Scan Options
The VMP Security scanner is the second pillar of the plugin’s defenses (the firewall is the first). Where the firewall blocks attacks as they arrive, the scanner looks for evidence of compromise that has already happened: changed core files, suspicious code patterns inside themes and plugins, known malware signatures, and configuration weaknesses. The Scan Options page is where you decide what the scanner checks during each run.
To open this page: VMP Security → Scan, then click Scan Options and Scheduling in the page header.
General scan options
The General Options section covers the most-used checks. Most are turned on by default for the Standard profile.
- Scan core files against repository. Compares your WordPress core files against the official copy of the same version. Any differences (extra files, modified files, missing files) are flagged. This is the single most reliable indicator of compromise on a WordPress site — legitimate operations almost never modify core files.
- Scan theme files against repository. The same comparison for themes installed from wordpress.org. Custom or commercial themes are not compared (the scanner has nothing to compare them to), but they are still scanned for malware patterns.
- Scan plugin files against repository. Same idea for plugins.
- Scan for known malware signatures. Pattern-matches every PHP, JavaScript, and HTML file on disk against a database of known malware. The signatures are updated by the plugin in the background — you do not have to manage them.
- Check for known vulnerabilities. Compares the version of WordPress core, every theme, and every plugin against the VMP Security Intelligence vulnerability database. Any installed version that has a known vulnerability is reported as a finding.
- Check for outdated components. Reports themes and plugins that have updates available. Useful even when no vulnerability is known — outdated components are statistically more likely to contain unfixed issues.
Advanced scan options
Advanced options catch more subtle problems. They run in addition to the general options when enabled. Most are off by default to keep scan times reasonable.
- Scan files outside your WordPress installation. Walks the parent directory of WordPress for files that should not be there (orphaned web shells, leftover backup archives). Useful for shared hosting where multiple sites share a parent directory.
- Scan images, binaries, and other non-PHP files for malware. Some malware hides inside files that are normally not executed — a fake JPEG that contains PHP, for example. This option checks every file regardless of extension.
- Scan for content posted to your site. Examines posts, pages, and comments in the database for suspicious payloads — spam links, hidden iframes, obfuscated scripts.
- Scan posts for the existence of dangerous URLs. Cross-references URLs in your content against a list of known phishing and malware-distribution domains.
- Scan public files for confidentiality leaks. Looks for backup files, environment files, version-control directories, and database dumps that have been accidentally left in a publicly reachable location.
- Check the strength of administrator passwords. Tries a small dictionary of common weak passwords against admin accounts. Password hashes never leave the site. Only admin accounts are tested.
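The malware-signature check in the General Options list and the non-PHP file check above work on the same principle: read each file's bytes and match them against known patterns, and treat a file whose extension says "image" but whose contents say "PHP" as a finding in its own right. The following is an added illustration of that principle, not code from VMP Security. The signature set is deliberately tiny and constructed, the sample files are constructed (the `eval()` sample decodes to a harmless `echo 1;`), and the `scan_non_code` flag is a stand-in for the "Scan images, binaries, and other non-PHP files" option.

```python
import re
import tempfile
from pathlib import Path

# Constructed, deliberately tiny signature set (byte regexes). A real scanner
# ships thousands of signatures and updates them out of band.
SIGNATURES = {
    "eval-of-decoded-string": re.compile(
        rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    "hidden-iframe": re.compile(
        rb"<iframe[^>]+(display\s*:\s*none|width=[\"']?0)", re.I),
}
CODE_EXTENSIONS = {".php", ".js", ".html", ".htm"}
PHP_OPEN_TAG = re.compile(rb"<\?php\b|<\?=")


def scan_file(path: Path, scan_non_code: bool = False) -> list[str]:
    """Return finding labels for one file. Non-code extensions are skipped
    unless scan_non_code is set (the 'scan images and binaries' option)."""
    ext = path.suffix.lower()
    if ext not in CODE_EXTENSIONS and not scan_non_code:
        return []
    data = path.read_bytes()
    findings = [name for name, rx in SIGNATURES.items() if rx.search(data)]
    # A file that should not be code but carries a PHP open tag is reported
    # even when no signature matches: a "JPEG" containing PHP is never legitimate.
    if ext not in CODE_EXTENSIONS and PHP_OPEN_TAG.search(data):
        findings.append("php-code-in-non-php-file")
    return findings


def scan_tree(root: Path, scan_non_code: bool = False) -> dict[str, list[str]]:
    """Scan every regular file under root; map relative path -> findings."""
    results = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            hits = scan_file(path, scan_non_code)
            if hits:
                results[path.relative_to(root).as_posix()] = hits
    return results


def build_sample_site(root: Path) -> None:
    """Write constructed sample files: a clean PHP file, one with an eval()
    signature (the encoded string is just 'echo 1;'), an HTML fragment with a
    hidden iframe, and a fake JPEG whose bytes contain a PHP open tag."""
    files = {
        "wp-content/clean.php": b"<?php echo 'hello'; ?>",
        "wp-content/backdoor.php": b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
        "wp-content/footer.html":
            b'<p>ok</p><iframe src="https://example.invalid/" style="display:none"></iframe>',
        "wp-content/uploads/logo.jpg": b"\xff\xd8\xff\xe0JFIF<?php echo 'planted'; ?>",
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo(scan_non_code: bool) -> dict[str, list[str]]:
    """Build the sample site in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_site(root)
        return scan_tree(root, scan_non_code)


if __name__ == "__main__":
    for mode in (False, True):
        print(f"scan_non_code={mode}: {demo(mode)}")
```

With `scan_non_code=False` the fake JPEG is never opened and produces no finding; with it enabled the same file is reported, which is exactly the trade-off the option describes: more files read per scan in exchange for catching code hidden behind a non-code extension.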
Performance options
Scans are designed to share the server with your site, not take it down. The Performance Options section gives you knobs to tune that balance:
- Maximum memory the scan can use (MB). Higher values let the scan process more in memory and finish faster, but raise peak memory usage. Default 256 MB.
- Use low-resource scanning. A pre-set combination of conservative values for hosts with tight resource budgets. Scans take longer but avoid hitting limits.
- Maximum issues per scan. Caps the number of findings the scan will record before stopping. Helps when a single configuration error would otherwise generate millions of identical findings.
- Maximum execution time for each scan stage. The scanner runs in stages; this sets the per-stage cap. 0 uses the default; values must be 8 or greater (10–20 is recommended).
- Maximum number of resume attempts after a stage exceeds its time limit. Default 2.
If a scan reliably fails partway through, the first thing to try is enabling low-resource scanning. The Scan Troubleshooting article covers other failure modes.
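The per-stage time limit and the resume-attempt cap only make sense together if each stage keeps a checkpoint, so that a resumed attempt continues where the previous one stopped instead of redoing the work and timing out in the same place. The following is an added simulation of that mechanism, not the plugin's own scheduler: the stage names and work items are constructed, and "seconds" are simulated units (one per item) so that the outcome is deterministic.

```python
import hashlib
from dataclasses import dataclass, field


class StageTimeout(Exception):
    """Raised when a stage exhausts its time budget for the current attempt."""


@dataclass
class Stage:
    name: str
    items: list             # constructed work items: file contents as bytes
    cost: int = 1           # simulated seconds spent per item
    checkpoint: int = 0     # index of the next unprocessed item; survives a timeout
    results: list = field(default_factory=list)


def run_stage(stage: Stage, budget: int) -> None:
    """Hash items until the stage is done or the simulated budget is spent.
    The checkpoint means a resumed attempt continues where the last one stopped."""
    elapsed = 0
    while stage.checkpoint < len(stage.items):
        if elapsed + stage.cost > budget:
            raise StageTimeout(stage.name)
        stage.results.append(hashlib.sha256(stage.items[stage.checkpoint]).hexdigest())
        stage.checkpoint += 1
        elapsed += stage.cost


def run_scan(stages, stage_time_limit, max_resumes):
    """Run stages in order. Each entry of the returned log is
    (stage name, outcome, resumes used). The scan stops at the first stage
    that still cannot finish after max_resumes resumes."""
    log = []
    for stage in stages:
        resumes = 0
        while True:
            try:
                run_stage(stage, stage_time_limit)
                log.append((stage.name, "complete", resumes))
                break
            except StageTimeout:
                if resumes == max_resumes:
                    log.append((stage.name, "abandoned", resumes))
                    return log
                resumes += 1
    return log


def demo(stage_time_limit: int, max_resumes: int):
    """Three constructed stages of increasing size; fresh Stage objects each call."""
    stages = [
        Stage("core-files", [b"core%d" % i for i in range(8)]),
        Stage("malware-signatures", [b"file%d" % i for i in range(25)]),
        Stage("vulnerabilities", [b"component%d" % i for i in range(40)]),
    ]
    return run_scan(stages, stage_time_limit, max_resumes)


if __name__ == "__main__":
    print(demo(10, 2))   # vulnerabilities stage is abandoned after 2 resumes
    print(demo(20, 2))   # every stage completes
```

With a limit of 10 and 2 resumes, a 40-item stage gets at most 30 units of work and is abandoned; raising the per-stage limit (or lowering the per-item cost, which is what low-resource scanning trades time for) lets the same stage finish. That is why a scan that "reliably fails partway through" points at these two settings rather than at the scan content.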
Exclusions
The Exclude files from scan textarea (in the Advanced Scan Options section) lets you tell the scanner to skip specific files or directories. The most common use cases:
- A custom-modified core file that you have intentionally changed for your build.
- A directory of user uploads that contains files the scanner does not need to inspect (for example, a multi-gigabyte video archive).
- A staging or development plugin you have installed but do not want flagged.
Exclusions are powerful and should be used sparingly. An overbroad exclusion can hide a real compromise. Prefer narrow exclusions (a specific file path) over broad ones (an entire directory) wherever possible.
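The "scan core files against repository" check in the General Options section and the exclusion advice just above fit together in one piece of logic: hash every file under the installation, compare it with a manifest of known-good hashes, and report modified, missing and extra files, skipping whatever the exclusion list covers. The following is an added illustration of that logic and of why a directory-level exclusion is riskier than a file-level one; it is not VMP Security's code. The manifest, file contents and paths are constructed, and the exclusion syntax (exact relative path, or a directory given with a trailing `/`) is an assumption for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_excluded(rel: str, exclusions) -> bool:
    """Assumed syntax: an exact relative path, or a directory prefix ending in '/'."""
    for pattern in exclusions:
        if pattern.endswith("/"):
            if rel.startswith(pattern):
                return True
        elif rel == pattern:
            return True
    return False


def check_integrity(root: Path, manifest: dict, exclusions=()) -> dict:
    """Compare files under root with manifest {relative path: sha256 hex}.
    Returns modified / missing / extra lists after applying exclusions."""
    seen = set()
    report = {"modified": [], "missing": [], "extra": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        if is_excluded(rel, exclusions):
            continue
        expected = manifest.get(rel)
        if expected is None:
            report["extra"].append(rel)
        elif sha256_of(path) != expected:
            report["modified"].append(rel)
    for rel in manifest:
        if rel not in seen and not is_excluded(rel, exclusions):
            report["missing"].append(rel)
    return report


def _write(root: Path, rel: str, data: bytes) -> None:
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def demo(exclusions) -> dict:
    """Constructed site: one file altered, one missing, a large upload, and a
    planted PHP file in the uploads directory. Returns the integrity report."""
    pristine = {
        "wp-load.php": b"<?php require 'wp-config.php';",
        "wp-settings.php": b"<?php // pristine settings",
        "wp-includes/version.php": b"<?php $wp_version = '0.0';",
    }
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in pristine.items()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write(root, "wp-load.php", pristine["wp-load.php"])
        _write(root, "wp-settings.php", b"<?php // modified by someone")
        _write(root, "wp-content/uploads/video.mp4", b"\x00" * 1024)
        _write(root, "wp-content/uploads/planted.php", b"<?php echo 'planted';")
        return check_integrity(root, manifest, exclusions)


if __name__ == "__main__":
    print("narrow exclusion:", demo(["wp-content/uploads/video.mp4"]))
    print("broad exclusion: ", demo(["wp-content/uploads/"]))
```

Excluding only the large video still surfaces the planted file as an extra; excluding the whole uploads directory makes that finding disappear along with the video. The modified and missing core files are reported in both cases, because exclusions only affect paths they match.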
Choosing a profile
Four pre-set scan types capture the most common configurations:
- High Sensitivity. Every general and advanced check enabled, including treating images and binary files as if they could contain executable code. Use for sites you suspect have already been compromised; slower than Standard and produces more findings (some of which may be false positives).
- Standard. The default. Includes core / theme / plugin file integrity, malware signatures, vulnerability and outdated-component checks, content safety, public-file leaks, password strength, and the user/option audits.
- Limited. A pared-down configuration with low-resource scanning enabled and most advanced checks off. Use for sites on very constrained hosting where the Standard profile cannot complete reliably.
- Custom. The page automatically labels your configuration as Custom when you mix and match individual options outside any of the named profiles. There is no functional difference; the label tells you that you are not on a known profile.
Pick a scan type from the cards near the top of the Scan Options page; the individual checkboxes update to match. You can then make per-option adjustments — the page will switch you to Custom automatically.