
Brute Force Attack Protection

Brute Force Attack Protection on WordPress.com blocks unwanted login attempts from traditional and distributed brute force login attacks. This guide explains how to use Brute Force Attack Protection on your WordPress.com website.

This feature is available on sites with the WordPress.com Creator or Entrepreneur plan.

About Brute Force Attacks

Brute force attacks are a way for attackers to break into WordPress websites by guessing credentials rather than by exploiting a flaw in the code. Attackers use large networks of compromised computers, known as botnets, to try thousands of username and password combinations against your login until one works.

There are two main ways to sign into a WordPress website, and both accept credentials:

  1. wp-login is the WordPress login page located at /wp-login.php. On WordPress.com, you log in securely here using your WordPress.com credentials.
  2. XML-RPC (the /xmlrpc.php endpoint) is an API used by external applications to authenticate and interact with WordPress.

Because both entry points accept a username and password, both are targets for bots trying to guess their way in, and the Jetpack plugin protects both from brute force attacks. On average, Jetpack blocks 5,193 WordPress brute force attacks over a site’s lifetime.

No matter what size your site is, there is always someone or something trying to break in. The sheer volume of a sustained attack consumes server resources and can slow your site down or stop it responding whether or not any guess succeeds; if one does succeed, the attacker gains the access of the compromised account, including your site’s content and data.

How Our Brute Force Attack Protection Works

The Jetpack plugin on WordPress.com provides your site with state-of-the-art security tools, including brute force attack protection to block these attacks. Our Brute Force Attack Protection is automatically enabled on your website. 

From the moment your site is created, the feature lets you:

  • Automatically block malicious IPs before they reach your site.
  • Allowlist known IP addresses to prevent false positives (the setting is labeled “Always allowed IP addresses”).
  • Disable and enable Brute Force Attack Protection as needed.

Brute Force Attack Protection pools the failed login attempts reported by millions of Jetpack-connected sites and uses that shared history to decide whom to block. For example, if a bot has been hammering site A with failed logins and then moves on to site B, the protection already recognizes the bot’s IP address and rejects its attempts at site B before it gets a chance to guess, even though site B has never seen that address before.
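The following toy model shows the mechanism described above. It is an added example, not Jetpack’s or WordPress.com’s code: it assumes a simple log format (“<site> <ip> <outcome>”), a fixed failure threshold, and made-up site names, none of which come from this page. Failures reported by site A are pooled, and the resulting decision is applied at site B before any password is checked there.

```python
"""Toy model of network-wide brute force blocking (added example, not Jetpack code)."""
from collections import defaultdict
import re

# Constructed sample log, in an assumed "<site> <ip> <outcome>" format:
# one address fails five times at site A, a real user mistypes once and then succeeds.
SAMPLE_LOG = """\
site-a.example 203.0.113.7 fail
site-a.example 203.0.113.7 fail
site-a.example 203.0.113.7 fail
site-a.example 203.0.113.7 fail
site-a.example 203.0.113.7 fail
site-a.example 198.51.100.4 fail
site-a.example 198.51.100.4 ok
"""

LINE_RE = re.compile(r"^(?P<site>\S+)\s+(?P<ip>\S+)\s+(?P<outcome>ok|fail)$")
FAIL_THRESHOLD = 5  # assumed for the demo; the real threshold is not published on this page


class SharedProtection:
    """Failure counts are pooled across every site that reports to it."""

    def __init__(self) -> None:
        self.failures = defaultdict(int)  # ip -> failed attempts, network-wide
        self.seen_by = defaultdict(set)   # ip -> sites that have reported it
        self.blocked = set()

    def ingest(self, log_text: str) -> None:
        """Record attempts reported by any site; block an IP once it passes the threshold."""
        for line in log_text.splitlines():
            m = LINE_RE.match(line.strip())
            if not m:
                continue  # ignore malformed lines rather than crash on them
            ip, site = m["ip"], m["site"]
            self.seen_by[ip].add(site)
            if m["outcome"] == "fail":
                self.failures[ip] += 1
                if self.failures[ip] >= FAIL_THRESHOLD:
                    self.blocked.add(ip)

    def has_reported(self, site: str, ip: str) -> bool:
        """True if this particular site has ever reported an attempt from ip."""
        return site in self.seen_by[ip]

    def allow_login_attempt(self, ip: str) -> bool:
        """Decision taken before the password is checked; identical at every site."""
        return ip not in self.blocked


def run_demo(log_text: str = SAMPLE_LOG) -> dict:
    """Ingest the sample log and return what site B decides about each address."""
    protection = SharedProtection()
    protection.ingest(log_text)
    return {
        "bot_seen_by_site_b": protection.has_reported("site-b.example", "203.0.113.7"),
        "bot_allowed": protection.allow_login_attempt("203.0.113.7"),
        "user_allowed": protection.allow_login_attempt("198.51.100.4"),
        "bot_failures": protection.failures["203.0.113.7"],
    }


if __name__ == "__main__":
    # Site B never saw the bot, yet the pooled history blocks it there too.
    print(run_demo())
```

The point of the model is the last dictionary: site B has no record of the bot (`bot_seen_by_site_b` is False) but still refuses its login, while the legitimate user who failed once is unaffected. A per-site counter would have given the bot five fresh guesses at every site in the network.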

Allowlist IP Addresses

You can allowlist (the older term is “whitelist”) IP addresses so that they are never blocked. This may be necessary if you have locked yourself out with too many failed login attempts, or if Jetpack has detected unusual behavior from your current IP address. Because an allowlisted address bypasses the brute force check entirely, add only static addresses you control; allowlisting a dynamic address or a range you share with other customers lets everyone behind it bypass the protection too.

To add IP addresses to the site’s allowed list:

  1. Visit your site’s dashboard.
  2. Navigate to Jetpack → Settings (or Jetpack Dashboard, then Manage security settings, if using the default interface style).
  3. Scroll down to the “Brute force protection” section.
  4. Click the down arrow to expand the IP address options.
  5. In the “Always allowed IP addresses” box, add the IP addresses you wish to allowlist, separated by commas. Both IPv4 and IPv6 addresses are accepted.
    • To specify a range, enter the low value and the high value separated by a dash. Example: 12.12.12.1-12.12.12.100
  6. Optionally, click the button marked “Add to Always Allowed list” to allowlist your current IP address in one step.
[Screenshot: the “Always allowed IP addresses” field under the Brute force protection setting]
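The steps above define a small format: comma-separated entries, each a single IPv4 or IPv6 address or a low-high range joined by a dash. The code below parses that format, validates it, and checks whether a client address falls inside it. It is an added example, not Jetpack’s own implementation: it implements only what the steps state and assumes the service matches client addresses the same way; the addresses in `ALLOW_EXAMPLE` are constructed for the demo.

```python
"""Parse and match the “Always allowed IP addresses” format (added example, not Jetpack code)."""
import ipaddress

# Constructed sample allowlist: one IPv4 range, one IPv4 host, one IPv6 host.
ALLOW_EXAMPLE = "12.12.12.1-12.12.12.100, 198.51.100.5, 2001:db8::1"


def parse_allowlist(text: str) -> list:
    """Return [(low, high), ...] address pairs; raise ValueError for a bad entry."""
    entries = []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            continue  # tolerate trailing commas and blank entries
        # IPv6 text never contains "-", so the first dash always separates a range.
        low_text, dash, high_text = item.partition("-")
        low = ipaddress.ip_address(low_text.strip())   # ValueError if not an address
        high = ipaddress.ip_address(high_text.strip()) if dash else low
        if low.version != high.version:
            raise ValueError(f"range {item!r} mixes IPv4 and IPv6")
        if high < low:
            raise ValueError(f"range {item!r} has its high value below its low value")
        entries.append((low, high))
    return entries


def allowlist_errors(text: str) -> list:
    """Validate every entry and report all problems at once, as a settings form should."""
    errors = []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            continue
        try:
            parse_allowlist(item)
        except ValueError as exc:
            errors.append(f"{item}: {exc}")
    return errors


def is_allowed(text: str, client_ip: str) -> bool:
    """True when client_ip falls inside any entry, i.e. it bypasses the block check."""
    ip = ipaddress.ip_address(client_ip)
    # Addresses of different families cannot be compared, so skip those entries.
    return any(low <= ip <= high
               for low, high in parse_allowlist(text)
               if low.version == ip.version)


if __name__ == "__main__":
    print(is_allowed(ALLOW_EXAMPLE, "12.12.12.50"))      # True, inside the range
    print(is_allowed(ALLOW_EXAMPLE, "12.12.12.101"))     # False, one past the high value
    print(is_allowed(ALLOW_EXAMPLE, "2001:0db8::0001"))  # True, same IPv6 address written longhand
    print(allowlist_errors("10.0.0.9-10.0.0.1, 10.0.0.1-::1, not-an-ip"))
```

Two details are worth checking in whatever you type into the real field: the range is inclusive at both ends, and the same IPv6 address can be written several ways, so compare addresses rather than strings when you review an allowlist. A reversed range or a range that mixes IPv4 and IPv6 is a mistake rather than a silent no-op, which is why the validator reports it.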

Turn Brute Force Attack Protection On or Off

Sites hosted on WordPress.com cannot deactivate the Jetpack plugin: doing so would break your access to your site and remove the essential features it provides, so Jetpack is managed automatically to keep your site secure and performing well.

However, you can deactivate individual Jetpack features that you believe are causing a conflict. Brute Force Attack Protection is activated by default when you create your WordPress.com website.

You can deactivate and reactivate the feature with the following steps:

  1. Visit your site’s dashboard.
  2. Navigate to Jetpack → Settings (or Jetpack Dashboard, then Manage security settings, if using the default interface style).
  3. Scroll down to the “Brute force protection” section and toggle the feature on or off.
[Screenshot: the green enable toggle under the Brute force protection setting]

Last updated: July 03, 2024