Overview
Jetpack is the official WordPress plugin developed by Automattic, the company behind WordPress.com. Among its many features, Jetpack includes a Web Application Firewall that provides automated protection against common WordPress threats. The WAF uses rules that are automatically updated based on threat intelligence from the millions of sites running on the WordPress.com platform.
The Jetpack WAF operates as an endpoint firewall within your WordPress installation, filtering malicious requests before they can exploit vulnerabilities in plugins, themes, or WordPress core. For sites on the free plan, the WAF provides basic protection with brute force attack prevention. Upgrading to Security or Complete plans unlocks the full WAF ruleset with automatic updates, real-time malware scanning, and one-click fixes.
What sets Jetpack apart is its deep integration with the WordPress.com ecosystem. Activity logs, real-time backups, and downtime monitoring work together with the WAF to provide a unified security and site management experience. If your site is compromised, you can restore a clean backup in seconds.
As an open-source project maintained by Automattic, Jetpack benefits from significant development resources and a massive user base that helps identify emerging threats quickly.
Key Features
Web Application Firewall
Endpoint firewall with automatically updated rules based on WordPress.com threat intelligence.
Brute Force Protection
Blocks distributed brute force login attacks using data from millions of WordPress.com sites.
Malware Scanning
Automated scanning for malware, suspicious code, and known vulnerabilities in plugins and themes.
Real-Time Backups
Cloud-based backups with every change saved, enabling one-click restore if your site is compromised.
Downtime Monitoring
Monitors site availability and sends instant alerts when your site goes offline.
Activity Log
Detailed log of all site changes, logins, and security events for auditing and troubleshooting.
Pros & Cons
Pros
- Automattic backing: Developed by the company behind WordPress.com, ensuring long-term support and deep WordPress integration.
- Unified security platform: WAF, backups, malware scanning, and monitoring in one plugin instead of managing multiple tools.
- Easy setup: One-click installation and setup through WordPress.com account connection, no technical expertise needed.
- Auto-updated WAF rules: Firewall rules are automatically updated based on threats detected across the WordPress.com network.
- Open source: Jetpack is open source on GitHub, allowing community review and contributions.
Cons
- WAF is relatively new: Jetpack's WAF was added later and is less mature than dedicated security plugins like Wordfence.
- Full WAF requires paid plan: The free tier only provides basic protection; full WAF rules and malware scanning require the Security plan.
- Plugin bloat concerns: Jetpack bundles many features beyond security, which some users find adds unnecessary overhead.
- WordPress.com account required: Requires connecting to a WordPress.com account, which some self-hosted users prefer to avoid.
Pricing
Pricing model: Freemium (Free tier + paid subscriptions)
Free
Basic WAF and brute force protection
- Basic WAF protection
- Brute force attack prevention
- Downtime monitoring
- WordPress.com stats
Security
Full WAF rules, malware scanning, and real-time backups
- Everything in Free
- Full WAF with auto-updated rules
- Real-time malware scanning
- One-click malware fixes
- Real-time cloud backups
- Activity log (30-day archive)
Complete
Full security suite with extended features
- Everything in Security
- Real-time backups (unlimited archive)
- Activity log (1-year archive)
- VideoPress hosting
- CRM integration
- Site search
Our Verdict
Jetpack WAF benefits from being developed by Automattic, the company behind WordPress.com. The WAF leverages threat intelligence gathered from millions of sites on the WordPress.com platform, providing rule updates that reflect real-world attack patterns at scale.
The integration with Jetpack's broader feature set—real-time backups, activity logging, and downtime monitoring—creates a compelling all-in-one security solution. If your site is compromised despite the WAF, you can restore a clean backup in seconds rather than dealing with manual cleanup.
Our verdict: A solid choice for WordPress users who want unified security from a trusted source. The WAF itself is less mature than Wordfence or NinjaFirewall, but the integrated backup and monitoring features add significant value.
CVE Coverage
Jetpack Protect / Jetpack WAF can detect and block attacks matching 81K+ known CVEs based on its supported rule sets.
Latest Blockable CVEs
| CVE | Severity |
|---|---|
| CVE-2026-4510 | MEDIUM |
| CVE-2026-4161 | MEDIUM |
| CVE-2026-4087 | MEDIUM |
| CVE-2026-4086 | MEDIUM |
| CVE-2026-4084 | MEDIUM |
| CVE-2026-4077 | MEDIUM |
| CVE-2026-4072 | MEDIUM |
| CVE-2026-4069 | MEDIUM |
| CVE-2026-4067 | MEDIUM |
| CVE-2026-4022 | MEDIUM |
Frequently Asked Questions
How does Jetpack WAF compare to Wordfence?
Wordfence is a dedicated security plugin with a more mature and comprehensive WAF. Jetpack offers a broader feature set (backups, monitoring, stats) with security as one component. If WAF protection is your top priority, Wordfence is stronger. If you want an all-in-one WordPress management tool with good security, Jetpack is compelling.
Is the free Jetpack WAF worth using?
The free tier provides basic brute force protection, which is better than nothing. However, the full WAF ruleset with automatic updates requires the Security plan ($9.95/mo). For free WAF protection specifically, Wordfence Free offers more comprehensive firewall features.
Does Jetpack WAF slow down my site?
Jetpack's WAF adds minimal overhead for request filtering. However, Jetpack as a whole includes many features that can impact performance. You can selectively disable unused modules to reduce overhead. The malware scanning runs on Jetpack's servers, not yours, minimizing local resource usage.
Can I use Jetpack WAF with other security plugins?
Jetpack can work alongside other security plugins, but running multiple WAFs simultaneously is not recommended as they may conflict. If you use Jetpack primarily for backups and monitoring, you can disable its security module and use Wordfence or NinjaFirewall for WAF protection instead.