hide my wp logo

Hide My WP Ghost Plugin

What Hide My WP Ghost can do for you?

Hide My WP Ghost helps YOU hide your WordPress
website from hackers, bots and detectors.

Rank Math helps you to improve your website ranking
After
Before
Your website ranking before using the Rank Math
4.8/5

over 600k downloads | over 50k active installs

It’s working perfectly and I’m glad there are still some good developers that are on WordPress that actually care about their plugins. Most just try to blame it on other things and don’t even bother to see what the issue is. Anyways. It’s got a lot of options to it and perfect for a security plugin and really simple to use. USE IT.
@destructiveburn

Hide My WP Ghost is Packed
with Awesome FREE Features

Hide My WP gives you the best security solutions with its powerful and easy-to-use features.  Without physically changing any directory or file, Hide My WP can take your website’s security to the next level.

Hide Wp Admin Path

Hide wp-admin

Protecting the admin area from unauthorized access allows you to block many common security threats.

If visitors know you are using WordPress, they can easily find out the default Admin & Login pages, thus making your site an easier target.

Hackers regularly target wpadmin and brute force it using a list of usernames and passwords.

Changing your admin page URL benefits:

  1. hackers will not know it and you will reduce the Brute Force to 0% on the wp-admin path.
  2. you will save a lot of resources and eliminate any possible hack.

Hide wp-login.php

Login page URL is the web address you visit when you want to access the backend of your website.

Every WordPress website has the same structure. You can login to a website by visiting:

https://www.yourwebsite.com/wp-login.php

Hiding your wp-login.php page is a great way to secure your site from targeted hackers and automated brute force attacks. Attackers cannot identify your website’s point of entry. Hide My WP Ghost enables you to create a new URL for your login page and hide the default one. 

By changing the wp-login page you provide an extra layer of security for your website.

Hide Wp Login Path
Custom wp-admin Path
Custom Wp Login Path

Custom wp-admin URL &
wp-login Paths

By default, we all login into WordPress at https://www.yoursite.com/wp-admin/ or directly to https://www.yoursite.com/wp-login.php.

I know that, you know that, hackers know it. Brute Force Attacks on login pages is one of the common types of web attacks that your website is likely to face.

By changing these URLs, hackers will not be able to find these links. This reduces with up to 100% the chance of getting attacked.

Note! No file or directory is physically changed. All the changes are made by redirects. All the actions are done automatically by the plugin.

Brute Force Attacks Protection

A successful brute force attack can give hackers access to your websites’ admin area & credentials. They can install backdoor, malware, steal sensitive information, delete everything on your website, make your website inaccessible. 

An unsuccessful brute force attack can slow down your website and even crash your wp hosting server.

The attacks begin with multiple requests to /xmlprc.php and /wp-login.php with different combinations of usernames and passwords. Once a combination matches, the hackers have access to your admin interface.

There are many strategies for dealing with brute force attacks. One of the simplest ways is to hide the wp-login.php page and xmlrpc.php pages.

Custom Wp Content Path

Change wp-content Path

By default WordPress stores all the installed website themes and plugins in /wp-content/ directory.  Unfortunately, this directory is not protected when there are vulnerable plugins or themes installed. 

A person, bot or hacker who wants to see all your library content could read the directory content in the browser: http://websitename/wp-content/uploads.

In many cases, WordPress websites crashed because a hacker had access to the wp-content directory. So, wp-content is an ideal spot for hackers.

Giving the wp-content a custom name is one of the most easiest ways to make your WordPress safer.

Manage Blacklist IPs

An IP address is a unique numeric code allocated to a device that is connected to the internet.

IP address blacklisting is a method of protecting your website from malicious attacks: comment spam, email spam, hacking attempts, and DDOS (denial of service) attacks.

With Hide My WP Ghost you can ban the IP addresses or a range of IP addresses that you never want to be able to access the login page.

Manage Whitelist IPs

IP whitelisting is a security feature often used for limiting and controlling access only to trusted users.

An easy and useful WordPress security plugin to protect your WordPress admin area using IP Whitelist is Hide My WP Ghost.  You can Whitelist the IP addresses or range of IP addresses that you want to have access to the login page on your website.

Limit Login Fail Attempts​​

The hackers try to run some login credentials’ combinations to enter your website. If you limit the login attempts, after the limit exceeds, the user gets blocked for a certain amount of time.

Hide My WP Ghost plugin will allow you to configure the amount of failed login attempts you’d like to permit before blocking that user from further attempts for an amount of time.

Disable XML-RPC Access

The XML-RPC is a system that allows remote access and updates to WordPress from other applications. 

An attacker will try to access your site using xmlrpc.php by using various username and password combinations. They can effectively use a single command to test hundreds of different passwords. This allows them to bypass security tools that typically detect and block brute force attacks.

