Jetpack WAF (Web Application Firewall)

Jetpack’s WAF (Web Application Firewall) examines incoming traffic to a WordPress site and decides to allow or block it based on various rules. This adds an important layer of protection to your site, particularly when attackers actively exploit unpatched vulnerabilities.

Looking for more information about using the WAF with the Jetpack Protect plugin? See our article about the Jetpack Protect Plugin.

With Jetpack Firewall, you can configure IP addresses that will never or always be blocked (regardless of the automatic rules). To allow or block incoming traffic based on automatic rules, you will need one of these plans: Jetpack Security, Jetpack Complete, or Jetpack Scan, and a connection to your WordPress.com account.

If you previously had a Jetpack plan that includes Jetpack Scan and/or your site becomes disconnected from your WordPress.com account, you will continue to have access to the firewall settings in your Jetpack dashboard. This is to ensure that your IP allow/block lists and previous firewall rules remain functional.

Turning on the firewall

Jetpack Firewall is deactivated by default when you connect Jetpack to your WordPress.com account. It can be activated at any time on your Jetpack Settings page. To enable Jetpack WAF:

  1. Select Jetpack → Settings → Security → Firewall in your site’s WP Admin
  2. Enable Protect your site with Jetpack’s Web Application Firewall

Configure your firewall

Your firewall comes with the following options:

  • Automatic rules – Protect your site against untrusted traffic sources with automatic security rules. This option requires a paid plan: Jetpack Security, Jetpack Complete, or Jetpack Scan.
  • Manual rules – Block specific IP addresses from accessing your site: This option allows you to add an IP blocklist.
  • Share basic data with Jetpack: You allow Jetpack to collect basic data from blocked requests to improve firewall protection and accuracy. You can check Jetpack Privacy before you set this option.
  • Share detailed data with Jetpack: You allow Jetpack to collect detailed data from blocked requests to improve firewall protection and accuracy. You can check Jetpack Privacy before you set this option.

Block specific IP addresses from accessing your site

To add IP addresses to a block list:

  1. Select Jetpack → Settings → Security → Firewall in your site’s WP Admin
  2. Enable Manual rules – Block specific IP addresses from accessing your site
  3. Enter IP addresses. Separate IPs with commas, spaces, or new lines. IPv4 and IPv6 are supported. To specify a range, use CIDR notation (e.g. 12.12.12.0/24) or enter the low value and high value separated by a dash (e.g. 12.12.12.0-12.12.12.255).
  4. Click Save block list to save your settings

Add always-allowed IP addresses to your security settings

You can prevent Jetpack’s security features from blocking specific IP addresses. This will apply to both brute force protection and firewall rules.

Here is how to add IP addresses to the allowlist:

  1. Select Jetpack → Settings → Security → Always allowed IP addresses in your site’s WP Admin
  2. Toggle on the Prevent Jetpack’s security features from blocking specific IP addresses
  3. Enter IP addresses. Separate IPs with commas, spaces, or new lines. IPv4 and IPv6 are supported. To specify a range, use CIDR notation (e.g. 12.12.12.0/24) or enter the low value and high value separated by a dash (e.g. 12.12.12.0-12.12.12.255).
  4. Click Save allow list.

The Always allowed IP addresses section will show your current IP. You can add it to the list by clicking the Add to Allow List button.

Troubleshooting

What happens if I don’t renew my Scan subscription?

Any rules delivered to the site will remain functional after your Jetpack Scan subscription lapses or is removed.

Can I use the IP allow and block lists behind a reverse proxy (like Cloudflare)?

The IP allowlists and blocklists currently have no way to configure trusted proxies and trusted headers and thus won’t work behind any sort of reverse proxy or load balancer setup.
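
The list syntax described in the steps above and the reverse-proxy limitation, shown together as an added sketch (this is not Jetpack's own parser). It assumes the list is evaluated against the address of the connecting peer, which is what the lack of trusted-proxy configuration implies; the sample list, `CLIENT_IP`, and the proxy address `10.0.0.5` are constructed values.

```python
import ipaddress
import re

def parse_ip_list(text):
    """Split on commas/whitespace; return (ranges, rejected_entries)."""
    ranges, rejected = [], []
    for entry in filter(None, re.split(r"[,\s]+", text)):
        try:
            if "/" in entry:                      # CIDR notation
                net = ipaddress.ip_network(entry, strict=False)
                low, high = net[0], net[-1]
            elif "-" in entry:                    # low-high range
                low, high = map(ipaddress.ip_address, entry.split("-", 1))
                if low.version != high.version or low > high:
                    raise ValueError("range bounds out of order or mixed")
            else:                                 # single address
                low = high = ipaddress.ip_address(entry)
            ranges.append((low, high))
        except ValueError:
            rejected.append(entry)
    return ranges, rejected

def is_listed(ip, ranges):
    """True if ip falls inside any parsed range of the same IP version."""
    addr = ipaddress.ip_address(ip)
    return any(lo.version == addr.version and lo <= addr <= hi
               for lo, hi in ranges)

# Constructed sample list using documentation address ranges.
BLOCK_LIST = """203.0.113.7, 198.51.100.0/24
2001:db8:1::/48 192.0.2.10-192.0.2.20"""
CLIENT_IP = "203.0.113.7"   # visitor the site owner wants blocked
PROXY_IP = "10.0.0.5"       # hypothetical reverse proxy in front of the site

def decision(peer_ip, ranges):
    """Evaluate the list against the address the web server sees."""
    return "block" if is_listed(peer_ip, ranges) else "allow"

def demo():
    ranges, rejected = parse_ip_list(BLOCK_LIST)
    direct = decision(CLIENT_IP, ranges)    # client connects to the site
    proxied = decision(PROXY_IP, ranges)    # same client, via the proxy
    return direct, proxied, rejected

if __name__ == "__main__":
    print(demo())
```

Under the same assumption, an allow-list entry for an office address never matches behind a proxy either, because every request arrives from the proxy's address.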

My site went down after I activated the Firewall feature.

If you need to deactivate the firewall without access to the Jetpack settings screen, you can:

  • Modify your wp-config.php: add the line define( 'DISABLE_JETPACK_WAF', true ); to your wp-config.php file
  • Use WP-CLI: if you have WP-CLI installed, use the command wp jetpack-waf teardown

Still need help?

Please contact support. We’re happy to advise.

Privacy Information

This feature is deactivated by default. It can be activated at any time at Jetpack → Settings → Security → Firewall and by clicking on Protect your site with Jetpack’s Web Application Firewall.

Data Used

Site Owners / Users

This feature evaluates the incoming HTTP requests and blocks them if they’re considered malicious.

User data is used to authenticate some of our APIs. Installed themes and plugins and WordPress version are used to know which versions we should check against the WPScan API in the free version of the WAF.

Site Visitors

None.

Activity Tracked

Site Owners / Users

If the Share data with Jetpack checkbox is selected we track which rules caused a request to be blocked. We don’t track actual request data with this option.

Jetpack Firewall also tracks when settings in the Firewall settings are turned on or off.

If the Share data with Jetpack checkbox is selected we track the following data of requests that trigger a WAF block:

  • Information about the rule that triggered the block
  • Request URI
  • User agent
  • Referer
  • Content type
  • GET params

If the Share detailed data with Jetpack checkbox is selected we also track the following data for requests that triggered the block alongside the previously mentioned data:

  • POST params
  • Header data

Site Visitors

None.

Data Synced (Read More)

Site Owners / Users

Information about users/admins, installed themes and plugins, and WordPress version.

Site Visitors

None.

For general features and FAQs, please see our Jetpack Security features.
