kicked off right away.
Adding Server Credentials (optional)
Jetpack can scan your site without any server credentials, but we recommend adding them if you can, as they will help with faster and more reliable scanning. If you also use Jetpack Backup, then you’ll need to add server credentials to enable restores.
Read more on how to add remote access / server credentials.
Navigating the dashboard
Clicking on Backup and Scan under the Jetpack options in WP Admin will take you to the Jetpack.com dashboard.
Make sure to authorize your WordPress.com account if you see an authorization prompt.
After opening the Scan page, you will see two interfaces: Scanner and History.
The scanner page provides an at-a-glance reference of the current state of the site. It will either show that the site is looking great, or it will list the currently active threats.
Clicking the Scan now button will start a new scan.
On the history page, you’ll see a list of all threats that the site suffered from in the past. They can be filtered by their fix/ignore status, and ignored threats can be fixed.
Peace of Mind
Once a scan completes, you will receive a notification if any threats are found. These notifications will be in WP Admin, as well as via email and in your WordPress.com dashboard.
What data is scanned?
- All files in the
- Select files from your WordPress root directory, like
- Other select files inside the wp-content directory.
How often do scans occur?
Scans occur daily, or when manually triggered.
How do I fix threats?
When a threat is detected and you’re notified, we offer a one-click fix for most problems.
You’ll see the same icon whether a threat is fixable or not. Clicking on the threat will provide more information about what the problem is, and what can be fixed. You will also see an option to ignore the threat. Either ignoring or fixing the threat will create a history of scan threats that you can view.
However, sometimes a website can get hacked more severely, meaning a one-click fix is not possible. In that case we suggest following this guide to cleaning a hacked site. It will help guide you through the process of identifying and cleaning up a hacked site, as well as strengthening the site’s security to help prevent future hacks.
Examples of threats
Changes to Core WordPress Files
We check your WordPress installation to see if any core files have been changed or deleted. Generally, these files should never be changed, so please keep that in mind when working on your site. WordPress functionality can and should be altered by using plugins and themes instead.
If you didn’t make the changes to your core files, you should consider the files suspicious and consider replacing them. If you’re unsure of the changes you see, you can always contact us.
Web-based shells give an attacker full access to your server — allowing them to execute malicious code, delete files, make changes to your database, and many more dangerous things.
Shells are usually found in files, and they can be removed by deleting any infected files from your server and replacing them with a clean version from your backup.
Outdated or insecure plugins
Plugins that have known security vulnerabilities will be detected by Jetpack Scan. If there’s a newer version that has patched the threat, you can update the plugin with one click. If there is no newer version with a fix, we allow you to delete the plugin from your site.
If you have any questions about security threats or suspicious code, you’re always welcome to contact us.
Does Jetpack Scan support multisite?
Currently, Jetpack Scan does not support multisite.
This feature is deactivated by default, and requires an upgrade to a paid solution (Jetpack Scan, Jetpack Security or Jetpack Complete) to unlock/activate.
Site Owners / Users
We currently scan the following data: files in your plugins, themes, and uploads directories, as well as select files from your WordPress root directory and `wp-content` directory. This includes all the unique and irreplaceable data in WordPress, as well as everything properly integrated into the WordPress installation. In addition to the data that we scan, we also use (and store) your server access credentials (if provided): SSH and/or FTP/SFTP. These credentials are explicitly provided by you when activating Jetpack Scan.
We may also use scanned content to improve our performance but do not otherwise store it long-term.
Site Owners / Users
We track several events around the usage of this feature: requests to view threats, fix threats, run a scan, click on the header of a threat (in the scan scanner and in the scan history).