Help Documentation

VMP™ Security plugin documentation and support

Free Support

Support for users of the free version of the plugin is available on our support forums. The majority of features shown are available in the free version of VMP™ Security which helps protect millions of sites around the world.

Go to support forums

Access Upgraded Support Now

Our support engineers, equipped in Premium tickets within a few hours on weekdays, will be pleased to help you with advanced topics, provide comprehensive answers to your questions, and respond to all others in 24 hours or less.

Premium Support

Blocking Troubleshooting

If a visitor or administrator is being unexpectedly blocked, the goal is to identify which layer is doing the blocking and why, then either remove the block or adjust the configuration so it does not happen again. This article walks through that process in order of likelihood.

In This Article

Identifying the source of the block

VMP Security has several blocking layers, each with a different cause and fix:

  • Firewall rule match. Triggered by a request that looked like an attack. Block page identifies the rule that matched.
  • Brute-force lockout. Triggered by repeated failed logins from the same IP. Block message mentions failed login attempts and a duration.
  • Rate limit. Triggered by too many requests too fast. Block message mentions request rate.
  • Country block. Triggered by the visitor’s country being on the blocklist.
  • Manual IP block. Triggered by an entry an administrator added by hand.
  • Real-Time IP Blocklist. The visitor’s IP is currently attacking other VMP-protected sites and was added to the live blocklist (Premium).

The block page itself usually tells you which layer fired. Look at it (or get the visitor to send you a screenshot). The reason given on the block page is the fastest path to the right fix.

If the visitor is not yours and you have to investigate from your side, find the request in VMP Security → Tools → Live Traffic. Filter by IP. Live Traffic shows the matched rule, the rate at the time, and the visitor’s country.

When the administrator is locked out

If you are the administrator and you have locked yourself out:

  1. If you have access to another administrator account on the site, sign in with that and remove your IP from the blocked list.
  2. If you have access to a different IP (different network, mobile data, VPN), sign in from there. The block is per-IP; a different IP gets you back in.
  3. If neither of those is possible, you can disable the plugin from the file system. SFTP into the site, open wp-content/plugins/vmpfence-security/, and rename the plugin folder (e.g. vmpfence-security.disabled). WordPress will deactivate the plugin and the block will be lifted. Sign in, rename the folder back, and reactivate from the WordPress admin.
  4. For brute-force lockouts specifically, the lockout duration eventually expires (default 4 hours). If you can wait, that is the cleanest fix.

To prevent re-locking yourself out, add a stable IP you administer from to the “Allowlisted IP addresses that bypass all rules” box on the Firewall Options page.

Removing IP blocks

From VMP Security → Blocking (the Blocked IPs tab), you can:

  • See every currently-blocked IP, the reason for each block, and the time remaining before the block expires.
  • Unblock a specific IP. The block is removed immediately and the IP can reach the site again.
  • Unblock everything. Use this only when you have made a mistake with a configuration change — for example, a too-aggressive country block that swept up your audience — and need to reset.

Unblocking does not change the underlying configuration; if the same IP triggers the same condition again, it will be blocked again. If you want to permanently exempt an IP, add it to the allowlist instead.

Adding an allowlist entry

The allowlist exempts an IP, IP range, or specific request pattern from blocking. The relevant fields are on Firewall → Firewall Options:

  • Allowlisted IP addresses that bypass all rules. Use for stable IPs you control: office network, VPN exit, payment provider callbacks. The IP bypasses all firewall rules, brute-force protection, rate limits, and country blocking.
  • Allowlisted services. Pre-built allowlists for common services such as Sucuri, Facebook, Uptime Robot, StatusCake, and ManageWP — tick the box for any service whose probes you do not want blocked.
  • Allowlisted URLs / parameters. Use for legitimate traffic that triggers a specific firewall rule. The entry is scoped to the URL and parameter that matched, so it does not waive the rule everywhere.

When the block is not from VMP Security

VMP Security’s block page identifies itself by name and gives a reason for the block. If a visitor is seeing a generic 403, 429, or “forbidden” page that does not mention VMP Security, the block is coming from somewhere else in your stack. Common culprits, in order of likelihood:

  • Host-level mod_security or similar WAF. Many shared hosts run their own WAF in front of WordPress. The host’s control panel usually has a section to view recent blocks and allowlist requests.
  • CDN WAF. Cloudflare, Sucuri, and other CDNs often include their own WAF that can block before traffic reaches your origin. Check the CDN’s firewall events.
  • An .htaccess rule. A previous administrator may have added a Deny rule. Open the file and look for RequireAll, RequireAny, or Deny from directives.
  • Another security plugin. If multiple security plugins are installed, any of them could be doing the block. The Live Traffic page only shows blocks made by VMP Security; other plugins have their own logs.

If after checking the above you cannot identify the block, the host’s server error log usually records the reason. Contact your host’s support and ask them to look up the block for the visitor’s IP at the relevant time.

Contents