
Important Notice: Update Your Jetpack WordPress Plugin Now

August 1, 2016

We love Jetpack – it’s full of great features for lots of websites. We’ve shared reasons why you should use Jetpack, and then urged you again to give Jetpack a try. But it appears that there was a critical security loophole hiding in all those options. Have no fear: the folks over at Automattic were the ones to find it during a routine security check, and they had the plugin updated in no time. If you haven’t already, update your Jetpack as soon as possible.

According to Jetpack, the flaw has been present since Jetpack 1.9 and in all versions thereafter. The vulnerability left a hole open for hackers to access your site and publish posts without being an admin, and could possibly have been combined with other malicious attacks to further impair your site. Although they haven’t seen any documentation of this loophole being exploited “in the wild,” Jetpack said it themselves:

This is a bad bug, and Jetpack is one of the most widely used plugins in the WordPress world.

So please make sure to update your Jetpack plugin as soon as you get a chance. Jetpack released a statement that they plan to disconnect websites using an outdated version of the plugin to offer an extra blanket of security. You can learn more about the update on the Jetpack Blog, but you should also check out some of our other articles on WordPress security to keep your website extra safe.


Article by Kyla WPExplorer Staff
Published on: April 11, 2014
Last updated on: August 1, 2016


  1. Matt says:

    While this might be a serious security vulnerability in Jetpack, if you prevent people from accessing the backend completely, you stop them from being able to do anything. You do this by allowing ONLY your IP Address to access the wp-admin. If you find or create an .htaccess file, you can add this code:

    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteCond %{REMOTE_ADDR} !^xx\.xx\.xxx\.xxx$
    RewriteRule ^(.*)$ - [R=403,L]

    Replace the x’s with your IP address.

    No one can access your backend unless they are using a specific IP address, but I’ve been using this code for over a year now. There used to be dozens of brute force attempts every day on my website and I used to ban those IP addresses from accessing my website, but it was taking too much time to grab all those IP addresses. Since this code has been implemented, any brute force attempts lead to a 404 Error Page, and there have been zero attempts to break into my website. Regardless of anything, if Jetpack says it’s serious, it’s serious and everyone should update to the latest version of WordPress.
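
Added example (not part of the comment above or of the original article): a Python emulation of how the rewrite conditions in that comment combine, run over constructed request paths and documentation-range IP addresses, to check which requests the rule answers with 403 and why the address pattern needs escaped dots and a closing anchor. The function names, sample paths and addresses are assumptions made for this illustration.

```python
import re

# Patterns copied verbatim from the RewriteCond lines in the comment above.
LOGIN_URI = re.compile(r"^(.*)?wp-login\.php(.*)$")
ADMIN_URI = re.compile(r"^(.*)?wp-admin$")

def allow_pattern(ip):
    """REMOTE_ADDR regex as the comment writes it: dots escaped, both ends anchored."""
    return re.compile("^" + re.escape(ip) + "$")

def loose_pattern(ip):
    """For comparison only: the same address with unescaped dots and no '$'."""
    return re.compile("^" + ip)

def is_forbidden(request_uri, remote_addr, allowed_ip):
    """Emulate the rule: (cond 1 OR cond 2) AND address-not-allowed gives 403."""
    protected = bool(LOGIN_URI.search(request_uri) or ADMIN_URI.search(request_uri))
    allowed = bool(allow_pattern(allowed_ip).search(remote_addr))
    return protected and not allowed

# Constructed sample data (documentation-range addresses, hypothetical paths).
ALLOWED_IP = "203.0.113.7"
OTHER_IP = "198.51.100.20"
SAMPLE_URIS = ["/wp-login.php", "/blog/wp-login.php", "/wp-admin",
               "/wp-admin/", "/wp-admin/index.php", "/index.php"]

def coverage(remote_addr):
    """Map each sample URI to True if the rule would answer 403 for this client."""
    return {uri: is_forbidden(uri, remote_addr, ALLOWED_IP) for uri in SAMPLE_URIS}

if __name__ == "__main__":
    for uri, blocked in coverage(OTHER_IP).items():
        print(f"{OTHER_IP:>15} {uri:<22} {'403' if blocked else 'passed through'}")
    neighbour = "203.0.113.77"  # constructed: a different host sharing the prefix
    print("strict pattern admits neighbour:", bool(allow_pattern(ALLOWED_IP).search(neighbour)))
    print("loose pattern admits neighbour: ", bool(loose_pattern(ALLOWED_IP).search(neighbour)))
```

Paths below /wp-admin/ are not matched by the second condition; for a visitor who is not logged in, WordPress normally redirects those requests to wp-login.php, which the first condition covers.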
