Help Documentation

VMP™ Security plugin documentation and support

Free Support

Support for users of the free version of the plugin is available on our support forums. The majority of features shown are available in the free version of VMP™ Security which helps protect millions of sites around the world.

Go to support forums

Access Upgraded Support Now

Our support engineers, equipped in Premium tickets within a few hours on weekdays, will be pleased to help you with advanced topics, provide comprehensive answers to your questions, and respond to all others in 24 hours or less.

Premium Support

Allowlisting URLs and Handling False Positives

The VMP Security Web Application Firewall does not have a separate “Learning Mode” that observes traffic without blocking. The firewall is either Enabled and Protecting or Disabled. False positives — legitimate requests that happen to match an attack pattern — are handled by adding the URL and parameter to the firewall’s allowlist.

In This Article

What allowlisting does

An allowlist entry tells the firewall to skip rule evaluation for a specific combination of request URL and parameter. Future requests that match that URL/parameter pair are not tested against the WAF rules and therefore cannot be blocked by them.

Allowlist entries do not disable the firewall globally, and they do not affect Brute Force Protection, country blocking, or the IP blocklist — those layers continue to apply.

Allowlisting from the block page

If the firewall blocks a request you initiated yourself while logged in as an administrator, the 403 block page includes a button to add the offending parameter to the allowlist. This is the fastest path for one-off false positives. The page also shows the rule that matched, the request URL, and the parameter name — useful when filing a support ticket if the block looks wrong.

Allowlisting from Live Traffic

  1. Open VMP Security → Tools and switch to the Live Traffic tab.
  2. Locate the blocked request in the table (filter by status if needed).
  3. Use the row action to add the request’s URL/parameter pair to the allowlist.

This is the right place to start if a non-administrator on your site reported being blocked — you can find the blocked request in the log without having to reproduce it yourself.

Allowlisting from Firewall Options

For manual entries, open VMP Security → Firewall → Firewall Options and scroll to the allowlist table near the bottom of the page. You can add, edit, and remove entries here. Each entry is a URL/parameter pair, optionally restricted to a particular HTTP method or rule ID.

“Background Request Blocked” notices

Some requests sent by your browser in the background (XHR/fetch from the WordPress admin or a frontend builder) can match firewall rules. When that happens, an administrator who is logged in sees a small “Background Request Blocked” notice on the page. The notice includes a one-click button to allowlist the request if you know it is safe. Regular visitors and lower-privileged users do not see these notices.

If a background request comes from a link sent to you by another person or another site, do not allowlist it without understanding what it does — that is the case where the firewall is most likely doing its job correctly.

Contents