Help Documentation

VMP™ Security plugin documentation and support


Login Security Options

The Login Security page is where you configure two-factor authentication, optional CAPTCHA on login and registration forms, WooCommerce integration, and general login-related options. This article covers the settings on that page; for instructions on setting up 2FA on individual user accounts, see the Two-Factor Authentication article.

Two-Factor Authentication options

User Summary

The user summary table counts how many users in each role have 2FA active and how many do not. On sites with very large user counts, the page replaces the live count with a button you click to compute it on demand — counting users by role can be slow on a database with hundreds of thousands of accounts.

If you have required 2FA for a role, the inactive column links to the list of users who are still in their grace period or have already been locked out for failing to enroll.

For multisite installations, the count covers the main site only. Use the Users page on each sub-site to see 2FA status across the network.

2FA Roles

By default, only administrators are allowed to use 2FA. You can enable it for any role from the Roles section. For each role you have three choices:

  • Required. Members of this role must enable 2FA to sign in. They get a grace period from the date the requirement was set.
  • Optional. Members can enable 2FA but are not required to.
  • Disabled. Members cannot use 2FA at all. Not available for the administrator role.

When 2FA is required for administrators, the requirement does not actually take effect until at least one administrator has enrolled. This safeguard prevents you from locking yourself and every other administrator out at the moment you save the setting.

For ecommerce sites, requiring 2FA for the customer role is generally not recommended — some customers will struggle to set it up and some fraction will abandon their account rather than complete the setup. The Optional setting on customer roles is usually the right balance.

Grace Period

The grace period is how long a user has to enroll in 2FA after the role requirement is set, before they are locked out. The default is reasonable for most sites; lengthen it if your users are slow to act on email instructions, shorten it if you want to push a faster rollout.

Administrators do not get a grace period by default. If you create a new administrator, you can opt them into a grace period by ticking the corresponding option on their user-edit page.

If a user is already locked out for failing to enroll, you can grant them a fresh grace period from their profile. You can also revoke a manually-granted grace period if you change your mind.

We recommend communicating the upcoming requirement to your users before turning enforcement on, so the grace period serves as a reminder rather than a surprise.

Allow remembering device for 30 days

When this option is on, the 2FA prompt at sign-in offers a checkbox to remember the device. After a successful 2FA on a remembered device, the user can sign in for 30 days from that browser without re-entering a code. The trade-off is user convenience against a slightly weaker overall security posture.

Require 2FA for XML-RPC authentication

Set to Skipped by default; switch it to Required if you want XML-RPC authentication to enforce 2FA. XML-RPC is a common target for password-guessing attacks, so requiring 2FA on XML-RPC closes that bypass — but breaks compatibility with legacy clients (see below).

Most plugins and apps that require authenticated XML-RPC are not compatible with this option. The mobile WordPress app, for example, does not handle TOTP at sign-in. If you have a use case that needs XML-RPC authentication, either skip the requirement (less secure) or restrict XML-RPC to specific allowlisted IPs (more secure than skipping). For new integrations, the Application Passwords feature in modern WordPress is a better path than legacy XML-RPC.

Disable XML-RPC authentication

Rejects all authenticated XML-RPC requests, regardless of 2FA status. Not compatible with the WordPress mobile app, Jetpack, or most external services that authenticate via XML-RPC.

WooCommerce and custom integrations

WooCommerce integration

Enable this option if you use WooCommerce and want VMP Security’s 2FA and CAPTCHA features to apply on the WooCommerce account pages, not just the standard WordPress login. After enabling, test your login flow to confirm there are no conflicts with other plugins that modify the login form.

Show 2FA management on the WooCommerce account page

When the customer role is allowed to use 2FA, this option exposes 2FA setup on the WooCommerce account page so customers can enroll without needing access to the WordPress admin. Available only after WooCommerce integration is enabled.

2FA management shortcode

For sites that build custom account pages outside of WooCommerce, the shortcode [vmpfence_2fa] places the 2FA setup interface on any page. The shortcode is the right tool when your account pages are template-managed by a membership plugin or theme rather than provided by WordPress core or WooCommerce. The shortcode must first be enabled in Login Security settings.

CAPTCHA

The CAPTCHA option adds a Google reCAPTCHA v3 check to the login and registration forms. v3 does not interrupt the user with a visible challenge; it scores each request, and the site decides whether to allow, deny, or require further verification based on the score.

Enabling CAPTCHA

Enable the option, then enter the v3 site key and secret from your Google reCAPTCHA admin console. The CAPTCHA only applies to the standard WordPress login and registration forms (and the WooCommerce ones, with WooCommerce integration enabled). Custom login forms from third-party plugins or themes are not covered.

Score threshold

Google returns a score between 0 (likely bot) and 1 (likely human) for each request. The threshold determines what counts as a pass. The default of 0.5 is a reasonable starting point; lower it (0.3–0.4) if too many real users are blocked, raise it (0.6–0.7) if too many bots are getting through. Save the page after adjusting; the new threshold takes effect immediately.
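An added example (not the plugin's code) of the server-side decision the threshold drives, using constructed reCAPTCHA v3 siteverify response bodies: besides comparing the score to the threshold, it checks the response's action and hostname so a token issued for a different form or site is not accepted. The hostname, action name and scores are assumptions.

```python
import json

DEFAULT_THRESHOLD = 0.5  # the plugin's default; 0.3-0.4 is looser, 0.6-0.7 stricter

def captcha_passes(verify_body: str, threshold: float = DEFAULT_THRESHOLD,
                   expected_action: str = "login", expected_host: str = "example.com") -> bool:
    """Decide pass/fail from the JSON body of a reCAPTCHA v3 siteverify response.

    Score alone is not enough: the token should have been issued for this form
    (action) on this site (hostname); otherwise a token scored elsewhere could be
    replayed against the login form. Malformed or failed responses never pass.
    """
    try:
        r = json.loads(verify_body)
    except ValueError:
        return False
    if not r.get("success"):
        return False
    if r.get("action") != expected_action or r.get("hostname") != expected_host:
        return False
    try:
        return float(r["score"]) >= threshold
    except (KeyError, TypeError, ValueError):
        return False

# Constructed siteverify bodies (real ones come from Google's verification endpoint).
HUMAN = '{"success": true, "score": 0.9, "action": "login", "hostname": "example.com"}'
BORDERLINE = '{"success": true, "score": 0.45, "action": "login", "hostname": "example.com"}'
BOT = '{"success": true, "score": 0.1, "action": "login", "hostname": "example.com"}'
OTHER_FORM = '{"success": true, "score": 0.9, "action": "contact", "hostname": "example.com"}'
OTHER_SITE = '{"success": true, "score": 0.9, "action": "login", "hostname": "other.example"}'
INVALID = '{"success": false, "error-codes": ["timeout-or-duplicate"]}'

def outcomes(threshold: float = DEFAULT_THRESHOLD) -> dict:
    """Pass/fail for each constructed response at the given threshold."""
    bodies = {"human": HUMAN, "borderline": BORDERLINE, "bot": BOT,
              "other_form": OTHER_FORM, "other_site": OTHER_SITE, "invalid": INVALID}
    return {name: captcha_passes(body, threshold) for name, body in bodies.items()}

if __name__ == "__main__":
    for t in (0.4, 0.5, 0.7):
        print(t, outcomes(t))
```

Lowering the threshold to 0.4 is what lets the borderline 0.45 request through; the other rejections do not depend on the threshold at all.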

General

Allowlisted IPs that bypass 2FA and CAPTCHA

For trusted networks (your office, a corporate VPN exit), you can allow sign-in from specific IPs without 2FA and without the CAPTCHA. Use this sparingly — an attacker who reaches the same network gets the same bypass.

How does VMP Security get IPs?

If your site is behind a proxy, set how the plugin should determine the visitor IP. The default uses the most reliable method available; choose a specific option only if you have an unusual proxy chain. Get this right; otherwise the IP allowlist (and every other per-IP feature) will not work.
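As an added illustration (not the plugin's code) of why the proxy setting matters for the allowlist: a naive resolver that trusts X-Forwarded-For from anyone lets a visitor pick the address the allowlist sees, while a resolver that honours the header only from a configured list of trusted proxies does not. The proxy range, office range and addresses are constructed.

```python
import ipaddress
from typing import List, Optional

def _parse(ip: str):
    """Return an ip_address object, or None if the text is not an IP literal."""
    try:
        return ipaddress.ip_address(ip.strip())
    except ValueError:
        return None

def naive_client_ip(remote_addr: str, forwarded_for: Optional[str]) -> str:
    """The weak setting: trust X-Forwarded-For from anyone. Any visitor can send the
    header, so this lets them choose the address the allowlist is checked against."""
    return forwarded_for.split(",")[0].strip() if forwarded_for else remote_addr

def client_ip(remote_addr: str, forwarded_for: Optional[str], trusted_proxies: List[str]) -> str:
    """The corrected setting: honour X-Forwarded-For only when the TCP peer is one of
    our own proxies, then walk the chain from the right skipping trusted hops; the first
    untrusted hop is what the nearest trusted proxy actually saw. Assumes each proxy
    appends the address it saw to the header (usual reverse-proxy behaviour)."""
    nets = [ipaddress.ip_network(p) for p in trusted_proxies]
    def trusted(ip: str) -> bool:
        addr = _parse(ip)
        return addr is not None and any(addr in n for n in nets)
    if not forwarded_for or not trusted(remote_addr):
        return remote_addr
    for hop in reversed(forwarded_for.split(",") + [remote_addr]):
        if trusted(hop):
            continue
        addr = _parse(hop)
        return str(addr) if addr is not None else remote_addr  # garbage hop: do not guess
    return remote_addr  # every hop was one of ours; nothing better than the peer

def allowlisted(ip: str, allowlist: List[str]) -> bool:
    addr = _parse(ip)
    return addr is not None and any(addr in ipaddress.ip_network(a) for a in allowlist)

# Constructed scenario: an allowlisted office range, an internal reverse proxy, and an
# outside visitor who sends a header claiming an office address.
OFFICE, PROXIES = ["203.0.113.0/24"], ["10.0.0.0/8"]
OUTSIDER, PROXY, CLAIMED = "198.51.100.7", "10.0.0.2", "203.0.113.5"

def scenarios() -> dict:
    """Whether each request ends up bypassing 2FA/CAPTCHA via the allowlist."""
    return {
        "naive_direct": allowlisted(naive_client_ip(OUTSIDER, CLAIMED), OFFICE),
        "strict_direct": allowlisted(client_ip(OUTSIDER, CLAIMED, PROXIES), OFFICE),
        "strict_via_proxy": allowlisted(client_ip(PROXY, f"{CLAIMED}, {OUTSIDER}", PROXIES), OFFICE),
        "office_via_proxy": allowlisted(client_ip(PROXY, CLAIMED, PROXIES), OFFICE),
    }
```

Only the genuine office request through the trusted proxy should bypass; if the naive resolver is what your setting amounts to, the allowlist is not a control at all.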

NTP

2FA codes depend on the server clock matching real time to within about 30 seconds. The plugin can use NTP to check the server clock; if the clock has drifted, the NTP correction keeps 2FA codes validating. Some shared hosts block outbound NTP, in which case the plugin falls back to trusting the server clock as-is.
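To see why the roughly 30-second tolerance matters, here is an added example (not the plugin's code) that implements RFC 6238 TOTP with a one-step verification window and reports which server clock drifts still accept the code a correctly-timed authenticator shows. The secret is the RFC test-vector key and the timestamp is constructed.

```python
import hashlib
import hmac
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default; the ~30 s tolerance refers to this)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP keyed on the step number of the given Unix time."""
    return hotp(secret, unix_time // STEP)

def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Accept the code if it matches the server's current step or any step within
    +/- `window`; window=1 tolerates roughly one step (30 s) of skew either way."""
    current = server_time // STEP
    return any(hmac.compare_digest(hotp(secret, current + k), code)
               for k in range(-window, window + 1))

# Constructed demo secret (the RFC 6238 test-vector key); real secrets are random and per-user.
SECRET = b"12345678901234567890"

def drift_outcomes(drifts, true_time: int = 1_700_000_000) -> dict:
    """For each server clock drift in seconds (positive = server ahead of true time),
    report whether the code a correctly-timed authenticator shows at `true_time`
    is accepted by a server whose clock reads `true_time + drift`."""
    phone_code = totp(SECRET, true_time)
    return {d: verify(SECRET, phone_code, true_time + d) for d in drifts}

if __name__ == "__main__":
    for drift, ok in drift_outcomes([0, 25, 60, -45, -90]).items():
        print(f"server clock off by {drift:+4d}s -> {'accepted' if ok else 'REJECTED'}")
```

A drift of a minute or more pushes the server two or more steps away from the authenticator, and every code the user types is rejected even though their phone is right.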

Delete Login Security tables and data on deactivation

If checked, deactivating the plugin removes the Login Security tables, settings, and user 2FA enrollments. Useful when uninstalling cleanly; do not enable for routine deactivations because re-enabling later means every user has to re-enroll.