Bravo Wordpress Security - Go To Premium

Bravo WP Security Plugin helps you to hide wordpress side by side Bravo wordpress firewall, wordpress antivirus (wordpress malware scanner),wordpress brute force protection, WP config security, wordpress google reCAPTCHA,error logs and more features.

Multisite Supported.
RTL Supported.

Screenshots | Pre-Sale Questions

The V 2.x Updates

  • Hide wp-includes path from the page source
  • Hide plugins path from the page source
  • Hide themes path from the page source
  • Rename search base and query
  • Rename posts base and query
  • Rename pages base and query
  • Rename categories base and query
  • Rename tags base and query
  • Rename feeds base and query
  • Rename pagination base and query
  • Rename comments file
  • Rename ajax file
  • Rename _wpnonce
  • Remove adminbar for non-admin users
  • Remove WP version
  • Remove feed links from the page source
  • Remove API JSON links from the page source
  • Remove resources hints from the page source
  • Remove weblog client link from the page source
  • Remove windows writer manifest link from the page source
  • Remove post/page shortlink from the page source
  • Fake HTTP Headers for X-Powered-By
  • Fake HTTP Headers for X-Generator
  • Change E-mail Sender E-Mail
  • Change E-mail Sender Name
  • Minfy HTML
  • Minfy CSS
  • Minfy JS


  • Hide WordPress: Hide version from all scripts and styles call inside the pages source.
  • Hide wp-login.php: Create new login link and a 404 error will appear to the default login link.
  • Hide wp-admin: Only the login link can redirect you to the wp-admin dashboard.
  • Prevent Proxy: wp-admin Dashboard will allow real connections only.
  • Allow Custom Connections: wp-admin Dashboard will allow some whitelist countries or/and IPs only.
  • Advanced Firewall: 'Firewall profiles' is advanced option, You are able to choose High, Medium or Low Level of security.
  • 2-Step Verification: You are able to choose from many options when you decide to enable 2 -Step Verification. Available options: Two factor authentication, Facebook Verification, Four numbers pin code and Security question.
  • reCAPTCHA: reCAPTCHA is important to save your host resources and your WordPress safe from spam, You can add it to guest comments, login, register or/and reset password forms.
  • Housekeeping: Clean your WordPress, Just delete unused files, comments, revisions, trashes, transient feed or/and relationships.
  • Database Backups: Manually or Scheduling Database backups, both options are available.
  • Professional Antivirus: Malware scanner, PHPMussel scanner, File Change Detection, Google Safe Browsing Checker, DB scanner and Spam Lisiting checker.
  • Auto Scan Attachments: Attachments will be scanned while it is being uploading.
  • Scan New Plugins & Themes: After you activate your new plugin or theme, Bravo will create a new antivirus process to scan the new files.
  • Brute Force Protection: The complete security for your and users' passwords by activating Bravo brute force protection options.
  • Blacklist Usernames: Prevent some usernames from register or log in.
  • Blacklist email provider: Prevent some email hosting from register like e.g:
  • Min & Max Usernames Length: Minimum and Maximum chars for registered usernames.
  • Moderate New Members: New members will be need admin approval before they can use their dashboard.
  • Accounts Protection: You are able to define the login method (email only or username only or both as default), No weak passwords, Maximum Login Attempts and Whitelist IPs.
  • Who is Online (Live Tracker): Watch your online visitors and what are they doing?!, You will be able to see all their browsing details and block/unblock Ips.
  • Inline Visitors Blocking: Watch your visitors activity using the traffic tracker module and you can block and IP or country when you see unusual activity.
  • Cronjobs (Events Schedules): You have full control to set what is the appropriate time to run your events.
  • DB Prefix Wizard: A wizard was designed to change WP database prefix.
  • Development & Maintenance Mode: There two modes in order to close your site, Development mode will allow some roles to view site as usual as they know it, but Maintenance mode will close site for all.
  • Bandwidth Saver: Bravo lets you prevent 'Hotlinking & iFrames', Your hosted images will not show at other websites, and your website will be not shown in iframe.
  • Plugin Self Protection: You can set password and choose some management roles to give them ability to manage Bravo.
  • Idle Logout: The plugin will clear the current sessions for logged in users if they hold their accounts without using after (n) seconds, you will choose the duration before forcing them to log inagain.
  • Mail Watching: This tool designed for watching outbound email messages in WordPress. It can help if someone using backdoor in your blog to send spam emails.
  • Error Pages: Continuing our efforts to hide WordPress, We designed this tool to use our 404 templates instead of your theme 404 pages.
  • Log Watching: If you set the firewall to 'High' and disable WordPress debug, You can watch the error log using or tool.