By disabling xmlrpc.php access, you’ll eliminate the risk of external attacks gaining access to your website.

Change Paths In The Robots.txt​

The robots.txt file is used to tell web crawlers and other well-meaning robots a few things about the structure of a website.

Robots.txt files tell search engines which directories on a web server they can and cannot read.  But also tells hackers the places you don’t want them to look.

This feature in the Hide My WP Ghost plugin will change and remove any path to WordPress common paths that show you’re using a WordPress CMS.

Robots.txt will have the minimum requirements for Google Search Engine to index the website.

Save Your Website & Your Business from Hackers

Upgrade Your Website Security With Hide My WP Ghost

Custom Admin Ajax Path

Change admin-ajax Path

WordPress default ajax URL is /wp-admin/admin-ajax.php. Even though it is located in the wp-admin folder, non-administrative users and also the guests can send requests to them.

There are a few actions that are submitted via WordPress’s admin-ajax.php: make requests to access data and/or delete them.

All the ajax calls in the frontend are made by the default URL /wp-admin/admin-ajax.php. This URL is also used by hackers to upload viruses and scrips on your website.

Using Hide My WP Ghost you can change the ajax path and remove the wp-admin path from ajax URL.

Brute Force with Math Captcha

A CAPTCHA is a feature that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot. 

Websites use forms for registration and signups and to provide services to their users. Bots usually target such forms and fill them with junk information. CAPTCHA is usually implemented to stop such spam registrations from bots.

The Math CAPTCHA feature requests the user to solve a mathematical problem in order to prove human. 

Change Paths in the Sitemap XML

The Sitemap XML is used to improve SEO and will help search engines like Google, Bing, Yahoo, Yandex, and more to better index your site. In simple terms, an XML sitemap is a list of your website’s URLs.

For better Search Engine Optimization we recommend using this feature and change all the images path with the custom ones in sitemap.xml.

Hide My WP Ghost will remove all the Sitemap style added by SEO plugins like Yoast SEO, Squirrly SEO, Google Sitemap XML, that reveal the plugin’s author. The sitemap will be shown as required by Google and other search engines.

Backup/Restore Settings

By creating regular backups, you can secure your custom paths in Hide My WP Ghost are saved in case you reinstall the plugin or you want to setup multiple websites with the same paths and features.

The backup file is encrypted so that the paths are not visible in the backup. 

Once the backup is restored, all the custom paths are automatically applied to the config file.

Weekly Security Check and Reports

Most sites get hacked from entirely preventable issues, like not keeping things updates or using insecure passwords. You can test the vulnerabilities of a WordPress installation and detect any holes and weaknesses of your website.

Hide My WP Security Check will help you :

  • Detect potential security breaches on your site.
  • Identify security or access issues on your website before they become a problem.
  • Determine whether any of your plugins or themes have security vulnerabilities.
  • Verify your site integrity for you.
  • Take preventive measures against attacks.
  • Teaches you how to fix these potential breaches.

Cache & Optimize Speed

Hide My WP Ghost is a speed-optimized plugin.

The average loading time is 0.03s which is faster than 90% of the WordPress plugins.

This will help your website rank better in Search Engine.

If this option is activated, Hide My WP Ghost will activate the caching process for the website static files like CSS, JS, and Images.

Remove pingbacks

Prevent Pingbacks

Pingbacks are modes of communication between WordPress blogs

The functionality should be used to generate cross-references between blogs, but it can just as easily be used for a single machine to originate millions of requests from multiple locations.

According to WPBeginner, 99% of all trackbacks and pingbacks are spam. This is the easiest way for spammers to get a backlink from your site.

It can expose your site’s security to the risk of a DDoS attack, which can interrupt your site and online connection.

When your site is down customers searching for you will be lost and any E-commerce website could become vulnerable.

You can protect against WordPress Pingback vulnerability using Hide My WP Ghost.

Change Register Path

Changing the WordPress register URL has two main benefits:

  • It can strengthen your website’s security by making it slightly harder or even impossible for bots to find your registration page.
  • It’s more user-friendly and offers an opportunity for better branding.

 

Change the register path to prevent spam emails with new user requests.

Custom Register Path

Hide & Change Common Paths

You can hide the fact that you’re using WordPress CMS from Theme Detectors or hackers by changing your permalinks without making changes to the actual locations of your website files.

An important action in protecting your website from hacker attacks is by hiding the WordPress common paths after the path names are changed.

Hide My WP Ghost will add a filter in the config file to show 404 error when the user is not logged on the website and access these paths.

The main paths this option hides are: /wp-content/wp-include/plugins/themes. It will also hide files like upgrade.php and install.php for visitors.

Hide WordPress Version Number

It’s important to hide the version info from all plugins, themes, and WordPress core in order to hide from Theme Detectors.

