Help Documentation

VMP™ Security plugin documentation and support

Basic Plugin Settings

This article walks through the minimum recommended configuration after installing VMP Security. The plugin’s defaults are sensible for most sites; this list is the small set of decisions that benefit from being made deliberately on every site you set up.

Each option in the plugin has a help-icon link to the relevant article if you need more detail. If you have just installed the plugin and want a quick sweep of the most important options, work through the steps below.

Step 1 — Firewall

Open VMP Security → Firewall → Firewall Options.

  1. Confirm Web Application Firewall Status is set to Enabled and Protecting.
  2. Confirm Protection Level shows Extended Protection. If it shows Basic WordPress Protection, click OPTIMIZE THE VMP FIREWALL to run the optimization wizard. The full procedure is in the Optimizing The Firewall article.
  3. Other defaults on this page are sensible. Leave them.

Step 2 — Visitor IP detection

If your site is behind a CDN or load balancer, the firewall has to be told how to read the visitor’s real IP rather than the proxy’s IP. If this is wrong, every per-IP defense in the plugin (rate limiting, brute force lockout, country blocking) silently misbehaves.

  1. Open VMP Security → All Options and find the How does VMP Security get IPs? option.
  2. Compare the “Your IP with this setting” line with your actual public IP, as reported by an external service that shows your IP.
  3. If they match, the default is correct. If they do not, work through the alternative options until the displayed IP matches.
  4. If you use a CDN, set the corresponding trusted-proxy list so an attacker cannot spoof the visitor IP by sending a fake forwarded-for header.
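
Why the trusted-proxy list in item 4 matters, as an added example (illustrative Python, not VMP Security's own code). The function names are hypothetical, and the proxy ranges and addresses are constructed documentation values rather than any real CDN's list.

```python
import ipaddress

# Constructed trusted-proxy ranges (assumption: stand-ins for a CDN / load balancer).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "10.0.0.0/8")]


def parse_ip(text):
    """Return an ip_address object, or None if the text is not a valid IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(remote_addr, xff):
    """Weak setting: believe the left-most forwarded-for entry from any sender."""
    return xff.split(",")[0].strip() if xff else remote_addr


def client_ip(remote_addr, xff):
    """Corrected setting: read the header only when the TCP peer is a trusted
    proxy, then walk right to left and stop at the first untrusted hop."""
    peer = parse_ip(remote_addr)
    if peer is None or not is_trusted(peer) or not xff:
        return remote_addr
    candidate = remote_addr
    for hop in reversed(xff.split(",")):
        ip = parse_ip(hop)
        if ip is None:          # malformed entry: stop trusting the chain
            break
        candidate = str(ip)
        if not is_trusted(ip):  # first untrusted hop is the visitor
            break
    return candidate


if __name__ == "__main__":
    # Constructed requests: (TCP peer address, X-Forwarded-For header value).
    samples = [
        ("203.0.113.9", "192.0.2.55"),                # direct hit with a forged header
        ("198.51.100.7", "192.0.2.55, 203.0.113.9"),  # forged entry, CDN appended the real IP
        ("10.0.0.5", "203.0.113.9, 198.51.100.7"),    # CDN, then internal load balancer
    ]
    for peer, xff in samples:
        print(peer, "|", xff, "| naive:", naive_client_ip(peer, xff),
              "| trusted-proxy:", client_ip(peer, xff))
```

In the first two samples the naive reading attributes the request to the forged 192.0.2.55, so rate limits and lockouts would land on the wrong address; the trusted-proxy reading returns 203.0.113.9 in all three.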

Step 3 — Brute Force Protection

Brute Force Protection is on by default and is responsible for one of the largest practical reductions in attack surface. Confirm the defaults in VMP Security → Firewall (the Brute Force Protection card) and on the Firewall Options page are sensible for your site:

  • Lockout after a moderate number of failed login attempts within a short window.
  • Lockout immediately on attempts that use a known-invalid username (a strong attacker signal).
  • Strong-password enforcement for at least administrators.
  • Username harvest protection enabled.

For high-value sites, you can tighten the thresholds. The Brute Force Protection article has specific tuning suggestions for different site types.

Step 4 — Scheduled scans

Open VMP Security → Scan and click Scan Options and Scheduling. Confirm Scheduled Scans is enabled. The default schedule (weekly) is right for many sites; switch to Once Daily, Twice Daily, Weekdays Only, Weekends Only, or a Custom Schedule if you need different timing.

Pick the Standard scan type unless you have a reason to choose otherwise. Limited is for hosts with very tight resource budgets; High Sensitivity is for sites you specifically suspect have been compromised.

Step 5 — Two-factor authentication

Open VMP Security → Login Security. We strongly recommend requiring 2FA for at least the administrator role on any production site.

  1. In the 2FA Roles section, set the role to Required.
  2. Confirm the grace period is long enough for existing administrators to enroll without being locked out.
  3. Have each administrator enroll their own authenticator app from the same Login Security page. Store recovery codes somewhere durable.

For sites where editors or other roles can publish content, extend the requirement to those roles too.

Step 6 — Alerts and Portal connection

Open VMP Security → All Options and scroll to the email-alerts section. Confirm:

  • The recipient email address is one that someone actually reads.
  • Critical alerts (administrator sign-in, plugin/theme modified, scan failed, scan finding) are enabled.
  • The high-frequency alerts (each individual IP block, each individual login failure) are off in favor of their rate-limited equivalents.

Finally, connect the site to VMP Security Portal from VMP Security → Portal. Portal is free, gives you fleet-wide visibility, and unlocks more flexible alert routing. The Portal connection article walks through it.