Jetpack Scan

You can review security scan results in one centralized location, fix problems, and restore backups. If Jetpack does notice a problem, you’ll receive an instant email alert. You can repair the majority of security threats with just one click and get back to running your business.

Take a look at all the security features Jetpack offers.

Overview: The content below offers a comprehensive overview of Jetpack Scan, a powerful security scanning tool by Jetpack. It explains the features, benefits, and important details regarding the use of Jetpack Scan, including which plans include it, how to get started, the importance of server credentials, navigating the dashboard, frequency of scans, fixing threats, and privacy information. Users can learn about the types of threats detected, examples of threats, and how Jetpack Scan helps enhance the security of WordPress sites.

Important: Jetpack Scan is not intended to be a service to clean up already hacked or malware-infected sites. While Jetpack Scan can fix some hacked files after purchase, we do rely on the site not being infected at the time of purchase and having a clean version to compare any changed files to. In that case, we suggest following this guide to cleaning a hacked site.

Which Plans Include Jetpack Scan?

Jetpack Scan is available to users who have purchased the Jetpack Scan, Jetpack Security, or Jetpack Complete plans. It is also the scan solution for any new Jetpack Security or Jetpack Complete purchase.

Note: Once the site is connected to Jetpack Scan, your site will remain on the Jetpack Scan solution, even if you change or add a Jetpack plan or move your site to a new host.

Getting Started

Jetpack Scan is activated as soon as your purchase is complete, and your first scan is kicked off immediately.

Note: In order for Jetpack Scan to scan a website, it needs to be able to create files in the /jetpack-temp/ directory (which is located in the root of the site alongside /wp-content/ and /wp-includes/. It writes a temporary helper file to this directory during the scan and removes it after the scan is complete.

If your site is hosted on a server that prevents files from being changed, you will need to work with your host to ensure that Jetpack is able to write files to the /jetpack-temp/ directory.

Adding Server Credentials to Jetpack Scan

Jetpack Scan can check your site for malware without requiring server credentials. You can also resolve detected threats using one-click (auto) fixes without credentials, as long as you’re using Jetpack Protect v4.2 or higher.

However, providing server credentials (like SSH, SFTP, or FTP) can make scans faster and more reliable.

To learn how to securely add remote access credentials, see SSH, SFTP, FTPS, and FTP Credentials guide.

Navigating the Jetpack dashboard

You can reach the Jetpack Scan from your WP Admin dashboard by following these steps:

👁 Image

1. Access the Jetpack.com dashboard by clicking on Scan within the Jetpack options in WP Admin. If prompted, authorize your WordPress.com account.
2. Upon reaching the Scan page, you will encounter two interfaces: Scanner and History.
3. The scanner page offers a quick overview of the site’s current status, displaying either that the site is in good condition or listing any active threats.
4. To commence a new scan, just click the Scan now button.

👁 Image

On the History page, you’ll see a list of all threats detected on the site in the past. They can be filtered by their fix/ignore status, and ignored threats can be fixed.

👁 Image

How Jetpack Scan Works

Once a scan completes, you will receive a notification if any threats are found. These notifications will be in WP Admin, via email, and on your WordPress.com dashboard.

If your site is hosted on WordPress.com, email notifications for security threats are not sent. WordPress.com handles threat remediation automatically in the background, so manual action is not required.

What data is scanned?

Jetpack scans:

• All files in the plugins, mu-plugins, themes, and uploads directories.
• Select files from your WordPress root directory, like wp-config.php.
• Other select files inside the wp-content directory.

What data is not scanned?

• Jetpack does not scan your site’s database.

How often do scans occur?

Scans occur daily or when manually triggered.

How do I fix threats?

When Jetpack Scan detects a threat to your site, you have the following options:

• When a threat is detected, and you’re notified, we offer an auto fix (one-click fix) for most problems.
• You will find the “Auto fix all” button to handle all the threats at once.
• Clicking on the threat will provide more information about the problem and what can be fixed. You will also see buttons to “Ignore threat” or “Fix threat“.
• Ignoring or fixing the threat will create a history of scan threats you can view that you can view in the History tab.

However, sometimes a website can get hacked more severely, meaning an auto fix (one-click fix) by Jetpack Scan is impossible. In that case, we suggest following this guide to cleaning a hacked site. It will help guide you through identifying and cleaning up a hacked site and strengthening the site’s security to help prevent future hacks.

Examples of Threats that Jetpack Scan May Find

Changes to Core WordPress Files

Jetpack Scan will check your WordPress installation to see if any core files have been changed or deleted. Generally, these files should never be changed, so please remember when working on your site. WordPress functionality can and should be altered by using plugins and themes instead.

If you didn’t make the changes to your core WordPress files, you should consider the files suspicious and consider replacing them. You can always contact us if you’re unsure of the changes you see.

Other Vulnerabilities

Web-based shells give an attacker full access to your server — allowing them to execute malicious code, delete files, make changes to your database, and many more dangerous things.

Shells are usually found in files, and they can be removed by deleting any infected files from your server and replacing them with a clean version from your backup.

Outdated or insecure plugins

Plugins that have known security vulnerabilities will be detected by Jetpack Scan. If a newer version has patched the threat, you can update the plugin with one click. We allow you to delete the plugin from your site if there is no newer version with a fix.

You’re always welcome to contact us if you have any questions about security threats or suspicious codes.

Privacy Information

Jetpack Scan is deactivated by default and requires an upgrade to a paid solution (Jetpack Scan, Jetpack Security, or Jetpack Complete) to unlock/activate.

Data Used
Site Owners / Users We currently scan the following data: files in your plugins, themes, and uploads directories, and select files from your WordPress root directory and `wp-content` directory. This includes all WordPress’s unique and irreplaceable data and everything properly integrated into the WordPress installation. In addition to the data we scan, we also use (and store) your server access credentials (if provided): SSH and/or FTP/SFTP. These credentials are explicitly provided by you when activating Jetpack Scan. For feature usage tracking (detailed below): IP address, WordPress.com user ID, WordPress.com username, WordPress.com-connected site ID, user agent, referring URL, timestamp of event, browser language, country code, and user site count. We may also use scanned content to improve our performance but do not otherwise store it long-term.	Site Visitors None.
Activity Tracked
Site Owners / Users We track several events around the usage of this feature: requests to view threats, fix threats, run a scan, and click on the header of a threat (in the scan scanner and in the scan history).	Site Visitors None.
Data Synced (Read More)
Site Owners / Users None.	Site Visitors None.