Subscribe to our list

Wordpress Firewall Rules

  • Max Connections Per IP:
    It means, What are the maximum connections for one visitor per five minutes.
  • Action on Max Connections:
    It means, What is the punishment for the visitor which reached the maximum connections.
  • Block IP:
    It means, If the punishment for any rule was 'block', Bravo should block the visitor IP address.
  • Block Country:
    It means, If the punishment for any rule was 'block', Bravo should block that country.
  • PHP Security Level:
    It always depends on the firewall profile level.
  • Detect 404 Pages:
    404 pages detection in order to calculate these attempts per IP address per (n) minutes to take an action.
  • 404 Pages Maximum Attempts:
    It means, How many attempts before taking action.
  • Action on 404 Maximum Attempts:
    Take action / punishment for this visitor which reached the maximum 404 visits attempts.
  • Disable XMLRPC:
    Disable the xmlrpc.php file in order to protect your WordPress from any random brute force attacks.
  • Disable Pingback:
    Some SEO plugins use this option to post automatic comments, This option also created for remote linking to other blogs.
  • Create indexes for non-indexed directories:
    When you click to save Firewall settings, Bravo creats index.php for the directories which have no indexes.
  • Disable BOTs Comments:
    It means, disable all non-human comments.
  • Disable Comments From Proxy:
    It means, disable all comments from non-real connections.
  • Block Fake Google Crawlers and Bots:
    It means, disable all fake google connections.
  • Query Filtering:
    This filter should protect your Wordpress front end from XSS and SQL injection attempts.
  • Maximum Attempts for Bad Queries:
    If bravo detects bad query attempts through query filters, How many attempts before taking action per IP address?.
  • Action on Maximum Attempts for Bad Queries:
    The action / punishment for the 'bad queries call' per IP address.
  • Block for reCAPTCHA error attempts:
    It means, Bravo detects reCAPTCHA wrong attempts (if enabled) and taking action.
  • Maximum reCAPTCHA error Attempts:
    The maximum reCAPTCHA wrong attempts before taking action.

Two Factor Authentication

An extra layer of Wordpress security, The Wordpress two factor authentication by Bravo has a new generation.
You should enable this protection step, By enabling it, Your Wordpress security should be grow up to a higher level.

With Bravo you are able to choose from many options when you decide to enable 2-Step Verification.
Available options: Two factor authentication, Facebook Verification, Four numbers pin code and Security question.

wordpress two factor authentication

You may want to choose some groups of users based on capability roles, Well, Bravo helps you to enable this module for some roles or all.
These four options are available, But you should choose one of them.

  1. 2-Factor Authentication
  2. Facebook App
  3. 4 Numbers Pin Code
  4. Security Question

Hide Wordpress

In order to hide wordpress, You should not only hide or remove wordpress version, also you should hide wp-login and wp-admin as additional security layer for your wordpress.
Bravo leads you to more WordPress security, From many security layers, You can easily hide the important parts of WordPress.

Hide / Remove Wordpress Version

To remove wordpress version, There are many of locations which show wordpress version.
At the source of page, there is the meta generator, Like this:

<meta name="generator" content="WordPress 4.8.x">

Bravo helps you to remove this line easy.

Wordpress version also appears in the last part of some scripts and css links which called at the source of the page, Like this:

<script type='text/javascript' src=''></script>

Bravo helps you to hide the WP version and encode it.

Hide WP Login Page

Hiding the wp-login.php is the most powerful trick to make hackers confused, they cannot reach your real login path to the admin area or member area if they are using the random attack.

The default WP login page is 'wp-login.php', with the huge number of WP installs, You may be on of the hacker targets.
So, You should rename this link not the file, Bravo let you choose a new name for the login page and the default page will show a 404 error page for anyone.

If you choose to hide 'wp-login.php' with Bravo, You will able to cross to the dashboard using the new login name only.
Please be careful while you choose the new name, Be sure you know and remember it very good.

hide wordpress

Hide WP Admin Dashboad

The admin area is the most dangerous area, so you must make it in the best security level. If you change its name from WP-admin to anything, that means all guests will be denied to reach it, only logged in users who can reach it after using the hidden WP-login new path.
By the way, Wordpress does not let developers to change the name of the wp-admin folder, because so many core functions need it.

We should trick the attackers when they request wp-admin page, So Bravo helps you to hide this page 'wp-admin' and a 404 page appears.
No way to cross to the wp-admin dashboard except the wp-login page or the new wp-login page (if you hide wp-login).

