Login Security inside VMP Security
VMP Security ships login protection as part of the main plugin — there is no separate “Login Security” standalone plugin to install. This article explains where each login-related feature lives so you can find it quickly.
Where login protection lives
- Two-Factor Authentication (TOTP). VMP Security → Login Security. Enrol via QR code in any compatible authenticator app (Google Authenticator, Authy, 1Password, etc.). Per-role enforcement, per-user grace period, and 10 backup codes per user.
- reCAPTCHA v3 on login and registration. VMP Security → Login Security → CAPTCHA. Adds Google reCAPTCHA v3 with a configurable score threshold (default 0.5).
- Strong Password Enforcement. VMP Security → Firewall → the Strong Password Enforcement card.
- Username Harvest Protection (disable author archives). VMP Security → Firewall → the relevant card.
- Brute Force Protection. VMP Security → Firewall for the on/off toggle and Firewall → Firewall Options for the lockout thresholds, lockout duration, and trusted-IP allowlist.
- WooCommerce account-page integration. Login Security page (toggle plus optional “Show 2FA management on the WooCommerce account page”).
- XML-RPC handling. Login Security page — either require 2FA on XML-RPC or disable XML-RPC authentication entirely.
- Frontend 2FA management shortcode. Enable on the Login Security page; place the
[vmpfence_2fa]shortcode on any frontend page.
Why two locations
Brute Force Protection inspects every authentication request, so it is naturally part of the request-level firewall and lives on the Firewall page. 2FA, reCAPTCHA, and login-form hardening are user-account-level features and live on the dedicated Login Security page. Splitting them this way keeps each settings page focused.
Related articles
- For step-by-step user enrollment, see the Two-Factor Authentication article.
- For tuning lockout thresholds, see the Brute Force Protection article.
- For the underlying CAPTCHA settings, see the Login Security Options article.