Jetpack Protect allows you to protect yourself against traditional brute force attacks and distributed brute force attacks that use many servers against your site.
In this support doc, you can find:
- How to enable Jetpack Protect’s security features
- How to adjust your security settings and configurations
- How to unblock and whitelist your IP address
- Troubleshooting information and FAQs
Jetpack’s botnet security features work automatically when you install Jetpack 3.4 or above and connect Jetpack to your WordPress.com account. With botnet protection in place via Jetpack Protect, your site will block unwanted login attempts.
You can view a count of attacks on your site with a widget in your self-hosted site’s dashboard.
Let’s look into what we can do for your Jetpack sites from this new interface.
Whitelisting may be necessary if you’ve made too many failed login attempts to your site. There are three methods for whitelisting your IP address:
- If you have access to your site and you’ve not been blocked, you can enter your IP or IPv6 address(es) by going to Jetpack → Settings → Security → Brute force attack protection.
- If you are blocked from entering your site, you can enter the IP or IPv6 address(es) via WordPress.com by visiting My Sites → Settings → Security → Prevent brute force login attacks.
- You can also whitelist one IP address by setting it as the JETPACK_IP_ADDRESS_OK constant in your wp-config.php like this:
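An added example of such a wp-config.php entry (not taken from the original page), which checks that the value is a well-formed IPv4 or IPv6 address before defining the constant. The address 203.0.113.10 and the variable name $jetpack_allowed_ip are placeholders chosen for illustration.

```php
<?php
// Added example; omit the opening tag above when pasting into an existing
// wp-config.php, and place the lines before the
// "That's all, stop editing!" comment.

// Constructed placeholder from the documentation range; replace it with
// your own address. Use a static address you control, because the point of
// whitelisting is that this address is not blocked.
$jetpack_allowed_ip = '203.0.113.10';

// filter_var() returns false for anything that is not a syntactically
// valid IPv4 or IPv6 address, so a typo does not end up in the constant.
if ( filter_var( $jetpack_allowed_ip, FILTER_VALIDATE_IP ) !== false ) {
    define( 'JETPACK_IP_ADDRESS_OK', $jetpack_allowed_ip );
} else {
    // Leave the constant undefined and record why, rather than
    // whitelisting a malformed value.
    error_log( 'JETPACK_IP_ADDRESS_OK not set: invalid IP address in wp-config.php' );
}
```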
You can find your IP by visiting any of the following sites:
What else should I do to protect my sites?
It’s strongly recommended that you back up your self-hosted sites using a tool such as VaultPress. Backups provide a recovery mechanism should a malicious file corrupt your site or should your site become otherwise compromised.
Introduced in Jetpack 3.3, Jetpack’s site management makes it easy to keep your plugins up to date. By setting your plugins to auto-update, you help ensure any issues that may arise due to plugins with malicious code will not harm your site.
Keeping your plugins and themes updated is one of the most effective ways to keep your self-hosted WordPress sites secure. By using Jetpack’s Site Management tools, you can keep your plugins up to date from one easy control panel in WordPress.com.
Added in Jetpack 2.6, Jetpack’s site monitoring feature will keep tabs on your site and alert you the moment downtime is detected. Monitoring uptime of your site can be an important tool in the security of your site.
Why am I seeing a math captcha on my login page?
The math captcha is used as a fallback for the Protect feature. If your IP has been blocked due to too many failed login attempts, you may still access your site by correctly filling out the math captcha along with the correct login credentials. In very rare cases, you might see the captcha if you’ve not obtained an API key or during times of very heavy attacks.
Do I need to delete BruteProtect?
Once you’ve installed and activated Jetpack 3.4.1 or higher, BruteProtect should deactivate on its own. After BruteProtect is deactivated, feel free to delete the plugin.
How long is an IP blocked?
The length of time is based on a number of factors and is not a set amount of time.