Wordpress Antivirus

With Bravo Wordpress antivirus you can scan multiple times with different scanners, Bravo provides you with six scanners.

  1. Malware Scanner:
    Scan for web malicious codes like e.g: shell files.
  2. PHPMussel Scanner:
    Scan for viruses and malware files like e.g: uploaded files from affected computer.
  3. Google Safe Browsing Scanner:
    Scan for pages which marked by browsers as malware or phishing pages.
  4. Spam Listing Scanner:
    Check if your domain or URLs marked as spam.
  5. Database Scanner:
    Scan database to check if it contains any XSS codes via any SQL Injection bugs at your Wordpress.
  6. File Change Detection Scanner:
    Scan directories and files to check if there are any changes (new, altered or deleted files).

Attachments Auto Scan

If it is enabled, The attachment auto scan will be a good idea, If you have editors which they have the ability to write articles (posts) and upload attachments.
For this reason bravo adds this option! Because we may do not trust our editors or the freelance writers.

This screen of the settings, How to enable or disable it:
Wordpress antivirus

This an example for the auto-scan process:
wordpress scan attachments for malware

Wordpress Antivirus Scan Process

When you decide to check your files, database or the website link, You should choose the appropriate scanner.
The Malware Scanner Will help you to detect the Shell files and the php files which have some dangerous functions.

You may have some suspected files while it are not viruses or malware, You should add it to Whitelist in order to avoid to catch it agian.

The Wordpress Antivirus Process Example:
wordpress antivirus

The Wordpress Antivirus Scanner Process Example:
wordpress antivirus scanner

File Change Detection

The file change detection scanner can run manually or automatically by adding a new event to cronjobs.
- More details about Bravo Wordpress Cronjobs

The comparison runs based on the past scan results and the current process, This tool compares file size and modification date between the current files and the past files,
Then it tells you the results (new files, modified files and deleted files).

If you add the file change event to Wordpress cronjob through Bravo, Every time it runs and catch some changes, It will send you an email to notify you to check the last file change results.

Email Notification Example:
wordpress file change scanner

Wordpress Malware Scanner

Like we mentioned at the Wordpress Antivirus article, Bravo provides you with six scanners to get a clean Wordpress website.
The Wordpress malware scanner is an important security tool, We designed it to make suspection list to you, You will decide what are the whitelist files and what are the malware and unwanted files?!

Wordpress wp-admin Dashboard >> Admin Bar (Bravo) >> Start Scan
wordpress malware scanner

Then click on the "Malware Scanner", You should see the directories screen.
wordpress antivirues

Manullay select the directories or/and the files you want to check, Then click "Start Scan" button below the files and directories list.
Here is the scanner, It is running ...
wordpress antivirues scanner

After the scanner finish his task, The buttons will changed to "Start Over" and "Take Action", If you have suspection files, You should click on "Take Action" button in order to put some files in whitelist ot delete it.
wordpress malware scanner done

The 'take action' screen should be like this ...
wordpress malware take action

With the Bravo Wordpress malware scanner, you could catch more of the malicious files, The strategy is the dangerous codes and the non-PHP files which contain PHP codes.

Change Wordpress DB Prefix

Every Wordpress developer, the bad guys and most of Wordpress users know the default Wordpress DB prefix "wp_".
The Wordpress database is the important part if you want to be on the safe side with your blog, So all Wordpress websites should change their WP DB prefix.
After you finish this article you could know how to change Wordpress DB prefix.

Bravo includes amazing DB prefix modification wizard, All what you need to do is taking the decision.

Now, I am teaching you how to change Wordpress DB prefix using Bravo wizard.
First, make sure you already installed Bravo security plugin and finish it through the configuration wizard.

Wordpress wp-admin Dashboard >> Bravo Menu >> WPConfig Tweak >> Database Table Prefix
change wordpress db prefix

Automatically, Bravo takes a fresh and new backup of your Wordpress database, So please make sure that the Bravo Backups Directory is writable.

There are many options for a complex prefix, You can choose prefix for the DB prefix, It means, If you want to change the default DB prefix to 'WE4W', you can do this with another prefix like 'wp_WE4W'.

You can choose from many options :

  1. wp_
  2. wp
  3. bravo_
  4. bravo
  5. none Without part 1

Bravo needs a writable 'wp-config.php' in order to be able to replace the old prefix with new prefix, So .. If you can not change your wp-config permissions or you do not know what are the writable permissions,
You should click 'Try Now' button beside the 'wp-config.php' row in the wizard (it appears only if it is not writable).
If the wizard cannot change the permissions, you should change it manually to be able to continue.

