Help Documentation

VMP™ Security plugin documentation and support

Free Support

Support for users of the free version of the plugin is available on our support forums. The majority of features shown are available in the free version of VMP™ Security which helps protect millions of sites around the world.

Go to support forums

Access Upgraded Support Now

Our support engineers, equipped in Premium tickets within a few hours on weekdays, will be pleased to help you with advanced topics, provide comprehensive answers to your questions, and respond to all others in 24 hours or less.

Premium Support

All Options

The All Options page is the central place for plugin-wide settings that do not belong on a feature-specific page. The page is reached from the VMP Security → All Options menu item, or from the “Global Options” quick-link tile on the Dashboard. Most options have sensible defaults; you typically set them once at install time and rarely revisit them.

In This Article

General options

  • How does VMP Security get IPs? Tells the plugin how to identify the visitor’s real IP. The default (use REMOTE_ADDR) is correct for the majority of sites. If your site is behind a CDN or load balancer, change this to read from X-Forwarded-For or the trusted header your proxy sets. This option matters because per-IP defenses (rate limiting, brute force, country blocking) cannot work if the firewall thinks every visitor is the same proxy IP.
  • Trusted proxy IPs. When the “use forwarded header” option is set, this is the list of proxy IPs whose forwarded-for header is trustworthy. Requests from any other source IP fall back to REMOTE_ADDR. Setting this prevents an attacker from spoofing their visitor IP by sending a fake forwarded-for header from outside your trusted proxy list.
  • Plugin auto-update. Whether VMP Security itself should keep itself updated. Recommended: on. Security plugins are most useful when they are current.
  • Data retention on deactivation. Choose whether deactivating the plugin removes its database tables and meta entries, or leaves them behind so a later reactivation picks up where you left off.

Dashboard display

  • Dashboard widget. Toggle the WordPress dashboard widget that gives an at-a-glance security overview without leaving the WordPress admin home.
  • Live update intervals. Dynamic update intervals for the audit log table and dashboard live counters. Lower values produce faster UI updates at the cost of slightly more AJAX traffic.

Update settings

VMP Security receives a few kinds of updates: the plugin itself, firewall rules, malware signatures, and the vulnerability database. The Update section controls how each is fetched.

  • Background sync. The plugin syncs WAF rules, blocked IPs (for the Real-Time IP Blocklist on Premium), and malware signatures on its own schedule. The schedule uses WP-Cron by default; on low-traffic sites a real cron job hitting wp-cron.php is recommended so syncs are not delayed.
  • Auto-update plugin. When on, WordPress’s built-in auto-update mechanism keeps the plugin at the latest version.
  • Email alerts. Recipient address, which categories of events trigger an email, and the maximum hourly alert rate.

Data and privacy

The All Options page lets you adjust what local data is captured and how long it is retained:

  • Audit log retention. How long captured events are kept in the vmpfence_audit_log table.
  • Live Traffic mode and retention. How verbosely the request log captures visits, and how long entries are retained before auto-pruning.
  • Email summary excluded directories. Paths whose changes should not appear in the periodic email summary (useful for noisy upload-only directories).

License management

The License Management section is where you enter or remove a Premium license key. Free installations work without a key; you only need to fill this in to activate Premium features. After saving, the dashboard’s “Premium Protection” card flips to Enabled and the premium signature feed becomes active. To downgrade, clear the field and save.

Contents