Help Documentation

VMP™ Security plugin documentation and support

Free Support

Support for users of the free version of the plugin is available on our support forums. The majority of features shown are available in the free version of VMP™ Security which helps protect millions of sites around the world.

Go to support forums

Access Upgraded Support Now

Our support engineers, equipped in Premium tickets within a few hours on weekdays, will be pleased to help you with advanced topics, provide comprehensive answers to your questions, and respond to all others in 24 hours or less.

Premium Support

Blocking

In addition to the firewall’s pattern-matching defenses, VMP Security includes manual blocking tools you can use to shut down specific traffic sources you have identified as malicious. This article covers the manual block list and how to use each kind of block effectively.

In This Article

The blocking tools in VMP Security let you block:

  • A specific IP address, permanently.
  • An IP range or CIDR.
  • Whole countries via geo-IP lookup.
  • Custom patterns matching hostnames, User-Agent strings, referer headers, or combinations of those.

Blocking an IP address

Open VMP Security → Blocking and choose IP Address as the block type. Enter the IP, a reason describing why you are blocking it (this shows up in the block list and helps future you remember the context), and click Block this IP address. The block takes effect immediately.

You can also block an IP directly from the Live Traffic page by clicking on a request from that IP and using the block action there. The Live Traffic path is faster when you are reacting to a specific request you have just observed.

The current-blocks list also includes time-limited blocks. These come from automatic blocking — rule matches, brute-force lockouts, or rate-limit actions — that the plugin set up on its own. The duration is controlled by the “How long is an IP address blocked” option in the Rate Limiting settings. To make an automatic block permanent, select it in the list and click Make Permanent.

Manually blocking large numbers of individual IPs is rarely the right strategy. Most attack traffic comes from a constantly-shifting pool of compromised hosts, so individual IP blocks have a short useful life. The Real-Time IP Blocklist (Premium) does this much better automatically.

Country Blocking

Country Blocking is included in the free version of VMP Security. It uses geo-IP lookup to restrict access by country of origin. The lookup happens locally with a regularly-updated GeoIP database, so it adds no measurable latency to legitimate requests.

For the full configuration and tradeoffs (including how to handle VPN users, third-party callbacks, and CDN-fronted traffic), see the Country Blocking article.

Custom block patterns

Custom patterns let you block based on more than just an IP. You can match on:

  • An IP range or CIDR (more efficient than blocking each IP individually for sources that legitimately span a known range).
  • A hostname or hostname suffix (good for blocking entire hosting providers or ASNs by their reverse-DNS pattern).
  • A User-Agent string or pattern (good for known scanner User-Agents).
  • A Referer header value (good for stopping referer-spam campaigns from showing up in your stats).
  • Any combination of the above — the conditions are ANDed together.

Custom patterns sit on the same Blocking page as IP blocks. We recommend running a WHOIS lookup on suspicious traffic before adding a hostname or range block so you understand what you are about to cover — legitimate hosting providers that share infrastructure with attackers are easy to overshoot with a too-broad rule.

IP range syntax

An IP range is two IPs separated by a dash:

10.1.0.1 - 10.1.0.22

That covers all 22 addresses inclusive. Both IPv4 and IPv6 ranges are supported.

Hostname patterns

Asterisks act as wildcards in hostname patterns:

*.amazonaws.com
*.linode.com

Both rules block the entire hosting provider’s reverse-DNS suffix. Use these carefully — many of your legitimate users may also be served by hosting infrastructure that resolves into broad ranges. Test with a small sample before applying broadly.

User-Agent patterns

Asterisks again act as wildcards. *Android* blocks any User-Agent containing “Android” anywhere; Android* blocks any User-Agent starting with “Android”; *Android blocks any User-Agent ending with “Android.” All matching is case-insensitive. Each rule blocks one User-Agent pattern; multiple comma-separated User-Agents in a single rule are not supported.

Referer patterns

Same wildcard syntax as User-Agent and hostname. *example.com blocks any visitor whose Referer header ends in example.com. Useful against referer-spam campaigns that send fake referers to make their links appear in your traffic stats.

Combining conditions

You can combine an IP range, a User-Agent pattern, and a referer pattern in a single rule. Conditions are ANDed: the visitor must match every specified condition for the block to fire. This is the right tool when an attacker is identifiable by a combination of signals, but each signal alone would block too many legitimate visitors.

Removing a block

Select the block in the list and click Unblock. The block is removed immediately. Note that unblocking does not change the underlying configuration that originally triggered the block (rule, country, pattern), so an automatic block can re-trigger if the same condition occurs again.

To prevent re-blocking of an IP you have decided is legitimate, add it to the allowlist instead. Allowlisting is more durable than just unblocking.

Filtering and sorting the block list

The list filter accepts text matching against the Block Type, Detail, or Reason columns. Search for the keyword Lockout, IP Block, or Advanced Block to filter by block type.

For IP searches, partial matches against any prefix work. Searching 10.2. finds IPs in the 10.2.x.x range. Wildcard syntax with asterisks is supported but only matches whole octets — *.2.3.4 works, 1*.2.3.4 does not.

Click any column header to sort the list by that column. Clicking again reverses the direction. Sorting by date is the fastest way to find recent automatic blocks before they expire.

Frequently Asked Questions

I am locked out of my own site

If the block is from VMP Security, the block page identifies itself by name and gives a reason. The Blocking Troubleshooting article walks through how to get back in, including the SFTP escape hatch when no other path is available.

Can I export the blocked-IP list?

Yes. The Blocked IPs tab has an EXPORT ALL IPS button (added in 2.2.8) that downloads the current block list as a .txt file. The same page also supports bulk selection, bulk unblock, and bulk “Make Permanent” actions for efficient cleanup.

Country Blocking

Block traffic from specific countries based on geo-IP lookup — included in the free version.

Blocking Troubleshooting

Diagnose unintended blocks and resolve issues where legitimate visitors or admins are being blocked.
Contents