plugin-icon

VMP Security – Firewall, Malware Scan, and Login Security

By VMP™·
Your all-in-one WordPress security solution. Stop hackers with our firewall, detect malware before it spreads, and protect your site.
2FA
brute force protection
firewall
Ratings
Add a review
Version
2.2.3
Last updated
Jan 31, 2026

Advanced Firewall and Security Scanner

Tired of worrying about your WordPress site getting hacked?

VMP Security is like having a professional security team watching your website 24/7. We combine a powerful firewall, intelligent malware scanner, and advanced threat detection to keep your site safe from hackers, malware, and security vulnerabilities.

Why Choose VMP Security?

Comprehensive Real-Time Protection – Advanced security features that detect and stop attacks in real-time. ✅ Easy to Use – Set it up in 5 minutes. No security degree required. ✅ Performance Optimized – Won’t slow down your site. Runs efficiently in the background. ✅ Always Up-to-Date – Our 280+ firewall rules and malware signatures are constantly updated. ✅ Complete Coverage – Firewall, malware scanner, 2FA, brute force protection, and more in one plugin.

🔥 Web Application Firewall (WAF)

Think of it as a security guard for your website.

Our firewall inspects every visitor before they reach your WordPress site. Bad guys? Blocked instantly. Legitimate visitors? They won’t even notice we’re there.

What It Protects Against:

  • SQL Injection – Hackers trying to steal your database
  • Cross-Site Scripting (XSS) – Malicious code injection
  • Remote File Inclusion (RFI) – Attempts to upload backdoors
  • Local File Inclusion (LFI) – Unauthorized file access
  • Command Injection – Server takeover attempts
  • Path Traversal – Directory browsing attacks

Key Features:

  • 280+ Built-in Security Rules – Covering all major attack types
  • Zero-Day Protection – Pattern-based detection catches new threats
  • Attack Logging – See exactly who’s trying to hack you
  • Custom Rules – Add your own protection patterns
  • Learning Mode – Fine-tune rules based on your legitimate traffic
  • IP Blocking – Automatic permanent bans for repeat offenders

🛡️ Brute Force Protection

Stop password guessing attacks before they succeed.

Hackers use bots to try thousands of password combinations. We stop them cold.

Features:

  • Smart Login Limiting – Lock out IPs after failed attempts
  • Invalid Username Blocking – Instant block for fake usernames
  • Leaked Password Detection – Check credentials against breach databases
  • Strong Password Enforcement – Force admins and users to use secure passwords
  • Username Blacklist – Block known malicious usernames instantly
  • Permanent Bans – Get rid of persistent attackers for good

⚡ Rate Limiting & Bot Protection

Prevent site scraping, resource exhaustion, and vulnerability scanning.

Not all attacks are malicious code. Some attackers just overwhelm your site with requests. We stop that too.

What We Control:

  • Request Limits – Maximum requests per IP per time period
  • Human vs Bot Detection – Smart classification of traffic
  • 404 Error Monitoring – Detect scanning attempts
  • Google Crawler Handling – Special treatment for legitimate search engines
  • Throttling or Blocking – Slow down or stop violators
  • Allowlist Support – Whitelist your own IPs and trusted services

🌍 Country Blocking

Block entire countries from accessing your site.

Protect your WordPress site from geo-targeted attacks by blocking traffic from specific countries. Perfect for sites with regional focus or facing attacks from certain locations.

Features:

  • Comprehensive Geo-Blocking – Block any country by ISO code
  • Granular Control – Block login only or entire site access
  • Block Statistics – Track attempts and blocks per country
  • Top Attackers Report – See which countries attack you most
  • Temporary Blocks – Set expiration times for country blocks
  • Permanent Blocks – Long-term protection from persistent threats
  • Detailed Logging – Complete audit trail with IP, country, and request data
  • Attack Analytics – Visual reports showing attack patterns by country
  • GeoIP Integration – Automatic IP-to-country lookup with IP2Location
  • Auto-Updates – GeoIP database updates automatically

🎯 Custom Pattern Matching

Block threats using advanced pattern matching.

Go beyond simple IP blocking. Create sophisticated blocking rules based on hostnames, user agents, referrers, and IP ranges.