When you click the 'Start' button, You will see the comparison between the old tables and the new tables, this means the wizard need confirmation from you to continue changing the Wordpress database prefix.

Click 'Continue' if you sure, or click 'Start Over'
change db prefix wordpress

99.99% with no errors, but if you have an error you can easily restore your old database and wp-config.php, You should find the backups inside the Bravo backup directory.

Wordpress Salts & Keys

Easily you can change WordPress salts and keys with Bravo, It is only just a button click for more secure encryption. But, Why should I change the Wordpress salts? and what are these salts?!
When we want to answer these questions we should know more about Wordpress Cookies.

Wordpress Cookies

The defination of the Wordpress cookie comes from Wordpress itself.

WordPress uses cookies, or tiny pieces of information stored on your computer, to verify who you are. There are cookies for logged in users and for commenters.

Wordpress Salts

WordPress created a helpful (keys and salts) to make its cookies in a higher level of security, The WordPress cookies should be encrypted before storing it in the users browser.
The Wordpress salts and keys should be unique, for this reason you should change it. But in order to change it you should replace it with correct salts or keys. Wordpress provides an API to change these salts which you can use it to change it manullay from 'wp-config.php'.

How to change Wordpress salts?

Using Bravo, All you need is just a click on the 'update now', check the next screenshot...

Wordpress wp-admin Dashboard >> Bravo Menu >> WPConfig Tweak >> Authentication Unique Keys and Salts
wordpress salts

WordPress depends on the safety of these salts, once they are compromised the security behind authentication is relatively weak. So, you must update these SALTs or keys periodically.
Alert: You and all logged in users will be logged out once the change has been done!

Wordpress Config Security

The wp-config.php is the brain of Wordpress, We should protect the brain to set the body with a good health.
You should take this seriously, You should follow the next steps to be in a better level of security.

Wordpress wp-admin Dashboard >> Bravo Menu >> WPConfig Tweak
wordpress config security

Change Wordpress Database Prefix

As I mentioned at the Change Wordpress DB Prefix article, A lot of Wordpress users and all developers know the default 'wp_' DB prefix.
For this reason, You should change it to a unique one using the Bravo wizard.

Wordpress wp-admin Dashboard >> Bravo Menu >> WPConfig Tweak >> Themes and Plugins Editor
change wordpress db prefix

Themes and Plugins Editor

As a security measure it is recommended to disable the theme and plugin editors in WordPress, Why? to protect your files from injecting with malware, blackhat SEO links or inserting SHELL scripts.
Just one click to enable/disable editor.

Wordpress wp-admin Dashboard >> Bravo Menu >> WPConfig Tweak >> Database Table Prefix
wordpress disable file editor

WPConfig File Permissions 'wp-config.php'

The permissions you as the owner will give to the file, read , write or both.
We highly recommend to change wp-config.php permissions to read-only '0400' or '0444'.

Wordpress wp-admin Dashboard >> Bravo Menu >> WPConfig Tweak >> WPConfig File Permissions 'wp-config.php'
wordpress config read only

Wordpress Automatic Updates

Keep your Wordpress core files, themes and/or plugins up to date. Always Wordpress and other themes and plugins developer receives problems and bugs in their codes, So we should update the code.
This action can be automatically if you enable the 'auto update' options using Bravo.

Wordpress wp-admin Dashboard >> Bravo Menu >> WPConfig Tweak >> Wordpress Automatic Updates
wordpress auto updates

Display Errors & Debug

Debug and error display is a dangerous tool for a public website, but it is a useful tool for developers.
So, If you do not need it, please disable it to prevent hackers from knowing what's errors and bugs in your code or files.

Do not worry, BRAVO will enable a local and secure debug you'll browse it under 'Log Watching' menu.

Wordpress wp-admin Dashboard >> Bravo Menu >> WPConfig Tweak >> Display Errors & Debug
wordpress disable debug

Authentication Unique Keys and Salts

We have talk about Authentication Unique Keys and Salts and we told you and readers what is the importance and why should we change it.
Please read the full article [read more].

