Help Documentation

VMP™ Security plugin documentation and support

Free Support

Support for users of the free version of the plugin is available on our support forums. The majority of features shown are available in the free version of VMP™ Security which helps protect millions of sites around the world.

Go to support forums

Access Upgraded Support Now

Our support engineers, equipped in Premium tickets within a few hours on weekdays, will be pleased to help you with advanced topics, provide comprehensive answers to your questions, and respond to all others in 24 hours or less.

Premium Support

Firewall Options

The Firewall Options page is the central configuration page for the VMP Security WAF. From here you set the firewall’s overall mode, enable or disable individual rule categories, configure the more aggressive defenses, and manage the allowlist. Changes take effect immediately when you save.

In This Article

Web Application Firewall Status

The status field controls whether the firewall is actively evaluating traffic. It has two values:

  • Enabled and Protecting. The normal operating mode. The firewall evaluates every request against its rules and blocks anything that matches.
  • Disabled. The firewall is not evaluating traffic. Use only if you are debugging an issue and need to confirm the firewall is involved, then turn it back on as soon as you have an answer.

The plugin does not have a separate observation/learning mode. False positives are handled by adding URL/parameter pairs to the allowlist (see below).

Protection Level

The Protection Level box shows whether the firewall is running in Basic WordPress Protection mode (loaded as a regular WordPress plugin, after WordPress has started) or Extended Protection mode (loaded before WordPress via an auto_prepend_file entry in .htaccess). Click OPTIMIZE THE VMP FIREWALL to upgrade to Extended Protection. The wizard creates a small loader file (vmp-waf.php) at the WordPress root, edits .htaccess, and backs up the original .htaccess first. To revert, use the REMOVE EXTENDED PROTECTION button on the same page.

Real-Time IP Blocklist

When enabled, the plugin syncs a list of IP addresses that are actively attacking other WordPress sites and blocks them automatically. Sync runs hourly. This is a Premium feature.

Advanced firewall options

Expand the Advanced Firewall Options section for finer-grained controls:

  • Allowlisted IP addresses that bypass all rules. One IP, IP range (e.g. 127.0.0.1/24 or 127.0.0.1-127.0.0.100), or IPv6 prefix per line. Private networks are allowlisted automatically.
  • Allowlisted services. Pre-built allowlists for common services such as Sucuri, Facebook, Uptime Robot, StatusCake, and ManageWP.
  • Immediately block IPs that access these URLs. A list of trap URLs (such as /wp-config.php) — any IP requesting them is banned outright.
  • How long is an IP address blocked when it breaks a rule. Default lockout duration for IP blocks generated by rate limiting, brute force, or rule violations.

Allowlisted URLs

The allowlist table near the bottom of the Firewall Options page lists URL/parameter pairs that the firewall should not test. Use it to silence false positives without disabling the underlying rule.

Entries can be added in three places:

  • From the firewall block page itself, when you (a logged-in admin) hit a block.
  • From Tools → Live Traffic, by clicking the “Add to allowlist” action on a blocked entry.
  • By hand on this page, by adding a URL and the parameter names that should be ignored.

Removing an entry is safe: the firewall starts enforcing again, and if the original block returns, you can re-add the entry from the block page or Live Traffic.

Contents