
Brute Force Attack Protection

Brute Force Attack Protection on WordPress.com blocks unwanted login attempts from traditional and distributed brute force login attacks. This guide explains how to use Brute Force Attack Protection on your WordPress.com website.

This feature is available on sites with the WordPress.com Business or Commerce plan.

About brute force attacks

Brute force attacks are a method hackers use to exploit code vulnerabilities on WordPress websites. Hackers use large networks of computers known as botnets to try to gain access to your site by using thousands of different combinations of usernames and passwords until they find the right one.

There are two main methods of signing into a WordPress website:

  1. wp-login is the WordPress login page located at /wp-login.php. On WordPress.com, you can log in securely here using your WordPress.com credentials.
  2. XMLRPC is a method used by external applications to authenticate and interact with WordPress.

Both methods are vulnerable to attacks from bots trying to gain access to websites, and therefore the Jetpack plugin protects both methods from brute force attacks. On average, Jetpack blocks 5,000+ WordPress brute force attacks over a site’s lifetime. 

No matter what size your site is, there’s always someone or something trying to break in. If successful, brute force attacks can slow down or stop your site from responding and give hackers unauthorized access to your site’s content and data.

How Brute Force Attack Protection works

WordPress.com sites come with Jetpack’s Brute Force Attack Protection enabled by default in addition to other state-of-the-art security tools. This feature blocks malicious login attempts automatically, helping to keep your site secure from the moment it’s created.

With Brute Force Attack Protection, you can:

  • Automatically block suspicious IP addresses before they reach your site
  • Whitelist trusted IPs to avoid false positives
  • Enable or disable the feature as needed

Jetpack uses data from millions of sites to detect and stop threats. For example, if a bot fails to log in to one site, it will be blocked from others before it can even attempt access.

Turn Brute Force Attack Protection on or off

Sites hosted on WordPress.com cannot deactivate the Jetpack plugin, since doing so would break your access to your site and remove the essential features it provides. Jetpack is automatically managed so we can continue to ensure your site’s ultimate security and performance. 

However, you can deactivate specific features of Jetpack that you believe may be causing a conflict. Brute Force Attack Protection is activated by default when you create your WordPress.com website.

You can deactivate and reactivate the feature with the following steps:

  1. Visit your site’s dashboard.
  2. Navigate to Jetpack → Settings (or Jetpack → Dashboard → Manage security settings if using the default interface style).
  3. Scroll down to the “Brute force protection” section and toggle the feature on or off:
A screenshot depicting the Brute force protection field in the Jetpack settings.

Whitelist IP addresses

You can allowlist IP addresses to prevent them from being blocked. This is useful if you’ve made several failed login attempts or if Jetpack has flagged unusual activity from your current IP.

To add an IP address to your site’s allowlist:

  1. Visit your site’s dashboard.
  2. Navigate to Jetpack → Settings (or Jetpack → Dashboard → Manage security settings if using the default interface style).
  3. Scroll down to the “Always allowed IP addresses” section.
  4. Toggle the setting on.
  5. Add the IP addresses you wish to whitelist (separated by a comma).
    • Both IPv4 and IPv6 addresses are accepted.
    • To specify a range, enter the low value and high value separated by a dash. Example: 12.12.12.1-12.12.12.100
  6. (Optionally) Click the button marked “Add to Allow list” to conveniently whitelist your current IP address.
A screenshot depicting the Always allowed IP addresses field in the Jetpack settings.
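
Because every allowed address is exempt from blocking, it helps to check the list before pasting it into the field. The following is an added example, not Jetpack's or WordPress.com's code: it parses a value in the format described in the steps above (comma-separated entries, IPv4 or IPv6, ranges written low-high) and reports malformed, reversed, or unusually broad entries. The function names, the `MAX_RANGE_SIZE` threshold, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Assumption: the field takes comma-separated entries, each a single IPv4/IPv6
# address or a "low-high" range, as the steps above describe.
MAX_RANGE_SIZE = 256  # hypothetical review threshold, not a Jetpack limit


def parse_entry(entry):
    """Return (low, high) ip_address objects for one allowlist entry."""
    low_text, dash, high_text = entry.strip().partition("-")
    low = ipaddress.ip_address(low_text.strip())
    high = ipaddress.ip_address(high_text.strip()) if dash else low
    if low.version != high.version:
        raise ValueError("range mixes IPv4 and IPv6")
    if int(low) > int(high):
        raise ValueError("range is reversed (low value is above high value)")
    return low, high


def review_allowlist(text):
    """Split the field value; return (usable ranges, list of problems)."""
    ranges, problems = [], []
    for entry in filter(None, (e.strip() for e in text.split(","))):
        try:
            low, high = parse_entry(entry)
        except ValueError as exc:  # also raised for unparsable addresses
            problems.append(f"{entry}: {exc}")
            continue
        size = int(high) - int(low) + 1
        if size > MAX_RANGE_SIZE:
            problems.append(f"{entry}: covers {size} addresses, review first")
        ranges.append((low, high))
    return ranges, problems


def is_allowed(address, ranges):
    """True if address falls inside any parsed range of the same IP version."""
    ip = ipaddress.ip_address(address)
    return any(lo.version == ip.version and lo <= ip <= hi for lo, hi in ranges)


# Constructed sample: the page's example range plus documentation addresses.
SAMPLE = ("12.12.12.1-12.12.12.100, 2001:db8::10, 203.0.113.5, "
          "10.0.0.9-10.0.0.1, 198.51.100.0-198.51.103.255")

if __name__ == "__main__":
    print(review_allowlist(SAMPLE)[1])
```
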

Last updated: June 13, 2025