To protect against unwanted login attempts to your account or site, make sure you have set a strong password on your account and enabled two-step authentication. You can also protect your site from brute force attacks, which this guide will cover.
Brute force attacks are a method hackers use to gain unauthorized access to WordPress websites by guessing login credentials. Hackers use large networks of computers known as botnets to try to gain access to your site by using thousands of different combinations of usernames and passwords until they find the right one.
There are two main methods of signing into a WordPress website:
- wp-login is the WordPress login page located at /wp-login.php. On WordPress.com, you can log in securely here using your WordPress.com credentials.
- XMLRPC is a method used by external applications to authenticate and interact with WordPress.
Both methods are vulnerable to attacks from bots trying to gain access to websites, and therefore our Jetpack plugin protects both methods from brute force attacks on WordPress.com. On average, Jetpack blocks 5,000+ WordPress brute force attacks over a site’s lifetime.
No matter what size your site is, there’s always someone or something trying to break in. If successful, brute force attacks can slow down or stop your site from responding and give hackers unauthorized access to your site’s content and data.
Brute force attack protection on WordPress.com blocks unwanted login attempts from traditional and distributed brute force login attacks, helping to keep your site secure from the moment it’s created.
With brute force attack protection, you can:
- Automatically block suspicious IP addresses before they reach your site
- Allowlist trusted IPs to avoid false positives
- Enable or disable the feature as needed
Jetpack uses data from millions of sites to detect and stop threats. For example, if a bot fails to log in to one site, it will be blocked from others before it can even attempt access.
This section of the guide applies to sites with the WordPress.com Business and Commerce plan. If you have a Business plan, make sure to activate it. For free sites and sites on the Personal and Premium plans, upgrade your plan to access this feature.
Sites hosted on WordPress.com cannot deactivate the Jetpack plugin, since doing so would break your access to your site and remove the essential features it provides. Jetpack is automatically managed so we can continue to ensure your site’s ultimate security and performance.
However, you can deactivate specific features of Jetpack that you believe may be causing a conflict. Brute force attack protection is activated by default when you create your WordPress.com website.
You can deactivate and reactivate the feature with the following steps:
- Visit your site’s dashboard.
- Navigate to Jetpack → Settings.
- Click on the Security tab.
- Scroll down to the “Brute force protection” section and toggle the feature on or off.

You can allowlist IP addresses to prevent them from being blocked. This is useful if you’ve made several failed login attempts or if Jetpack has flagged unusual activity from your current IP.
To add an IP address to your site’s allowlist:
- Visit your site’s dashboard.
- Navigate to Jetpack → Settings.
- Click on the Security tab.
- Scroll down to the “Always allowed IP addresses” section.
- Toggle the setting on.
- Add the IP addresses you wish to allowlist (separated by a comma). Both IPv4 and IPv6 addresses are accepted. To specify a range, enter the low value and high value separated by a dash. Example: 12.12.12.1-12.12.12.100
- (Optionally) Click the button marked “Add to Allow list” to conveniently allowlist your current IP address.
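An added example, not part of this guide or of Jetpack's own code: a small Python checker that parses an allowlist string in the format described above (comma-separated entries, each a single IPv4 or IPv6 address or a low-high range joined by a dash) and tests whether a given address falls inside it, so you can sanity-check entries before saving them. The sample allowlist is constructed for illustration and reuses the guide's example range.

```python
import ipaddress
from typing import List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample allowlist: the guide's example range, one single IPv4
# address (TEST-NET-3) and one IPv6 range (documentation prefix).
SAMPLE_ALLOWLIST = "12.12.12.1-12.12.12.100, 203.0.113.7, 2001:db8::1-2001:db8::ff"


def parse_allowlist(text: str) -> List[Tuple[IPAddr, IPAddr]]:
    """Parse a comma-separated allowlist into (low, high) address pairs.

    A single address becomes a range whose low and high are the same.
    Malformed entries raise ValueError so a bad allowlist is caught before
    it is saved rather than silently ignored.
    """
    ranges = []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate trailing commas and stray whitespace
        # IPv6 uses colons, so a dash inside any entry can only be the
        # range separator.
        if "-" in entry:
            low_s, high_s = entry.split("-", 1)
            low = ipaddress.ip_address(low_s.strip())
            high = ipaddress.ip_address(high_s.strip())
        else:
            low = high = ipaddress.ip_address(entry)
        if low.version != high.version:
            raise ValueError(f"mixed IP versions in range: {entry!r}")
        if low > high:
            raise ValueError(f"range low value exceeds high value: {entry!r}")
        ranges.append((low, high))
    return ranges


def is_allowlisted(ip: str, ranges: List[Tuple[IPAddr, IPAddr]]) -> bool:
    """Return True if ip falls inside any parsed range (same IP version only)."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == low.version and low <= addr <= high
               for low, high in ranges)


if __name__ == "__main__":
    parsed = parse_allowlist(SAMPLE_ALLOWLIST)
    for probe in ("12.12.12.50", "12.12.12.101", "2001:db8::a", "203.0.113.8"):
        print(probe, "allowed" if is_allowlisted(probe, parsed) else "not allowed")
```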
