Help Documentation

VMP™ Security plugin documentation and support

Free Support

Support for users of the free version of the plugin is available on our support forums. The majority of features shown are available in the free version of VMP™ Security which helps protect millions of sites around the world.

Go to support forums

Access Upgraded Support Now

Our support engineers, equipped in Premium tickets within a few hours on weekdays, will be pleased to help you with advanced topics, provide comprehensive answers to your questions, and respond to all others in 24 hours or less.

Premium Support

Advanced information and configuration

This section is the entry point to deeper material about how VMP Security operates: how the plugin auto-updates itself, what our infrastructure does, which hostnames and IP ranges the plugin communicates with, and where to find more detail when you need it. The deeper articles in this section (Technical Details, Constants, Compatibility, etc.) cover individual topics at length; this overview is a map of where to start.

In This Article

Automatic updates

VMP Security can keep itself updated automatically. The option is on by default for new installations. New plugin versions are pulled from the WordPress plugin directory and installed in the background, the same way any plugin auto-update happens, with no action required from you.

Auto-update can fail if the hosting environment kills the update partway through — for example, if the PHP max_execution_time or a gateway timeout fires during the file replacement step. The symptom is usually that the plugin has disappeared from the active list when you next sign in, often with a “destination folder already exists” error if you try to reinstall.

If this happens, the recovery is straightforward:

  1. SFTP into the site and remove the plugin folder under wp-content/plugins/. Settings are stored in the database, not in the plugin folder, so they are preserved.
  2. Reinstall the plugin from the WordPress Plugins page.
  3. The plugin reactivates with all your previous configuration intact.

If you are on LiteSpeed and seeing repeated auto-update failures, the System Requirements article has LiteSpeed-specific notes that often resolve them.

VMP Security cloud services

The plugin’s cloud services support the on-site features:

  • A pristine archive of every released version of WordPress core, plus per-file checksums, used to verify your core files match the official versions.
  • The same archive for every theme and plugin published in the wordpress.org repositories.
  • The malware signature database used by the firewall and the scanner.
  • A real-time mirror of Google’s Safe Browsing list for content-safety scans.
  • The vulnerability database (which is also exposed externally as VMP Security Intelligence).
  • The Real-Time IP Blocklist, populated by attack telemetry from sites participating in VMP Security Network.
  • Other support services for scanning, license validation, and Portal coordination.

All cloud services are accessed over HTTPS with certificate verification. The Technical Details article documents the request shapes and the data flow in more detail.

Hostnames and IP addresses

The plugin reaches our infrastructure for a small set of services:

  • The VMP Security API — primary backend for license validation, firewall rule updates, malware signatures, vulnerability data, and the Real-Time IP Blocklist.
  • vmpsecurity.com (Portal endpoints) — only used for sites connected to Portal.

The hostnames and IP ranges behind our infrastructure change over time as we scale and rotate servers. If your firewall, CDN, or hosting environment requires explicit allowlisting, contact support to request the current set of hostnames and IP ranges, and re-confirm the list periodically rather than working from a copy you saved months ago.

Allowlisting our infrastructure

If your site sits behind a CDN with strict bot-protection rules, or if your host runs an aggressive WAF, our outbound callbacks may be blocked. Symptoms include the visitor-IP detection check failing, Portal-initiated scan starts not happening, or connectivity tests on the Diagnostics page reporting unreachable callback paths.

The fix is to allowlist our outbound IP ranges in your CDN or host firewall. Most managed CDN platforms have a documented procedure for source-IP allowlists; the procedure does not depend on which provider issued the IPs you are allowing.

If your host or CDN does not support an IP allowlist (some restrictive shared hosting plans do not), the alternative is to disable the callback-dependent features — manual IP detection configuration, locally-scheduled scans, no Portal connection — as described in the API Callbacks article.

Further reading

The following articles in the Advanced section go into specific topics in depth:

Changelog

Version history of the VMP Security plugin.

Constants

PHP constants you can define in wp-config.php to override or fine-tune VMP Security behavior.

Remove or Reset

Cleanly remove VMP Security or reset its data without leaving stale files behind.

VMP Security PHP API

Public PHP classes, hooks, and shortcodes that VMP Security exposes for developers extending or integrating with the plugin.

Compatibility

Compatibility notes for popular plugins, themes, and hosting environments.

Troubleshooting

General troubleshooting steps for VMP Security issues that don't fit elsewhere.
Contents