Pattern Types:

  • Hostname Blocking – Block specific domains or wildcard patterns
  • User Agent Blocking – Stop malicious bots and scrapers
  • Referrer Blocking – Block traffic from specific sources
  • IP Range Blocking – CIDR notation support for network blocks
  • Wildcard Patterns – Flexible matching with * wildcards
  • Regex Support – Advanced users can use regular expressions

Management Features:

  • Pattern Groups – Organize related patterns together
  • Match Statistics – Track how often patterns trigger
  • Active/Inactive – Enable or disable patterns without deleting
  • Source Tracking – Know if patterns are local or from sync service
  • Reason Logging – Document why each pattern was created
  • Match History – See when patterns last matched

🚫 Blocking Options

Centralized management for all blocking features.

Manage all your site’s blocking rules from one convenient location. Control who can access your site and how.

Features:

  • IP Blocking – Block individual IPs or entire IP ranges using CIDR notation
  • Country Blocking – Block entire countries from accessing your site
  • Pattern Blocking – Create custom blocking rules based on hostnames, user agents, and referrers
  • Temporary Blocks – Set time-limited blocks that expire automatically
  • Permanent Blocks – Long-term protection from persistent threats
  • Block Statistics – See what’s being blocked and why with detailed analytics
  • Allowlist Management – Whitelist trusted IPs and services to bypass all blocks
  • Unified Dashboard – Manage all blocking types in one place

🔐 Two-Factor Authentication (2FA)

Add an extra layer of security to your WordPress login.

Even if someone steals your password, they can’t get in without the second factor.

Features:

  • QR Code Setup – Easy configuration with any authenticator app
  • Backup Codes – Never get locked out of your own site
  • User Management – Force 2FA for admins or specific roles
  • Frontend 2FA Management – Users can manage their own 2FA settings
  • Email Notifications – Get notified when 2FA is enabled/disabled
  • Shortcode Support – Add 2FA controls anywhere on your site
  • XML-RPC Protection – Require 2FA for XML-RPC requests
  • WooCommerce Integration – Secure your online store checkout

🔍 Advanced Malware Scanner

Multiple specialized scanners working together to find threats.

We don’t just look for known malware. Our intelligent scanner detects suspicious patterns, unauthorized changes, and hidden backdoors.

Our Security Scanners:

  1. Malware Scanner – Detects backdoors, trojans, and malicious code from our 40,000+ malware scanner
  2. File Integrity Monitor – Compares files against official WordPress versions
  3. Vulnerability Scanner – Identifies security flaws in plugins and themes
  4. User Security Scanner – Finds suspicious admin accounts
  5. Content Safety Scanner – Analyzes posts/comments for malicious content
  6. Public Files Scanner – Detects exposed configuration files
  7. Server State Scanner – Monitors server security settings
  8. Binary Scanner – Checks images and executables for embedded malware
  9. Domain Reputation Scanner – Verifies URLs against threat databases

Scan Types:

  • Quick Scan – Critical files only (2-5 minutes)
  • Standard Scan – Balanced coverage (6-12 minutes)
  • High Sensitivity Scan – Complete site analysis (10-25 minutes)
  • Custom Scan – Choose exactly what to scan

🚨 Advanced Threat Detection

Advanced pattern matching and behavioral analysis.

Intelligent Detection:

  • Pattern Analysis – Detects obfuscated and encrypted malware
  • Behavior Analysis – Identifies suspicious file operations
  • Reputation Checking – Validates URLs against Google Safe Browsing
  • Legitimacy Assessment – Distinguishes real threats from false positives
  • Unknown File Detection – Flags files that shouldn’t be there
  • Password Breach Checking – Scans for compromised credentials

📊 Live Traffic Monitor & Event Tracking

See exactly what’s happening on your site in real-time.

Features:

  • Real-Time Traffic View – Watch visitors and attacks as they happen
  • Event Logging – Complete audit trail of security events
  • Attack Statistics – Visual dashboards showing threats over time
  • IP Intelligence – WHOIS lookup and IP reputation checking
  • Human vs Bot Tracking – Classify and analyze traffic patterns
  • Export Capabilities – Download logs and reports for analysis

🎛️ Easy-to-Use Dashboard

All your security in one place. No tech degree required.

