JetPack is a collection of WordPress power tools maintained by the WordPress creators Automattic. It will, among other things, provide you with site stats and analytics, automatic social network sharing, 24/7 uptime monitoring, and access to a high-speed content deliver network for images.
Many of JetPack’s features use the WordPress.com infrastructure, and to use it on a self-hosted WordPress install - like the one you’re looking at right now - the WordPress XML RPC interface has to be accessible to the WordPress.com servers. The problem with that approach is that XML RPC interface is one of the favorite attack vectors for WordPress
hackers script kiddies. So the interface is ideally locked down and made inaccessible unless it’s strictly necessary to make it available.
To get JetPack to work properly it’s necessary to make the XML RPC interface accessible from the in-ter-net. But you don’t want every single Russian basement dweller to get access: Ideally, you just white list the JetPack servers.
I’m using the very handy - and free - IP Geo Block plugin to make certain features on my WordPress install unavailable. The login page, the admin area, the register page, the “lost password” page, and the XML RPC interface is only available to your truly. Everyone else trying to access these pages are greeted with a 503 Service Unavailable.
IP Geo Block also comes with a handy feature for white listing based on IP addresses, and that’s what you need to do if you want to use JetPack and still not having to worry about bad guys knocking on your front door. The IP ranges you need to white list are as follows (as of 2016-08-10):
For convenience, here’s a comma separated list you can just copy and paste into the IP Geo Block configuration:
- [JetPack by WordPress.com: Whitelist IPs](https://wordpress.org/support/topic/whitelist-ips-1#post-6354011)
- IP Geo Block whitelist tooltip