Help Documentation

VMP™ Security plugin documentation and support

Free Support

Support for users of the free version of the plugin is available on our support forums. The majority of features shown are available in the free version of VMP™ Security which helps protect millions of sites around the world.

Go to support forums

Access Upgraded Support Now

Our support engineers, equipped in Premium tickets within a few hours on weekdays, will be pleased to help you with advanced topics, provide comprehensive answers to your questions, and respond to all others in 24 hours or less.

Premium Support

System requirements

VMP Security supports modern WordPress installations on most popular hosting environments. This article documents the supported PHP and WordPress versions, server resource minimums, and notes for specific hosts that need extra setup. If your environment falls outside these ranges, the plugin may still install and run, but parts of it may not function correctly.

In This Article

Supported PHP and WordPress versions

  • WordPress: 5.0 or later (the plugin’s declared minimum). Tested up to WordPress 6.9. Older WordPress versions may install but receive no compatibility testing.
  • PHP: 7.4 or later. End-of-life PHP versions older than 7.4 are not supported and the plugin will refuse to activate.
  • Multisite: supported. The plugin can be activated network-wide or on individual sites within a network.

If you are running a version older than what we currently support, the right move is almost always to update WordPress and PHP. Old WordPress and PHP versions are themselves a security risk much larger than any plugin can compensate for.

Database requirements

  • MySQL 5.7 or later, or MariaDB 10.3 or later.
  • Storage engine: InnoDB. The MyISAM engine is technically supported but recommended only for very small sites; InnoDB is the practical choice everywhere else.
  • Character set: utf8mb4. The plugin can run on older utf8 tables but emoji and some attack signatures may not be handled correctly.

If you have enabled the firewall’s MySQLi storage engine (covered in its own article), the plugin will create a small set of additional tables under your WordPress prefix. Free space on the database server should comfortably exceed the size you expect those tables to grow to — usually a few megabytes per active site.

Server resource minimums

VMP Security is designed to run alongside the rest of WordPress without dominating resources. The minimums you should expect:

  • PHP memory_limit: 128MB minimum for the firewall to load. 256MB recommended; 512MB if you run scans with all advanced options enabled.
  • Disk space: roughly 50MB for the plugin itself, plus a working area for firewall data and scan state. Plan for 200-500MB total.
  • PHP max_execution_time: 30 seconds is the floor; 60-120 seconds gives the scanner more room to work without splitting into many small stages.
  • Outbound HTTPS: the plugin needs to reach our infrastructure on port 443. Without outbound HTTPS, the firewall rules and malware signatures cannot update.

Network requirements

The plugin makes outbound HTTPS connections to a small set of endpoints. They should all be reachable from your server:

  • The VMP Security API — our main backend. Used for license validation, firewall rule updates, malware signatures, and CVE/vulnerability data. If your environment requires explicit hostname allowlisting, contact support for the current endpoints.
  • vmpsecurity.com (Portal endpoints) — only when the site is connected to Portal.
  • api.wordpress.org, downloads.wordpress.org, core.svn.wordpress.org, raw.githubusercontent.com — for file-integrity comparisons during malware scans.
  • safebrowsing.googleapis.com and www.google.com/recaptcha — URL reputation lookups and the optional reCAPTCHA v3 integration.

If your environment uses an outbound proxy, configure WordPress’s standard proxy constants (WP_PROXY_HOST, WP_PROXY_PORT) in wp-config.php; the plugin uses WordPress’s HTTP API and inherits those settings.

If you have set WP_HTTP_BLOCK_EXTERNAL, list the hostnames above in WP_ACCESSIBLE_HOSTS. Without that, the plugin cannot reach our infrastructure and many features fail silently.

Hosting-specific notes

Most popular hosts work without configuration. A few have quirks worth knowing about:

  • Shared hosting with strict resource limits. Sites on plans with very low CPU and memory budgets sometimes cannot complete a full scan. Use the Limited scan profile (covered in Scan Options) and/or run scans from a server-side cron rather than the WordPress admin.
  • LiteSpeed servers. The firewall’s Extended Protection works on LiteSpeed via the same auto_prepend_file mechanism it uses on Apache. The optimization wizard detects LiteSpeed and configures it correctly. If you also use the LiteSpeed Cache plugin, see the Compatibility article for known interactions.
  • Managed-WordPress hosts. Many managed hosts run their own host-level WAF in front of WordPress. VMP Security still works in this configuration, but you may see some attacks blocked by the host’s WAF before our firewall sees them. Check the host’s firewall logs alongside ours during incident triage.
  • Containerized or read-only filesystem hosting. If wp-content is read-only at runtime, switch the firewall storage engine to MySQLi (covered in its own article) and move the scan working directory to a writable mount.
  • Multi-server / load-balanced setups. Use the MySQLi storage engine so every web node shares firewall state. With the file-based storage engine, each node maintains its own private state, which fragments rate limiting and IP-level data.
Contents