Wordpress HouseKeeping

In order to clean Wordpress, you should use the Bravo Wordpress housekeeping module, Like as the house, It should be clean to work fine.
There are some unused files you may want to delete it if you remember it, Bravo refer to it and you the decision owner to delete or let it.
There are also some rows in the Wordpress database, In order to clean wordpress database you should use software, Bravo helps you to remove unwanted rows like:

  • Posts (Revision)
  • Posts (Draft)
  • Posts (Auto Draft)
  • Posts (Meta)
  • Moderated Comments
  • Trash Comments
  • Spam Comments
  • Comment Meta
  • Relationships
  • Dashboard Transient Feed

The Bravo TMP files, You should remove it. Just click the '/tmp [delete]' button and Bravo will finish this task.
Check the Wordpress Housekeeping from the Bravo menu every week at least to keep your Wordpress works fine.

wordpress housekeeping

reCAPTCHA Wordpress

reCAPTCHA Wordpress is important to save your host resources and your Wordpress safe from spam. Add reCAPTCHA to comments, login, register and/or reset password.

what is recaptcha

It is a google free tool or service, It designed to help your website from spam and random attacks. It is just a tester to check if this visitor is a human or not.

reCAPTCHA Key & Secret

You must have the reCAPTCHA key and secret to enable and merge it with your website, Bravo design a form to enable/disable it and to insert the key and secret, Bravo will include its code if it is enabled.

Go to Google reCPATCHA and create your own key and secret.
wordpress google recaptcha

reCAPTCHA Wordpress Positions With Bravo

There many available position you can enable/disable any of it by clicking just a click.
  • Posting New Comments:
    reCAPTCHA field will appear for guests while they are posting new comments.
  • Members Login:
    reCAPTCHA field will appear for guests while they are trying to login.
  • New Accounts (Register):
    reCAPTCHA field will appear for guests while they are trying to register new accounts.
  • Reset Passwords:
    reCAPTCHA field will appear for guests while they are trying to get new passwords.

Go to wp-admin Dashboard >> Bravo Menu or (settings) >> reCAPTCHA
recaptcha wordpress

Wordpress Crons

The Wordpress crons or cron jobs are the scheduled events you or the developer need to add it to run at a specified date and time to some tasks through running codes or some scripts.

If you are not a Wordpress developer you will not able to add events to the WP cron, You can use some plugins to these tasks for you.
Bravo Security has some events, It had included under Cronjobs Module with the Bravo, You can disable or enable any Bravo events.

Bravo Wordpress Cron Jobs

Not just enable or disable some events, You can choose the specified time to recurring these scheduled events.

Current Bravo Events

  1. Database Backup: Recommeded: Daily
  2. Database Scan (antivirus): Recommeded: Daily
  3. File Change Detection (antivirus): Recommeded: Hourly
  4. Traffic Tracker Monitor Update: Recommeded: Every 1 Minute

Bravo Crons Recurring Times

  1. Once every minute
  2. Once every 5 minutes
  3. Once every 30 minutes (twice hour)
  4. Once every hour
  5. Twice Daily (every 12 hours)
  6. Twice every week
  7. Once every week

Wordpress wp-admin Dashboard >> Bravo Menu >> Cronjobs
wordpress cron

How To Run Cron Jobs On Your Host?!

Make sure that your host has a command to run the wp-cron.php every minute or less (if available).

* * * * * php -q /home/host-username/path-to-wordpress/wp-cron.php > /dev/null 2>&1

Wordpress Backup

The most useful thing in Bravo Security is the recurring wordpress database backup,
With the Bravo Wordpress Crons you can schedule some events like Wordpress database backup every day, twice daily or every week.
The Bravo crons events are more than one, Be sure you will find what you need in the Wordpress DB backups and Crons using Bravo.

Wordpress Database Backup

There two ways to take a new DB backup, The manual way and the scheduled way.
Both methods will store the backups in the Bravo backup folder which protected. You may need to download backups, Yes, you can download any stored backups from the Wordpress backups dashboard through the Bravo security plugin.

Wordpress wp-admin Dashboard >> Bravo Menu >> Database Backups
wordpress backups

Wordpress Error Pages

Every Wordpress theme design the WordPress error pages or Wordpress 404 pages to be in a good look when the page not found. Bravo also makes the same, but to hide Wordpress.

Bravo lets you choose which template you want to see when the Wordpress page not found, Many nice templates available.
The Bravo Wordpress error pages technique is for hiding Wordpress not only to be in a good look, You can include the search box in any of these templates, But it is not recommended, because the main aim is hiding WP.

Bravo lets you to add a custom message to be the error message when the guest gets the Wordpress 404 pages.
Note: These templates are available for the 404 and 403 error pages if you enabled the Bravo error pages.

Wordpress wp-admin Dashboard >> Bravo Menu >> Error Pages
wordpress error pages

Screenshots | Pre-Sale Questions