Your current WordPress version number can be found very easily. It’s basically sitting right there in your site’s source view.

It only takes a couple of minutes for a malicious attacker to run an automated tool that can discover these vulnerabilities and exploit them.

Remove pingbacks

Save Your Website & Your Business from Hackers

Upgrade Your Website Security With Hide My WP Ghost

Custom wp-include Path

Change wp-includes Path

Files in the wp-includes are responsible for how WordPress looks. This folder is large in size, and most of the WordPress core files are stored here.

This folder basically stores the files that enable your WordPress site to function.

WP-includes directory gives away a lot of information about your WordPress to hackers.

It is important to restrict access to the WP-includes folder and files as it contains files strictly meant to run the core version of WordPress.

Custom Plugins Path

Vulnerable plugins and themes are exploited to gain access to your site. Then your pages are injected with something that hackers want.

The easy way to completely hide your WordPress core files, login page, theme, and plugins paths from being shown on the front side. 

Change Plugins Path
Change Themes Path

Change Themes Path

Vulnerable plugins and themes are exploited to gain access to your site. Then your pages are injected with something that hackers want.

The easy way to completely hide your WordPress core files, login page, theme, and plugins paths from being shown on the front side. 

Text Mapping

Changing the class names in the source code will hide the CMS from themes detectors.

With the Text Mapping feature, you can change classes like wp-blocks, wp-post, wp-custom, wp-smiley and more.

With Hide My WP Ghost you can also change classes like Elementor or Woocommerce who need deep CSS and JS mapping

Brute Force - Block Message

Custom attempts, lockout message

By default, when a hacker gets locked out because of too many logins fail attempts, will get the message “Your IP has been flagged for potential security violations. Please try again in a little while…“.

With Hide My Wp Ghost you can change the lockout message and the lockout time. 

Change Logout Path

Changing the logout path will hide the fact that you are using WordPress CMS by customers and subscribers who have access to a custom user panel. 

Is often used when Woocommerce, bbPress, BuddyPress plugins are installed or when the theme has a custom member page.

Custom Logout Path
Custom Login Logout Redirects

Custom login & logout redirects

Hide My WP Ghost comes with custom redirects for each user role. This will come in handy when you need to redirect the members to a member page and the editors or authors to another page once they log in to your website.
 
You can also redirect the hackers to a specific page or show an error message when the hackers access /wp-admin or /wp-login.php.
 
Redirect the protected paths /wp-admin, /wp-login to Front Page or 404 page.

Disable Embed scripts

This feature is useful for many themes, and you may want to keep it enabled on your website.

However, what this means is that it also generates an additional HTTP request on your WordPress site now to load the wp-embed.min.js file. And this loads on every single page.

Hide My WP Ghost comes with the option to disable the embed scripts if you don’t use it.

Disable Embed Scripts

Disable DB-Debug in Frontend

Many plugins come with the option to debug the WordPress admin to find what functions slow it down.

Not all the plugins are disabling the Debug for the database or scripts on the frontend and this may show other WordPress data like version, installed plugins, installed themes, etc.

Hide My WP Ghost will make sure that the Debug is not shown on the frontend for the visitors.

Change Activation Path

The activation process only works in WP Multisite.

Changing the WordPress Activation Path has two main benefits:

  • It can strengthen your security by making it slightly harder for bots to find your activation page.
  • It’s more user friendly and offers an opportunity for better branding.
Custom Activation Path

Save Your Website & Your Business from Hackers

Upgrade Your Website Security With Hide My WP Ghost

Disable WLW Access

Disable WLW Manifest Scripts

If you don’t use Windows Live Writer, then this code is completely useless to you and should be removed.

Hide My WP Ghost will help you disable this function and remove the wlwmanifest link Meta from source code.

Change Comments Path

By default, WordPress has the comments enabled in all posts and the comments.php as the default file to post the comments.

By changing the comments path you will:

  • get rid of the automatic comments posts on the comments.php file.
  • hide the custom path that shows you’re using WordPress CMS
Custom Comments Path
Custom Category Path

Change Category Path

By default, WordPress automatically adds /category/ as a prefix to URLs for all category pages.

With Hide My WP Ghost you can add a custom category prefix for the post category and hide the default one that shows you’re using WordPress.

Change Tags Path

By default, WordPress automatically adds /tags/ as a prefix to URLs for all post tags.

With Hide My WP Ghost you can add a custom tag prefix for the post tags and hide the default one that shows you’re using WordPress.

Custom Tags Path
Custom Lost Password Path

Change Lost Password Path

Even if the lost password parameter is attached to the login page, adding a custom login path will help you have a more user-friendly link

The Lost Password link can help the customers or members to reset the password for their accounts on your website.

Change Register Path

If you activate the register user option on your website you will need to protect it very well.

