Weak and compromised credentials are among the leading causes of site breaches and malware infections. Jetpack and Jetpack Protect enhance your site’s security by strengthening password management. We perform advanced checks to detect compromised passwords and enforce additional verification when necessary.
Note: Account Protection is different from Jetpack’s Brute Force Protection feature.
Brute Force Protection helps prevent repeated login attempts from unknown IPs and can be toggled from the Security settings in WP Admin.
Account Protection, on the other hand, is triggered when a user attempts to log in with a password that has been compromised in a known data breach.
If the user is locked out and cannot receive the verification code, the feature cannot be disabled from WP Admin and may require manual recovery.
Requirements
Jetpack Account Protection requires either the Jetpack plugin (version 14.5 or higher) or the Jetpack Protect plugin (version 4.1 or higher) along with the site connection. If you have both the Jetpack and Jetpack Protect plugins, you must upgrade them to at least versions 14.5 and 4.1, respectively.
This feature is activated by default, is free to use, and does not require a Jetpack plan.
How Account Protection works
Manage Account Protection activation
Account Protection is activated by default. Here is how you can manage the activation:
- If you have the Jetpack plugin active:
  - Navigate to Jetpack → Settings.
  - Locate the Account Protection section in the Security tab (the default tab).
  - Toggle Protect your site with advanced password detection and profile management protection.
- If you have the Jetpack Protect plugin active:
  - Navigate to Jetpack → Protect.
  - Open the Settings tab.
  - Toggle Account Protection.
If the setting is disabled and activation is not possible, please check the Unsupported environments section.
Add extra security checks when saving a password
Jetpack Account Protection performs additional security checks whenever a user sets or updates their password.
Passwords are evaluated against the following additional criteria:
- Must not contain a backslash character.
- Must be between 6 and 150 characters.
- Must not appear in known data breaches. Attackers frequently use passwords leaked in public breaches to gain unauthorized access.
When you update your password in WP Admin → Users → Profile, we perform additional checks to ensure security:
- The password must not match any part of your user data (e.g., display name, username, first or last name, email address, or nickname). Using a password similar to your personal details makes guessing easier for attackers.
- The password must not be identical to a previously used password. Reusing old passwords increases security risks.
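The criteria listed above can be expressed as a single validation function. This is an added illustration in Python, not Jetpack's own code: the function names, the constructed breach set and sample account, and the reading of "match" as case-insensitive equality with a profile field are all assumptions.

```python
import hashlib
import hmac

# Constructed stand-in for a breach corpus: SHA-1 digests of sample passwords.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password123", "qwerty2024", "letmein!!")
}

def hash_password(password, salt):
    """Salted, slow hash so old passwords are never stored in clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_password(password, user_data, previous, breached=BREACHED_SHA1):
    """Return the names of the criteria the password fails (empty = accepted)."""
    failures = []
    if "\\" in password:
        failures.append("backslash")
    if not 6 <= len(password) <= 150:
        failures.append("length")
    if hashlib.sha1(password.encode()).hexdigest() in breached:
        failures.append("breached")
    # Assumption: "match" means case-insensitive equality with a profile field.
    folded = password.casefold()
    if any(v and v.casefold() == folded for v in user_data.values()):
        failures.append("user_data")
    # previous holds (salt, digest) pairs; compare in constant time.
    if any(hmac.compare_digest(hash_password(password, s), d) for s, d in previous):
        failures.append("reused")
    return failures

# Constructed sample account.
SAMPLE_USER = {
    "username": "jdoe", "display_name": "Jane Doe", "first_name": "Jane",
    "last_name": "Doe", "nickname": "jdoe-admin", "email": "jdoe@example.test",
}
SALT = bytes(16)  # fixed salt for a repeatable demo; use os.urandom(16) in practice
SAMPLE_PREVIOUS = [(SALT, hash_password("Old-Horse-Battery-9", SALT))]

if __name__ == "__main__":
    for candidate in ("password123", "ab\\c", "JDOE@example.test",
                      "Old-Horse-Battery-9", "violet-kettle-runs-far"):
        print(repr(candidate), check_password(candidate, SAMPLE_USER, SAMPLE_PREVIOUS))
```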
Prevent unverified logins from using leaked passwords
Account Protection adds an extra layer of security to the login process.
We automatically check passwords against a database of known breaches for users with the role of Author or higher. If a compromised password is detected, an additional verification step is required. No configuration is needed—this happens automatically. Here’s how it works:
- A WP Admin user attempts to log in, and Jetpack detects that their password has been compromised.
- A 6-digit verification code is sent to the user’s email address.
- The user sees a Verify Your Identity form, where they must enter the verification code. They can also request a new code if needed.
- Once the code is submitted, the user is prompted to either Create a New Password (recommended) or Proceed Without Updating.
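A minimal model of the emailed-code step described above, added here as an illustration in Python and not taken from Jetpack. The six-digit code and the limit of three resends per session come from this page; the class name, the 10-minute expiry and the cap of five guesses are assumptions.

```python
import hmac
import secrets
import time

MAX_RESENDS = 3          # from the page: three resends per session
CODE_TTL_SECONDS = 600   # assumption: the page states no expiry
MAX_ATTEMPTS = 5         # assumption: the page states no guess limit

class VerificationSession:
    """One step-up challenge bound to one login session (hypothetical model)."""

    def __init__(self, send, now=time.monotonic):
        self._send, self._now = send, now   # send(code) delivers the e-mail
        self.resends = 0
        self.attempts = 0
        self.verified = False
        self._issue()

    def _issue(self):
        # secrets draws from the OS CSPRNG; zero-pad so every code has six digits.
        self._code = f"{secrets.randbelow(10**6):06d}"
        self._expires = self._now() + CODE_TTL_SECONDS
        self._send(self._code)

    def resend(self):
        if self.verified or self.resends >= MAX_RESENDS:
            return False
        self.resends += 1
        self._issue()    # the new code replaces the old one
        return True

    def verify(self, submitted):
        if self._code is None or self._now() > self._expires:
            return False
        if self.attempts >= MAX_ATTEMPTS:
            return False
        self.attempts += 1
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(submitted.encode(), self._code.encode()):
            self._code = None   # single use
            self.verified = True
            return True
        return False
```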
Recover your account in case of issues with the verification code delivery
We send the verification code to the email address associated with your WP Admin user profile.
If you don’t receive your verification code, here’s what you can do:
If you no longer have access to that mailbox:
- Contact support. We will work with you to confirm your ownership of the site. We will then deactivate the Account Protection module for you.
- After regaining access to your WP Admin, access your user profile at https://yourjetpack.blog/wp-admin/profile.php, where yourjetpack.blog is your site’s domain. Once there, you will need to:
  - Update the Email field with your current email address.
  - Update the Password field with a strong, uncompromised password.
If you have access to the mailbox:
- Try to resend the code. You can resend it three times per session. You should be able to make subsequent attempts every 15 minutes.
- If you still haven’t received the code, you can reset your current password. Once you update your password to a strong, uncompromised one, you will no longer be blocked by our Account Protection.
Unsupported environments
The Jetpack Account Protection feature can be disabled by your hosting provider to avoid conflicts with platform-specific security solutions. Your site administrator can also manually disable it in the wp-config.php file:
define( 'DISABLE_JETPACK_ACCOUNT_PROTECTION', true );
In such cases, you will not be able to activate Account Protection. Instead, you will see a notice stating that this feature is disabled by your site administrator or hosting provider.
Risks of using a weak password
As a WordPress Administrator, your password is the first line of defense against unauthorized access. A weak password can put your entire site at risk. Here’s why strong password security is essential:
- Easy Target for Attackers: Weak passwords make your site vulnerable to brute-force attacks, where hackers systematically guess passwords to gain access.
- Higher Risk of Credential Theft: If you reuse passwords across multiple sites, a breach on another platform could expose your WP Admin account to attackers.
- Loss of Administrative Control: Attackers can make unauthorized changes, delete content, or insert malicious code.
- User and Data Breach Risks: Attackers with admin access can steal user information, including emails and personal details, putting your visitors at risk.
- SEO and Reputation Damage: If your site is hacked, search engines may flag it as unsafe, leading to lower search rankings and loss of visitor trust.
- Time-Consuming Recovery Process: Regaining control over a hacked site requires resetting credentials, restoring backups, and securing vulnerabilities—all of which take time and effort.
- Potential Legal and Compliance Issues: Depending on your industry, a security breach could result in legal consequences, including fines for failing to protect user data.
- Financial Losses: A compromised site can lead to lost revenue, particularly for WooCommerce businesses, membership sites, or any site that relies on visitor engagement.
Still need help?
Please contact support. We’re happy to advise.
Privacy
Account Protection is activated by default. Check Manage the activation of Account Protection to learn how to deactivate it.