What You Get:

  • Security Status – Green, yellow, or red. Know your status at a glance
  • Recent Attacks – See who’s trying to hack you
  • Scan Results – Detailed reports with clear action items
  • Firewall Status – Protection levels and rule statistics
  • One-Click Actions – Block IPs, ignore false positives, repair files
  • Scheduled Scans – Set it and forget it

⚙️ Advanced Features for Power Users

Need more control? We’ve got you covered.

  • Custom Firewall Rules – Write your own protection patterns
  • File Exclusions – Skip certain directories or file types
  • Performance Tuning – Adjust memory limits and timeouts
  • API Integrations – Google Safe Browsing, IP reputation databases
  • IPv4/IPv6 Support – Dual-stack or IPv4-only mode
  • Multisite Compatible – Works perfectly with WordPress networks
  • Developer Friendly – Hooks and filters for customization
  • Sync Service – Central management for multiple sites

🔒 Privacy & Your Data

Your site data and scan results stay on your server. Optional features like settings export use secure cloud storage.

What We DON’T Do:

❌ We don’t send your file content or database data to external servers ❌ We don’t track your users ❌ We don’t collect analytics about your site ❌ We don’t send data without your knowledge

External Services (Optional):

We use external services only when necessary for specific security features. You can see exactly what’s sent:

VMP Security Servers * License activation and validation (free/premium) * WAF rules synchronization and updates * Malware signature database updates * Two-Factor Authentication (2FA) system management * Settings export/import cloud storage(optional) * Privacy: Your site data remains on your server – only configuration and security rules are synced

Google Services (safebrowsing.googleapis.com, www.google.com/recaptcha) * URL threat detection and reCAPTCHA spam protection * Privacy: https://policies.google.com/privacy

WordPress.org APIs (api.wordpress.org, downloads.wordpress.org, core.svn.wordpress.org) * Download original files for integrity checking during malware scans * Privacy: https://wordpress.org/about/privacy/

GitHub (raw.githubusercontent.com) * Download WordPress core files for file comparison

IP Lookup Services (api.ipify.org, ifconfig.me, icanhazip.com, ip-api.com, ipwhois.app, download.ip2location.com) * Server IP detection, geolocation, and country blocking features

Threat Intelligence (api.urlvoid.com, www.virustotal.com, checkurl.phishtank.com) * URL reputation checking and threat validation

Vulnerability Databases (services.nvd.nist.gov, wpscan.com, cvedetails.com, cve.mitre.org) * Check for known security vulnerabilities during scans

All malware scanning happens on YOUR server. We do not upload your files or database content to external services except for certain features used by the user.

🛠️ Advanced Tools

Professional-grade tools for site management and troubleshooting.

Diagnostics Tool

Comprehensive system health check to troubleshoot issues quickly.

Run 15+ diagnostic tests to verify your site’s security configuration and identify potential problems:

  • Plugin Status – Check if VMP Security is working correctly
  • File Permissions – Verify read/write access to critical directories
  • Connectivity Tests – Ensure your site can communicate with security services
  • Time Sync – Verify server time is accurate for security features
  • WordPress Health – Complete audit of WordPress configuration
  • Plugins & Themes – View all installed plugins and themes with versions
  • Scheduled Tasks – Monitor cron jobs to ensure scans run on time
  • PHP Environment – Check PHP version and required extensions
  • Firewall Status – Verify WAF is protecting your site

Settings Export/Import

Backup and migrate your security configuration easily.

Cloud-based configuration backup and migration using secure tokens:

  • Generate Export Token – Upload settings to VMP server and receive a unique token
  • Cloud Storage – Your settings are securely stored on VMP servers
  • Easy Import – Use the token to download settings on any site
  • Site Migration – Quickly migrate security settings between sites
  • Configuration Backup – Keep your settings safe in the cloud
  • Flexible Import – Choose to merge with or replace existing settings
Freeon Business plan
Get started
By installing, you agree to WordPress.com Terms of Service and Third-Party plugin Terms.
Tested up to
WordPress 6.9.1
This plugin is available for download for your site.
Download