Changing the WordPress Register Path has two main benefits:

  • It can strengthen your security by making it slightly harder for bots to find your registration page.
  • It’s more user friendly and offers an opportunity for better branding.
Custom Register Path
Custom Uploads Path

Custom Uploads Path

By default WordPress stores all the images in the /uploads/ directory.  

A person, bot or hacker who wants to see all your directory content could read the directory content in the browser like: http://websitename/wp-content/uploads.

In many cases, WordPress websites crashed because a hacker had access to /uploads directory.

Giving the /uploads a custom name is one of the easiest ways to make your WordPress safer.

Hide DNS Prefetch WP Link

DNS prefetching it’s used to resolve domain names (or perform a DNS lookup in the background) before a user clicks on a link. This can improve website performance.

This link will also tell others that you are using WordPress.

Disabling this option will definitely help you hide from theme detectors.

Hide RSD Header
Custom Rest API Path

Hide Rest API (wp-json)

WordPress REST API provides a built-in API that can be integrated with your themes, plugins, mobile apps, etc.

It also lets WordPress to interact with any application, and developers can even use it to build their own APIs.

As xmlrpc, wp-json is a path that is known by hackers and they will try to brute force it in order to obtain data or to break into your website.

Hide My WP Ghost helps you change its name without affecting the website functionality. 

Hide WP Generator Meta

WordPress comes with many headers that point to WordPress CMS. 

One of them is the generator meta that does exactly what is says. Adds a WordPress generator meta in your website’s header side.

Hide My WP Ghost helps you to easily remove that Meta and break any link to WordPress.org.

Hide Generator Meta

Save Your Website & Your Business from Hackers

Upgrade Your Website Security With Hide My WP Ghost

Hide RSD (Really Simple Directory) Header

Really Simple Discovery (RSD) is an XML format and a publishing convention for making services exposed by a blog, or other web software, discoverable by client software.

In our case this header will expose the WordPress service on every website call.

Hiding the RSD header is mandatory when you want to hide the WordPress CSM from Theme Detectors.

This feature also:

  • removes all the WordPress cache plugins headers
  • removes the x-cf-powered-by header
  • removes the Link header
  • removes the rsd_link header
  • removes the PHP info header

Hide Emojicons

Emojis are little icons used to express ideas or emotions. If you don’t use them into your website you don’t need to load them.

Another reason to disable Emojicons is for speed optimization.

You will notice a significant improvement in your page loading when these libraries are not loaded.

Disable Emojicons

Hide wp-image and wp-post classes

Hiding/Changing IDs and Classes in source-code may affect the website’s functionality so this is not recommended if you don’t test the frontend after mapping.

Theme detectors are looking for WordPress common classes and IDs like wp-image, wp-post, wp-blocks, wp-emoji, etc.

With Hide My WP Ghost > Text Mapping you can easily change them with custom names or even remove them.

Change URLs in Ajax Calls

Some plugins are using Lazy Load options to load videos and images only when the user scrolls to that specific image. In this case, the images are usually called through Ajax and you need to be sure that these images’ paths are also changed.

If some themes are loading CSS styles through Ajax you may have CSS duplicates if the paths are not always the same.

Change Paths Ajax Calls
Change Relative URL

Fix Relative URLs

Having all the WordPress common paths changed with the custom ones will avoid any relative URL to point to the old paths.

We recommend using this feature and change all the HTML URLs into absolute URLs.

Do you want to protect your business?

you can do it in just minutes

Hide My WP Ghost

How to Hide From Theme Detectors?

With Hide My WP Ghost you can hide your website from Theme Detectos like 

whatwpthemeisthat.com, wpthemedetector.com, whatcms.org, wpplugins.tips

Rank Math helps you to improve your website ranking
After
Before
Your website ranking before using the Rank Math

Hide My WP Ghost works with
popular WordPress Security Plugins

wpml logo
wp-rocket logo
sucuri logo
wordfence logo
Services
Why is important
to protect your WordPress website from hackers​

Your website is not safe because you’re business is small. Hackers don’t choose the site they attack.

  • There is an attack every 39 seconds on average on the web
  • On average 30,000 new websites are hacked every day
  • WordPress is used by over 35% of all websites

WordPress is one of the main targets for hackers and it may be because it has a massive user-base.

Security of the website is the responsibility of the business, because they control the website. Web security must be taken seriously by businesses. Web security require to protect your website from malicious attacks against your site or users.

Web security problems can lead to the loss of customers’ personal info and financial data. Being secure in the online world becomes more and more important every day and it is vital to protect your website and the data it holds now.

Hide My WP Ghost is a WordPress Security plugin. It changes and hides WP common paths for the Best WP Security against hacker bots.

Don’t let hackers know that you use a WordPress CMS!

Save Your Website & Your Business from Hackers

Upgrade Your Website Security With Hide My WP Ghost