You can review security scan results in one centralized location, fix problems, and restore backups. If Jetpack does notice a problem, you’ll receive an instant email alert. You can repair the majority of security threats with just one click and get back to running your business.
Take a look at all the security features Jetpack offers.
Important: Jetpack Scan is not intended to be a service to clean up already hacked or malware-infected sites. While we can fix some hacked files after purchase, we do rely on the site not being infected at the time of purchase and having a clean version to compare any changed files to. In that case, we suggest following this guide to cleaning a hacked site.
How do I get Jetpack Scan?
Jetpack Scan is available to users who have purchased the Jetpack Scan, Jetpack Security, or Jetpack Complete plans. It is also the scan solution for any new Jetpack Security or Jetpack Complete purchase.
Note: Once the site is connected to Jetpack Scan, your site will remain on the Jetpack Scan solution, even if you change or add a Jetpack plan or move your site to a new host.
Getting Started
Jetpack Scan is activated as soon as your purchase is complete, and your first scan is kicked off immediately.
Note: In order for Jetpack Scan to scan a website, it needs to be able to create files in the /jetpack-temp/
directory (which is located in the root of the site alongside /wp-content/
and /wp-includes/
. It writes a temporary helper file to this directory during the scan and removes it after the scan is complete.
If your site is hosted on a server that prevents files from being changed, you will need to work with your host to ensure that Jetpack is able to write files to the /jetpack-temp/
directory.
Adding Server Credentials
Jetpack can scan your site without any server credentials, but server credentials are required to use one-click fixes. The server credentials can also help make the scans faster and more reliable.
Read more on how to add remote access/server credentials.
Navigating the dashboard

Clicking on Scan under the Jetpack options in WP Admin will take you to the Jetpack.com dashboard.
Make sure to authorize your WordPress.com account if you see an authorization prompt.
After opening the Scan page, you will see two interfaces: Scanner and History.
The scanner page provides an at-a-glance reference of the site’s current state. It will either show that the site is looking great or list the currently active threats.
Clicking the Scan now button will start a new scan.

On the history page, you’ll see a list of all threats the site suffered from in the past. They can be filtered by their fix/ignore status, and ignored threats can be fixed.

Peace of Mind
Once a scan completes, you will receive a notification if any threats are found. These notifications will be in WP Admin, via email, and on your WordPress.com dashboard.
What data is scanned?
- All files in the
plugins
,mu-plugins
,themes
, anduploads
directories. - Select files from your WordPress root directory, like
wp-config.php
. - Other select files inside the wp-content directory.
How often do scans occur?
Scans occur daily or when manually triggered.
How do I fix threats?

When a threat is detected, and you’re notified, we offer a one-click fix for most problems.
You will find the “Auto-fix all” button to handle all the threats at once.
Clicking on the threat will provide more information about the problem and what can be fixed. You will also see the buttons to “Ignore threat” or “Fix threat”.
Ignoring or fixing the threat will create a history of scan threats you can view that you can view in the History tab.
However, sometimes a website can get hacked more severely, meaning a one-click fix is impossible. In that case, we suggest following this guide to cleaning a hacked site. It will help guide you through identifying and cleaning up a hacked site and strengthening the site’s security to help prevent future hacks.
Examples of threats
Changes to Core WordPress Files
We check your WordPress installation to see if any core files have been changed or deleted. Generally, these files should never be changed, so please remember when working on your site. WordPress functionality can and should be altered by using plugins and themes instead.
If you didn’t make the changes to your core files, you should consider the files suspicious and consider replacing them. You can always contact us if you’re unsure of the changes you see.
Other Vulnerabilities
Web-based shells give an attacker full access to your server — allowing them to execute malicious code, delete files, make changes to your database, and many more dangerous things.
Shells are usually found in files, and they can be removed by deleting any infected files from your server and replacing them with a clean version from your backup.
Outdated or insecure plugins
Plugins that have known security vulnerabilities will be detected by Jetpack Scan. If a newer version has patched the threat, you can update the plugin with one click. We allow you to delete the plugin from your site if there is no newer version with a fix.
You’re always welcome to contact us if you have any questions about security threats or suspicious codes.
Multisite
Currently, Jetpack Scan does not support multisite.
Still need help?
Please contact support directly. We’re happy to advise.
Privacy Information
Jetpack Scan is deactivated by default and requires an upgrade to a paid solution (Jetpack Scan, Jetpack Security, or Jetpack Complete) to unlock/activate.
Data Used | |
---|---|
Site Owners / Users We currently scan the following data: files in your plugins, themes, and uploads directories, and select files from your WordPress root directory and `wp-content` directory. This includes all WordPress’s unique and irreplaceable data and everything properly integrated into the WordPress installation. In addition to the data we scan, we also use (and store) your server access credentials (if provided): SSH and/or FTP/SFTP. These credentials are explicitly provided by you when activating Jetpack Scan. For feature usage tracking (detailed below): IP address, WordPress.com user ID, WordPress.com username, WordPress.com-connected site ID, user agent, referring URL, timestamp of event, browser language, country code, and user site count. We may also use scanned content to improve our performance but do not otherwise store it long-term. | Site Visitors None. |
Activity Tracked | |
Site Owners / Users We track several events around the usage of this feature: requests to view threats, fix threats, run a scan, and click on the header of a threat (in the scan scanner and in the scan history). | Site Visitors None. |
Data Synced (Read More) | |
Site Owners / Users None. | Site Visitors None. |