• Resolved emunews

    (@emunews)


    I just installed Jetpack and enabled the Brute force attack protection/Block suspicious-looking sign in activity.

    But I can’t find any documentation on how it works. Does anyone know how it works, or can anyone point me to an article which explains the algorithms it uses?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Jeremy Herve

    (@jeherve)

    Jetpack Mechanic

    If you use the Jetpack plugin and its Protect feature, our plugin will monitor all attempts to log in to your site, whether someone attempts to log in using your site’s log in form, or if they attempt to log in using your site’s XML-RPC file. When someone repeatedly fails to log in because they don’t have the right credentials, we will block them from accessing your log in page altogether. We will also stop them from accessing any log in page of all the other sites using the Jetpack plugin.

    This way, if a bot gets blocked on one Jetpack site it will be blocked on all the sites using Jetpack and won’t be able to even try to hack into your site.

    You can read more about the Protect feature here:
    https://jetpack.com/support/security-features/#enable

    I hope this clarifies things a bit. Let me know if you have more questions!

    Thread Starter emunews

    (@emunews)

    What’s the algorithm it uses? For example, how many login attempts does it take for a user to be locked out? What happens if a legitimate user forgets their password and reaches their lockout limit? Are they permanently locked or is there a way to unlock them? How are you tracking users? By IP? By cookie?

    Plugin Author Jeremy Herve

    (@jeherve)

    Jetpack Mechanic

    The algorithm we use to detect and block bots is not something I’m able to share here. I can, however, try to answer your other questions:

    We track users by IP. If a legitimate user forgets their password and repeatedly tries and fails to log in, they’ll first be “soft-blocked”: they’ll still be able to access the log in page, but will have to answer a simple math challenge to be able to try to log in again. If they keep trying and eventually get “hard-blocked” (i.e. blocked from accessing the log in page altogether), they can follow one of the methods here to unblock themselves if they’re the site owner:
    https://jetpack.com/support/security-features/#unblock

    I hope this helps.

  • The topic ‘Brute force attack protection’ is closed to new replies.
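
The tiering described in the replies above (per-IP tracking, a soft block that demands a challenge, then a hard block that refuses the login page) can be modelled as a sliding-window counter. This is an added example, not Jetpack's code or algorithm, which the plugin author does not disclose; the thresholds, the `LoginThrottle` class and the sample events are hypothetical.

```python
# Hypothetical thresholds for illustration; Jetpack's real values are not public.
SOFT_LIMIT = 5         # failures within WINDOW before a challenge is required
HARD_LIMIT = 10        # failures within WINDOW before the login page is refused
WINDOW = 600           # seconds of failure history counted per IP
HARD_BLOCK_TTL = 3600  # seconds a hard block lasts

class LoginThrottle:
    def __init__(self, allowlist=()):
        self.failures = {}                # ip -> list of failure timestamps
        self.blocked_until = {}           # ip -> time the hard block expires
        self.allowlist = set(allowlist)   # IPs that are never blocked

    def _recent(self, ip, now):
        # Keep only failures that are still inside the sliding window.
        kept = [t for t in self.failures.get(ip, []) if t > now - WINDOW]
        if kept:
            self.failures[ip] = kept
        else:
            self.failures.pop(ip, None)
        return len(kept)

    def status(self, ip, now):
        """Return 'allow', 'challenge' (soft block) or 'block' (hard block)."""
        if ip in self.allowlist:
            return "allow"
        if self.blocked_until.get(ip, 0) > now:
            return "block"
        return "challenge" if self._recent(ip, now) >= SOFT_LIMIT else "allow"

    def record_failure(self, ip, now):
        self.failures.setdefault(ip, []).append(now)
        if ip not in self.allowlist and self._recent(ip, now) >= HARD_LIMIT:
            self.blocked_until[ip] = now + HARD_BLOCK_TTL
        return self.status(ip, now)

    def unblock(self, ip):
        # Owner-initiated reset: clear both the block and the failure history.
        self.blocked_until.pop(ip, None)
        self.failures.pop(ip, None)

def simulate(throttle, events):
    """events: constructed (timestamp, ip) failed-login tuples."""
    results = []
    for now, ip in events:
        if throttle.status(ip, now) == "block":
            results.append((ip, "block"))   # refused before credentials are checked
        else:
            results.append((ip, throttle.record_failure(ip, now)))
    return results

# Constructed sample: one address (documentation range) failing every 10 seconds.
SAMPLE = [(t * 10, "203.0.113.7") for t in range(12)]
```

Because the counter is keyed on the source IP, everyone behind the same NAT or proxy shares one counter, which is why an allowlist and an owner unblock path matter in this design.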