Help Documentation

VMP™ Security plugin documentation and support

VMP Security Web Application Firewall (WAF)

The VMP Security Web Application Firewall is a PHP based, application level firewall that filters out malicious requests to your site.

What it Protects Against

The VMP Security Web Application Firewall (WAF) protects against a number of common web-based attacks as well as a large number of attacks specifically targeted at WordPress and WordPress themes and plugins. It is set up to run at the beginning of WordPress’ initialization to filter any attacks before plugins or themes can run any potentially vulnerable code. Some of the more general types of attacks we protect against are:

  • SQL Injection: Unsanitized SQL code that can compromise a database system.
  • Cross Site Scripting (XSS): Unsanitized HTML or JavaScript code used to hijack a user or administrator’s browser session and perform actions as the user.
  • Malicious File Upload: Unsanitized files containing malicious code that can be uploaded to and executed by the web server.
  • Directory Traversal: Unsanitized path names that can be used to trick the web server into serving files containing credentials or other potentially sensitive information.
  • Local File Inclusion: Unsanitized path/file names that can be used to execute potentially malicious code available to the web server’s file system.
  • External Entity Expansion (XXE): A “feature” of XML that can be used to trick the web server into serving files containing credentials or other potentially sensitive information.

Firewall rules

The VMP Security firewall also has a number of rules that match known attacks commonly seen and exploited in the wild. The patterns for these attacks are specific and require minimal processing in determining if the request matches. The firewall also uses a number of generic rules that use pattern matching to determine if a request appears to be malicious. These are designed to prevent hackers from exploiting “0-day” vulnerabilities for known types of attacks.

VMP Security automatically updates the firewall rules from the servers in our network operations center, without you having to update the plugin itself. For Premium members, the rules that protect you are updated in real time as new threats emerge. Premium users receive an additional layer of protection. When we add new rules, our servers “ping” your site to prompt VMP Security to download the latest rules, so that you are automatically protected from attackers as new threats emerge. Users of the free version of VMP Security receive the community version of the rules 30 days later.

Firewall Status

Status Circles

The firewall status circle on the Dashboard and Firewall pages indicates how complete your current firewall configuration is. The colour scales from red (under 40%) through yellow and blue to green (80%+). To raise the score, the status modal (clickable on the circle) lists the specific items still needed; the most common are:

  • Enable Rate Limiting and Advanced Blocking. Enabled by default. Toggled in the Rate Limiting card on the Firewall page.
  • Keep all WAF rules enabled. All rules are enabled by default. Disabled rules can be re-enabled from Firewall → WAF Rules.
  • Optimize the firewall (switch from Basic Protection to Extended Protection). Done from Firewall → Firewall Options → Optimize the VMP Firewall.
  • Enable Brute Force Protection. Enabled by default; toggled in the Brute Force Protection card on the Firewall page.
  • Enable the Real-Time IP Blocklist (Premium). When on, attacker IP addresses that are actively hitting other WordPress sites are synced from the VMP Security network and blocked here automatically.

Free configurations have a natural ceiling below 100% because some of the items on the checklist (such as the Real-Time IP Blocklist and the premium signature feed) require a Premium license.

Firewall Mode

The Web Application Firewall Status dropdown has two values: Enabled and Protecting or Disabled. There is no separate observation or “learning” mode — allowlisted URLs and parameters are added manually (see the next section).

Firewall Optimization

As soon as you have installed VMP Security on your site, the firewall is activated and runs as a regular WordPress plugin (the Basic WordPress Protection level). To make the firewall more effective, you can Optimize the VMP Firewall from the Firewall Options page. This switches the protection level to Extended Protection, which loads the firewall before WordPress — so a malicious request can be blocked before any vulnerable plugin or theme code has a chance to run.

The optimizer wizard:

  • Detects whether your server is Apache or LiteSpeed (the optimizer relies on .htaccess, so it is not available on Nginx or IIS).
  • Creates a small loader file at the WordPress root, named vmp-waf.php.
  • Modifies your .htaccess so that PHP's auto_prepend_file setting loads that file before every PHP request.
  • Backs up your current .htaccess first and lets you download the backup.

You can revert the optimization at any time from the same Firewall Options page (the REMOVE EXTENDED PROTECTION button) — the loader file is removed and the .htaccess changes are reverted.

Allowlisted URLs and False Positives

The firewall uses pattern matching to identify malicious requests. Occasionally a non-malicious request matches a rule and is blocked — a false positive. To exclude such a request from the rules:

  • From the firewall block page, if you are viewing it as a logged-in administrator, click the button to add the request to the allowlist.
  • From Tools → Live Traffic, locate the blocked request and use the “Add to allowlist” action.
  • From Firewall → Firewall Options, manage allowlisted URL/parameter pairs directly in the table near the bottom of the page.

Visits blocked by the firewall display a 403 page that mentions VMP Security and the rule that fired. Background requests blocked by the firewall (XHR/fetch) show a small “Background Request Blocked” notice; the notice is only visible to logged-in administrators and includes a one-click allowlist button.
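
How a URL/parameter allowlist narrows a pattern-matching rule, shown as an added example that is not VMP Security's own code. The rule pattern, the paths and the parameter names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed generic rule, not one of VMP Security's: any parameter value
# containing an opening script tag is treated as a possible XSS attempt.
GENERIC_XSS = re.compile(r"<\s*script\b", re.IGNORECASE)

# Allowlist entries are (URL path, parameter name) pairs. Both are hypothetical.
ALLOWLIST = {("/wp-admin/admin-ajax.php", "custom_html")}


def inspect(url, body=None):
    """Return ('block', param) for the first offending parameter."""
    parts = urlsplit(url)
    # parse_qsl percent-decodes, so encoded payloads are matched as well.
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += list((body or {}).items())
    for name, value in params:
        if not GENERIC_XSS.search(value):
            continue
        if (parts.path, name) in ALLOWLIST:
            continue  # exempt only this parameter on this exact path
        return ("block", name)
    return ("allow", None)


# Constructed requests: an admin saving a tracking snippet, and the same
# value arriving in places the allowlist does not cover.
SAMPLES = [
    ("/wp-admin/admin-ajax.php", {"custom_html": "<script>track()</script>"}),
    ("/wp-admin/admin-ajax.php", {"title": "<script>track()</script>"}),
    ("/contact.php", {"custom_html": "<script>track()</script>"}),
    ("/search?q=%3Cscript%3Etrack()%3C%2Fscript%3E", None),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(url, inspect(url, body))
```

Only the first sample is allowed: the exemption follows the exact path and parameter, so the same value is still blocked in any other field or on any other URL.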

Disabling the Firewall

Open Firewall → Firewall Options, set the Web Application Firewall Status to Disabled, and click Save Changes.

If the admin UI is unreachable, you can disable Extended Protection by removing the auto_prepend_file directive from .htaccess and deleting vmp-waf.php at the WordPress root. After that, deactivate or uninstall the plugin from Plugins → Installed Plugins as you would any other plugin.

Files Used by the Firewall

VMP Security stores its firewall configuration and signatures inside the WordPress database (in tables prefixed with vmpfence_). The Real-Time IP Blocklist, GeoIP database, and audit data are also stored in the database, not in flat files. The plugin does not use a wp-content/wflogs/ directory.

The only on-disk firewall artefacts created by VMP Security are:

  • vmp-waf.php — the Extended Protection loader, placed at the root of your WordPress installation when the firewall is optimized. Removed automatically when you remove Extended Protection.
  • .htaccess — an existing file modified by the optimizer to set auto_prepend_file to the loader. The optimizer backs the original up to wp-content/vmpfence-backups/ before changing it.
  • An on-disk debug log under the WordPress uploads directory (wp-content/uploads/vmpfence/) when debug logging is enabled.

Frequently Asked Questions

I am locked out of my site

If you were blocked by VMP Security, the block page mentions “VMP Security” and gives a reason. Include that reason when you contact support. For step-by-step recovery, see the Blocking Troubleshooting article.

PHP Fatal error: Failed opening required vmp-waf.php

When the firewall is set to Extended Protection, it loads through vmp-waf.php at the WordPress root. If that file is missing, every PHP request can fail with a 500 error similar to:

PHP Fatal error: Unknown: Failed opening required '/var/www/html/vmp-waf.php' (include_path='.:/usr/share/php') in Unknown on line 0

This usually happens when the file has been deleted (manually or by an automated process), or when the site has been moved and the absolute path baked into .htaccess no longer matches reality.

To recover, edit .htaccess and remove the auto_prepend_file line that points at vmp-waf.php. You can then re-run the optimizer from the Firewall Options page to recreate the loader at the correct path.
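
A check for the condition described above, as an added example that is not part of the plugin. It reports every active auto_prepend_file line in .htaccess whose target is missing or sits outside the WordPress root. The php_value line format and the directory names in the sample are assumptions, since the page does not show the exact line the optimizer writes.

```python
import re
import tempfile
from pathlib import Path

# Assumed directive shape; the page does not show the exact .htaccess line.
DIRECTIVE = re.compile(r"""auto_prepend_file\s+(['"]?)([^'"\s]+)\1""")


def audit_prepend(wp_root):
    """Return (status, path) for each active auto_prepend_file line."""
    root = Path(wp_root)
    htaccess = root / ".htaccess"
    if not htaccess.is_file():
        return [("no-htaccess", str(htaccess))]
    findings = []
    for line in htaccess.read_text(errors="replace").splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out directives are inert
        match = DIRECTIVE.search(line)
        if not match:
            continue
        target = Path(match.group(2))
        if not target.is_file():
            status = "missing"  # PHP cannot open the loader: fatal error
        elif target.parent.resolve() != root.resolve():
            status = "outside-root"  # loader from a previous location
        else:
            status = "ok"
        findings.append((status, str(target)))
    return findings


def demo():
    """Constructed site: .htaccess names a stale path, then the real one."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "new-home"
        site.mkdir()
        loader = site / "vmp-waf.php"
        loader.write_text("<?php // placeholder loader\n")
        stale = Path(tmp) / "old-home" / "vmp-waf.php"
        htaccess = site / ".htaccess"
        htaccess.write_text("# php_value auto_prepend_file '/unused.php'\n"
                            f"php_value auto_prepend_file '{stale}'\n")
        before = audit_prepend(site)
        htaccess.write_text(f"php_value auto_prepend_file '{loader}'\n")
        return before, audit_prepend(site)
```

Running audit_prepend against the site root after a migration, and before re-enabling traffic, shows whether the line needs to be removed and the optimizer re-run.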

Background Request Blocked

The VMP Security Firewall can block background requests that use AJAX, showing a message that says “Background Request Blocked”. This can prevent certain types of attacks, but some plugins and themes may cause this message as well, even when their requests are safe. It is most likely to occur when adding custom HTML or JavaScript code in fields that are separate from the WordPress core.

As the admin of the site, you can choose to allowlist these blocked requests by clicking the button to add the blocked request to the allowlist, if you were simply working on the site when they occur. The message is only shown for logged-in admins of the site, so regular visitors, subscribers, authors, editors, or other types of users on your site will not see them.

If you see this message when clicking a link that was sent to you by another person, or a link from another site that leads to your site, it may not be safe to add it to the allowlist. You can contact us about blocked requests if you are not sure whether they are dangerous or not. Be sure to include a description of what you were working on at the time.
