Constants
VMP Security exposes a small number of PHP constants that can be defined in wp-config.php to override or extend its runtime behaviour. Constants are useful when you need a setting to be locked in (so it cannot be changed from the WordPress admin), when you are provisioning sites from infrastructure-as-code, or when you need to bypass a behaviour temporarily without leaving a record in the database.
In This Article
- How to set a constant
- Constants set by the plugin (read-only)
- Constants you can define
- Relevant WordPress constants
How to set a constant
Open wp-config.php and add a define() line above the /* That’s all, stop editing! */ comment, for example:
define('VMPFENCE_WAF_STORAGE_ENGINE', 'mysqli');Constants take effect on the next request. They cannot be changed from the WordPress admin while in place — that is the point of using a constant.
Constants set by the plugin (read-only)
The plugin defines several constants for its own use. You should not redefine these; they are listed here only so you can recognise them in code or diagnostics output.
| Constant | Value / type | Meaning |
|---|---|---|
VMPFENCE_VERSION | string | Currently installed plugin version (e.g. 2.2.8). |
VMPFENCE_PLUGIN_FILE | string | Absolute path to the main plugin entry file. |
VMPFENCE_PLUGIN_DIR | string | Absolute path to the plugin directory (with trailing slash). |
VMPFENCE_PLUGIN_URL | string | URL to the plugin directory (with trailing slash). |
VMPFENCE_PLUGIN_BASENAME | string | Plugin basename for use with WordPress hooks (e.g. vmpfence/vmpfence.php). |
VMPFENCE_DB_VERSION | string | Schema version for the plugin’s database tables. |
VMPFENCE_MIN_WP_VERSION | string | Minimum supported WordPress version (currently 5.0). |
VMPFENCE_MIN_PHP_VERSION | string | Minimum supported PHP version (currently 7.4). |
VMPFENCE_WAF_LOADED | bool | Set to true by the early-protection loader (vmp-waf.php) before WordPress boots, used internally to detect Extended Protection. |
Constants you can define
| Constant | Type | Effect |
|---|---|---|
VMPFENCE_WAF_STORAGE_ENGINE | string | Selects the firewall’s storage engine. Currently the supported value is 'mysqli'; leave undefined to use the default. The current value is shown on Tools → Diagnostics. |
VMPFENCE_WAF_LOG_FILE_MODE | int | POSIX file mode (octal, e.g. 0640) used when the firewall writes its on-disk log files. Override only on hosts where the default permissions cause access problems. |
VMPFENCE_DISABLE_NTP | bool | Set to true to skip the optional NTP-based clock check. Useful on shared hosts that block outbound NTP and where the resulting log noise is unwanted. |
Setting any of these constants in wp-config.php overrides the corresponding option in the database. Diagnostics shows which engine and modes are currently in effect, so you can confirm the override has applied.
Relevant WordPress constants
VMP Security inherits behavior from several WordPress core constants. These are not VMP-specific but affect how the plugin works:
WP_HTTP_BLOCK_EXTERNAL+WP_ACCESSIBLE_HOSTS: IfWP_HTTP_BLOCK_EXTERNALis true,WP_ACCESSIBLE_HOSTSmust include the VMP Security API hostnames (contact support for the current list),*.wordpress.org, andraw.githubusercontent.comfor the plugin to fetch rule and signature updates and run file-integrity checks.DISABLE_WP_CRON: If true, scheduled scans, signature sync, and other background jobs only run when an external cron triggerswp-cron.php. Recommended for any site with low traffic.WP_PROXY_HOST/WP_PROXY_PORT: If your environment requires an outbound HTTP proxy, set these and the plugin will route through it.SECURE_AUTH_KEY: Used as input to encryption of sensitive plugin data at rest. Should already be set on every WordPress installation; rotating it without re-keying breaks decryption of existing secrets.