Important Notice: Update Your Jetpack WordPress Plugin Now

We love Jetpack – it’s full of great features for lots of websites. We’ve shared reasons why you should use Jetpack, and then urged you again to give Jetpack a try. But it appears that a critical security loophole was hiding among all those options. Have no fear, though: the folks over at Automattic were the ones to find it, during a routine security check, and they had the plugin updated in no time – so if you haven’t already, update your Jetpack as soon as possible.

According to Jetpack, the flaw has been present since Jetpack 1.9 and in all versions thereafter. The vulnerability left a hole open for hackers to access your site and publish posts without being an admin, and it could have been combined with other malicious attacks to further impair your site. Although they haven’t seen any reports of this loophole being exploited “in the wild”, Jetpack said it themselves:

This is a bad bug, and Jetpack is one of the most widely used plugins in the WordPress world.

So please make sure to update your Jetpack plugin as soon as you get a chance. Jetpack released a statement that they plan to disconnect websites using an outdated version of the plugin to offer an extra blanket of security. You can learn more about the update on the Jetpack Blog, but you should also check out some of our other articles on WordPress security to keep your website extra safe.
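If you look after more than one site, the practical question is which of them still run a Jetpack older than the fixed release. The script below is an added example, not code from this post or from Jetpack: it reads the "Version:" header that every WordPress plugin's main file carries, compares it against a minimum version, and flags sites that need the update. The two plugin headers and the site names are constructed samples, and FIRST_FIXED_VERSION is a placeholder, since the post does not name the fixed release; fill it in from Jetpack's own announcement.

```python
import re
from typing import Dict, List, Optional, Tuple

# Placeholder: the post above does not name the first fixed Jetpack release.
# Put the version number from Jetpack's own announcement here before use.
FIRST_FIXED_VERSION = "0.0.0"

# Constructed sample plugin headers standing in for wp-content/plugins/jetpack/jetpack.php
# on two hypothetical sites; real files carry the same "Version:" header line.
SAMPLE_SITES: Dict[str, str] = {
    "site-a.example": "<?php\n/*\n * Plugin Name: Jetpack by WordPress.com\n * Version: 1.9.2\n */\n",
    "site-b.example": "<?php\n/*\n * Plugin Name: Jetpack by WordPress.com\n * Version: 9.9.9\n */\n",
}

VERSION_LINE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Pull the value of the 'Version:' header out of a plugin's main file."""
    m = VERSION_LINE.search(header_text)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '2.2.5' into (2, 2, 5); anything after the dotted-number prefix is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def needs_update(installed: str, first_fixed: str) -> bool:
    """True when the installed version predates the first fixed release."""
    a, b = version_key(installed), version_key(first_fixed)
    width = max(len(a), len(b))
    # pad with zeros so that 2.2 and 2.2.0 compare as equal
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit(sites: Dict[str, str], first_fixed: str) -> List[Tuple[str, str, bool]]:
    """Return (site, installed_version, needs_update) per site; an unreadable version is flagged."""
    results: List[Tuple[str, str, bool]] = []
    for site, header in sites.items():
        installed = parse_plugin_version(header)
        if installed is None:
            results.append((site, "unknown", True))
        else:
            results.append((site, installed, needs_update(installed, first_fixed)))
    return results


if __name__ == "__main__":
    for site, installed, outdated in audit(SAMPLE_SITES, FIRST_FIXED_VERSION):
        print(f"{site}: Jetpack {installed} -> {'UPDATE NOW' if outdated else 'ok'}")
```

To run it against real installs, read each site's jetpack.php into the dictionary in place of the sample strings. A site whose header cannot be parsed is deliberately reported as needing attention rather than silently skipped.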


Post Author: Kyla

Hi! My name is Kyla, and I'm the VP at WPE. Although I'm still new to WordPress, I love every bit and I have fun sharing what I learn with all of you!

Disclosure: This page contains external affiliate links that may result in us receiving a commission if you choose to purchase said product. The opinions on this page are our own. We do not receive payment for positive reviews.
  1. While this might be a serious security vulnerability in Jetpack, if you prevent people from accessing the backend completely, you stop them from being able to do anything. You do this by allowing ONLY your IP Address to access the wp-admin. If you find or create an .htaccess file, you can add this code:
    RewriteEngine on
    # Requests for the login page (unanchored, so subdirectory installs match too) ...
    RewriteCond %{REQUEST_URI} wp-login\.php [OR]
    # ... or for anything inside the admin directory, not just the bare "wp-admin" path
    RewriteCond %{REQUEST_URI} wp-admin(/|$)
    # admin-ajax.php stays reachable: front-end features and many plugins rely on it
    RewriteCond %{REQUEST_URI} !wp-admin/admin-ajax\.php
    # Only this address may pass; replace the x's with your own IP, keeping the escaped dots
    RewriteCond %{REMOTE_ADDR} !^xx\.xx\.xxx\.xxx$
    # Everything else is refused with 403 Forbidden
    RewriteRule ^ - [F,L]
    
    Replace the x's with your IP address. No one can access your backend unless they are using a specific IP address, but I've been using this code for over a year now. There used to be dozens of brute force attempts every day on my website and I used to ban those IP addresses from accessing my website, but it was taking too much time to grab all those IP addresses. Since this code has been implemented, any brute force attempts lead to a 404 Error Page, and there have been zero attempts to break into my website. Regardless of anything, if Jetpack says it's serious, it's serious and everyone should update to the latest version of WordPress.
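The part of a rule chain like the one in the comment above that most often goes wrong is the precedence: mod_rewrite ANDs consecutive RewriteCond lines unless one carries [OR], so the chain reads (login OR admin) AND NOT admin-ajax AND NOT your-address. The script below is an added example, not the commenter's code, that models exactly that decision in Python so you can see which requests the rule would refuse before you lock yourself out. ALLOWED_IP is a constructed placeholder from the RFC 5737 documentation range, the sample requests are constructed, and the function names are this example's own.

```python
import re
from typing import List, Tuple

# Constructed placeholder for the allowlisted address (RFC 5737 documentation range);
# in the real .htaccess the x's in the REMOTE_ADDR condition hold your own IP.
ALLOWED_IP = "203.0.113.7"

# One regex per RewriteCond in the .htaccess snippet
LOGIN_RE = re.compile(r"wp-login\.php")
ADMIN_RE = re.compile(r"wp-admin(/|$)")
AJAX_RE = re.compile(r"wp-admin/admin-ajax\.php")


def targets_backend(uri: str) -> bool:
    """The [OR] pair: the request is for the login page or the admin area."""
    return bool(LOGIN_RE.search(uri) or ADMIN_RE.search(uri))


def rewrite_decision(uri: str, remote_addr: str) -> int:
    """Status the rule chain yields: 403 when the rule fires, 200 when the request passes.

    mod_rewrite ANDs successive RewriteCond lines unless a line carries [OR], so the
    chain reads (login OR admin) AND NOT admin-ajax AND NOT allowlisted-address.
    """
    if targets_backend(uri) and not AJAX_RE.search(uri) and remote_addr != ALLOWED_IP:
        return 403
    return 200


# Constructed sample requests: (REQUEST_URI, REMOTE_ADDR)
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("/wp-login.php", "198.51.100.9"),             # stranger at the login page
    ("/wp-login.php", ALLOWED_IP),                 # owner at the login page
    ("/wp-admin/", "198.51.100.9"),                # stranger at the dashboard
    ("/blog/wp-admin/edit.php", "198.51.100.9"),   # subdirectory install
    ("/wp-admin/admin-ajax.php", "198.51.100.9"),  # front-end AJAX, must keep working
    ("/2013/04/some-post/", "198.51.100.9"),       # ordinary public page
]


def simulate(requests: List[Tuple[str, str]]) -> List[Tuple[str, str, int]]:
    """Evaluate each request through the chain and return (uri, ip, status)."""
    return [(uri, ip, rewrite_decision(uri, ip)) for uri, ip in requests]


if __name__ == "__main__":
    for uri, ip, status in simulate(SAMPLE_REQUESTS):
        print(f"{status}  {ip:<14} {uri}")
```

Two things the model makes visible that the snippet alone does not: the rule only touches requests that pass through wp-login.php or the wp-admin directory, so anything else (an XML-RPC call to xmlrpc.php, for instance) is not affected by it at all; and it keys on REMOTE_ADDR, which behind a CDN or reverse proxy is the proxy's address rather than the visitor's, so test the rule from a second connection before relying on it, and remember that a dynamic home IP will eventually lock you out of your own dashboard.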
