Help Documentation

VMP™ Security plugin documentation and support

Free Support

Support for users of the free version of the plugin is available on our support forums. The majority of features shown are available in the free version of VMP™ Security which helps protect millions of sites around the world.

Go to support forums

Access Upgraded Support Now

Our support engineers, equipped in Premium tickets within a few hours on weekdays, will be pleased to help you with advanced topics, provide comprehensive answers to your questions, and respond to all others in 24 hours or less.

Premium Support

Scan

The VMP Security scanner inspects your WordPress site for evidence of compromise: modified core files, malware signatures, suspicious code patterns, vulnerable component versions, configuration weaknesses, and content that has been tampered with. Where the firewall blocks attacks before they take effect, the scanner finds the things that have already gone wrong (or might soon) so you can act on them before they do real damage.

In This Article

What a scan checks

A full scan looks at:

  • Every file in the WordPress installation, comparing core, theme, and plugin files against the official wordpress.org versions.
  • Every file’s contents against a database of known malware signatures.
  • Every installed component (core, plugins, themes) against the vulnerability database.
  • Posts, pages, and comments for suspicious payloads — obfuscated scripts, hidden iframes, links to known-malicious domains.
  • Server and WordPress configuration for issues like exposed backup files, debug mode left on, or weak admin passwords.
  • Whether your IP is on third-party reputation blocklists (Premium).

Scans run on a schedule and can also be started on demand. Scan duration depends on your site size, your server resources, and which options are enabled — from one minute on a small site with a Limited profile, to over ten minutes on a large site with all advanced options on.

If you suspect your site has already been compromised, see the “After a confirmed compromise” section of the Scan Results article for the recommended steps before, during, and after running a scan.

Scan status

Status circles

The Scan circles on the Dashboard show how thorough your current scan configuration is. To reach 100%:

  • Enable all options in the Standard profile (or your tuned equivalent).
  • Have a valid Premium license, which automatically enables Premium scan signatures and reputation checks.

The two Premium-tier circles — Malware Signatures and Reputation Checks — can only reach 100% with a Premium license. Free users top out at the indicated lower percentage; this is normal and is not a sign of misconfiguration.

If you are on a host with severe resource limits, the Limited profile is the right choice, even though it caps the displayed protection level. A scan that completes reliably on a Limited profile is more useful than a Standard-profile scan that times out partway through.

Severity levels

Findings have one of four severities: Critical, High, Medium, or Low.

  • Critical. Strong indicators of compromise. Investigate immediately.
  • High. Issues that should be examined as soon as possible. They may not be active threats yet but they create exposure.
  • Medium. Worth knowing about. Acting on these is good hygiene; not acting is unlikely to be immediately dangerous.
  • Low. Informational. Often safe to ignore but worth a glance.

Filtering only on Critical is tempting but a mistake on most sites. The most successful compromises tend to surface as High or Medium findings — suspicious-looking content, modified-but-not-yet-flagged files, components with newly-disclosed vulnerabilities — and bypassing those because they are not Critical means missing the cases that matter.

Scan profiles

Limited Scan

For sites on heavily-restricted hosting where Standard cannot complete reliably. Skips the heavier checks and uses conservative resource caps.

Standard Scan

The default. Enables core, theme, and plugin file-integrity checks; malware signatures; vulnerability and outdated-component checks; content safety; public-file leaks; password strength; and the user/option audits. This is the right choice for an everyday safety net on a typical WordPress site.

High Sensitivity

For sites you suspect have been compromised. Adds the heaviest checks — including treating image and binary files as if they could contain executable code — and uses higher resource caps. Slower than Standard; finds more, but with a higher false-positive rate.

Custom Scan

If you mix and match individual options outside any of the named profiles, the page labels the resulting configuration as Custom. There is no functional difference; the label just tells you that you are not on a known profile.

Scan stages

A scan is divided into stages so it can run within typical PHP timeouts. The progress UI shows a check icon for each completed stage and a warning icon for stages that found issues. The stages, with the options each one runs, are:

Reputation

  • Check whether your site appears in spam-distribution lists.
  • Check whether your site IP is generating spam.
  • Check whether your site or hostname is on third-party domain blocklists.

Server state

  • Disk space monitoring.
  • Visitor-IP detection sanity check.
  • PHP version (always checked, cannot be disabled).
  • Firewall status check.
  • Detection of paths the default scan does not cover.

File changes

  • Files in core directories that should not be there.
  • Plugin files vs. wordpress.org versions.
  • Theme files vs. wordpress.org versions.
  • Core files vs. wordpress.org versions.

Malware

  • Pattern-match against known malware signatures.
  • File-content scan for backdoors, trojans, and suspicious code.

Content safety

  • Scan comments for known dangerous URLs and suspicious content.
  • Scan posts for known dangerous URLs and suspicious content.
  • Scan file contents for malicious URLs.

Public files

  • Quarantined files reachable from the public web.
  • Configuration, backup, or log files reachable from the public web.

Password strength

  • Dictionary check on administrator passwords (hashes never leave the site).

Vulnerability scan

  • Cross-reference WordPress, plugin, and theme versions against the vulnerability database.
  • Flag abandoned components.

User and option audit

  • WordPress core, plugin, and theme options scanned for malicious URLs and suspicious values.
  • Detection of admin users created outside the standard WordPress user-creation flow.

Working with scan results

Each finding has a row of available actions:

Ignore

Marks the finding as a known false positive so future scans do not surface it. Use only when you have positively determined the finding is benign — for example, a custom-modified core file you intentionally changed for your build.

View file

Shows the contents of the affected file in a read-only viewer. Safe to use on suspected malware: the file is rendered as text, not executed.

View differences

For modified-file findings, shows a side-by-side diff between the version you have and the official version. Examine the changes. Garbage-looking text appended to a file is almost always malicious; clean PHP or HTML additions are usually intentional theme or core customizations and should be ignored rather than reverted.

Repair file

For files belonging to WordPress core or to a plugin/theme from wordpress.org, replaces your version with the official one. The plugin offers to download a copy of the existing file before repair so you can restore it if the change turns out to be wrong.

Delete file

Removes a file. The wp-config.php file is exempted because deleting it always breaks the site.

Be careful with the bulk Delete all deletable files action. It is intended for the specific case where a compromise has dropped many malicious files into the installation; on any other site it can remove legitimate custom code without recovery. Premium themes and plugins, in particular, do not have repository files for restore, so deleting and reinstalling from a fresh download is the safer recovery path.

Mark as fixed

Hides the finding from the current view. The next scan will re-evaluate; if the underlying issue is gone, the finding stays gone, otherwise it returns. Useful for working through a long results list one item at a time.

Frequently Asked Questions

Allowed memory size exhausted

Switch to the Limited scan profile, or raise PHP’s memory_limit. The Scan Troubleshooting article has more options.

Error connecting to scanning servers

The site cannot reach our infrastructure to fetch checksums and signatures. Check the Connectivity section of the Diagnostics page; the most common causes are WP_HTTP_BLOCK_EXTERNAL without an accessible-hosts list, host-level outbound firewall rules, or DNS misconfiguration.

Red errors in the scan log

Errors in the activity log are not always from the plugin — other plugins, themes, and even WordPress itself surface errors there too. The filename in each error usually identifies which plugin produced it. If the error is from VMP Security and immediately precedes a stalled scan, it is worth a support ticket.

Scan Options

Configure what the VMP Security scanner checks, including file integrity, malware, and reputation checks.

Scan Results

Understand and act on the issues reported by a VMP Security scan.
Contents