BruteProtect, Jetpack, and XMLRPC

  • Resolved b-cat


    I understand BruteProtect has been acquired by Jetpack, and is now reincarnated as the “Protect” feature within Jetpack.

    I installed Jetpack today for the sole purpose of continuing to use BruteProtect, which has been an outstanding plugin. Upon installing Jetpack (which installs 27 other functions…which I don’t necessarily want), I immediately began encountering problems.

    Upon clicking the Debug button within the Jetpack admin panel, the error message indicated that Jetpack could not communicate with my website. After a few tech support emails, it appears Jetpack MUST have access to the XML-RPC file at the root of your domain in order for Jetpack to work (not sure if that means all of Jetpack, or just some parts of Jetpack).

    I had no plugins blocking Jetpack from access to the XMLRPC file, so I contacted my hosting provider…which it turns out is blocking all public access to XMLRPC by default on all WordPress installations because such access is a known vector for hacker attacks.

    I do not know yet if Jetpack’s “Protect” feature (aka BruteProtect) will continue to function properly without having access to the XMLRPC, but for sure certain features within Jetpack will NOT work properly without it.

    If Jetpack’s “Protect” feature will not function without opening a new door for hacker opportunities, then this will be a quite unfortunate development for BruteProtect.

    Does anyone know if “Protect” will still function properly even if the Jetpack system does not have public access to XMLRPC? I have not gotten a clear answer on that from Jetpack, yet.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Update: Jetpack says that the “Protect” function does indeed require XML-RPC access to work properly. So, unfortunately, I will probably not be using Jetpack Protect.

    Many thanks to the developers of BruteProtect for what they created, and for keeping it available through 2015! It’s been a great service. I hope a good alternative will emerge before 2016!

    : (

    Plugin Contributor Stephen Quirk


    Jetpack doesn’t require XMLRPC at the root of your domain, but it does expect xmlrpc.php to be in your WordPress folder (e.g. same level as wp-login.php).

    XMLRPC isn’t inherently vulnerable, but is one of the methods that is tried. Jetpack Protect (and BruteProtect before it) would help with blocking access.

    Jetpack support would be happy to communicate directly with your host with additional details. A total and absolute block of a standard, built-in feature of WordPress is overkill.

    You can also turn off any features you wouldn’t use.

    Hope this helps!

    Can you send me the alter JetPack WP Plugin link I should use to change BruteProtect?

  • The topic ‘BruteProtect, Jetpack, and XMLRPC’ is closed to new replies.