How To White List JetPack Servers

JetPack is a collection of WordPress power tools maintained by Automattic, the company behind WordPress. Among other things, it provides site stats and analytics, automatic social network sharing, 24/7 uptime monitoring, and access to a high-speed content delivery network for images.

Many of JetPack’s features rely on the WordPress.com infrastructure, and to use them on a self-hosted WordPress install - like the one you’re looking at right now - the WordPress XML-RPC interface has to be reachable from the WordPress.com servers. The problem with that approach is that the XML-RPC interface is one of the favorite attack vectors of WordPress script kiddies. Ideally the interface is locked down and made inaccessible unless it’s strictly necessary to expose it.

To get JetPack to work properly, the XML-RPC interface has to be accessible from the internet. But you don’t want every single Russian basement dweller to get access: ideally, you white list only the JetPack servers.

I’m using the very handy - and free - IP Geo Block plugin to make certain features on my WordPress install unavailable. The login page, the admin area, the register page, the “lost password” page, and the XML-RPC interface are only available to yours truly. Everyone else trying to access these pages is greeted with a 503 Service Unavailable.

IP Geo Block also comes with a handy feature for white listing based on IP addresses, and that’s what you need if you want to use JetPack and still not have to worry about bad guys knocking on your front door. The IP ranges you need to white list are as follows (as of 2016-08-10):

  • 185.64.140.0/22
  • 76.74.255.0/25
  • 76.74.248.128/25
  • 198.181.116.0/22
  • 192.0.64.0/18
  • 64.34.206.0/24
  • 192.0.64.0/18

For convenience, here’s a comma separated list you can just copy and paste into the IP Geo Block configuration:

185.64.140.0/22,76.74.255.0/25,76.74.248.128/25,198.181.116.0/22,192.0.64.0/18,64.34.206.0/24,192.0.64.0/18
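A small sanity check for that list, added here as an example and not code from the post or from the IP Geo Block plugin. It parses the comma separated string with Python’s standard `ipaddress` module, rejects anything that is not a valid CIDR block (a typo here silently widens or narrows the white list), drops duplicate entries, tells you whether a given client address falls inside the white list, and scans a few constructed access log lines for `xmlrpc.php` requests that came from outside it. The log lines and the `203.0.113.45` address are made up for the example; only the CIDR list itself is taken from the post.

```python
import ipaddress
import re

# The comma separated list from the post, copied verbatim (as of 2016-08-10).
JETPACK_WHITELIST = (
    "185.64.140.0/22,76.74.255.0/25,76.74.248.128/25,"
    "198.181.116.0/22,192.0.64.0/18,64.34.206.0/24,192.0.64.0/18"
)


def parse_whitelist(csv):
    """Turn a comma separated CIDR list into ip_network objects.

    strict=True makes ip_network raise ValueError when host bits are set
    (e.g. "10.0.0.1/8"), which catches a mistyped range before it is pasted
    into the plugin. Duplicates are dropped while keeping the original order.
    """
    seen = set()
    networks = []
    for item in csv.split(","):
        item = item.strip()
        if not item:
            continue
        net = ipaddress.ip_network(item, strict=True)
        if net not in seen:
            seen.add(net)
            networks.append(net)
    return networks


def is_allowed(client_ip, networks):
    """True if client_ip lies inside any of the white listed networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def broad_ranges(networks, max_prefix=16):
    """Return networks larger than a /max_prefix.

    A white list entry that is too wide lets in far more than the intended
    servers; this flags anything with a prefix shorter than max_prefix.
    """
    return [net for net in networks if net.prefixlen < max_prefix]


# Common Log Format: client IP, then the quoted request line.
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*"')


def unexpected_xmlrpc_clients(log_lines, networks):
    """IPs that hit xmlrpc.php from outside the white list, in order of first sight.

    Useful as a detection check after enabling the white list: anything listed
    here is either a JetPack range you forgot, or somebody knocking on the door.
    """
    found = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path = m.groups()
        if path.split("?")[0].endswith("/xmlrpc.php") and not is_allowed(ip, networks):
            if ip not in found:
                found.append(ip)
    return found


# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '198.181.116.20 - - [10/Aug/2016:10:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512',
    '203.0.113.45 - - [10/Aug/2016:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 503 0',
    '203.0.113.45 - - [10/Aug/2016:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 9000',
]


if __name__ == "__main__":
    nets = parse_whitelist(JETPACK_WHITELIST)
    print("unique ranges:", len(nets))
    print("broad ranges:", broad_ranges(nets))
    print("192.0.100.1 allowed:", is_allowed("192.0.100.1", nets))
    print("outside xmlrpc clients:", unexpected_xmlrpc_clients(SAMPLE_LOG, nets))
```

Running it shows that the seven entries in the post collapse to six unique ranges (192.0.64.0/18 is listed twice, which is harmless), that none of them is wider than a /18, and that only the made-up `203.0.113.45` address reached `xmlrpc.php` from outside the white list.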
