WP GHOST 9.0 - APRIL 2026 UPDATE

115+ free features. 150+ in PRO

No performance cost

The most complete WordPress hack prevention plugin: path security, 7G/8G firewall, brute force protection, full 2FA, AI crawler blocking, and deep security logging. Start free, upgrade when you need more.

What's Included

Everything your site needs to stay secure

Each category targets a distinct class of attack. Enabling all of them removes the surface area most attacks depend on.

Path & URL security

Default WordPress paths like wp-admin and wp-content are the first things automated scanners look for. WP Ghost renames them to custom URLs only you know, ensuring bots find nothing but a dead end. PRO adds Ghost Mode, allowing you to hide every path, file extension, and WordPress signal with a single click.

7G / 8G Firewall

The 7G and 8G firewalls stop threats like SQL injection and XSS at the server level before they ever touch your site. This lightweight approach ensures your security doesn't come at the cost of performance or speed. PRO goes further by automatically blocking repeat-offender IPs and stopping 30+ AI crawlers from scraping your content.

Brute Force Protection

WP Ghost locks down every login, registration, and WooCommerce form against automated password-guessing attacks. You can easily deploy reCAPTCHA or Math CAPTCHA while setting custom lockout rules that fit your needs. All 11 brute force tools are fully included in the free version for complete, day-one coverage.

2FA, Passkeys & Magic Login

Since WordPress doesn't include two-factor authentication, WP Ghost adds it for free via email, apps, or Passkeys. Your users can log in securely using biometrics like Face ID or Touch ID, removing the need for extra hardware. We’ve also included Magic Links for those who prefer a quick, passwordless email login.

Security Monitoring & Logs

Keep a pulse on your site’s health with a real-time Security Optimization Score and a visual GEO Threat Map. The free version tracks your last 20 security events and sends a weekly digest straight to your inbox. PRO unlocks the full vault, offering unlimited history, full-text search, and CSV exports for professional audits.

Geo Security & Country Blocking

Our GEO Threat Map shows exactly which countries are targeting your site so you can take informed action. With PRO, you can block entire countries site-wide or restrict access to sensitive areas like your admin panel. This stops high-risk traffic at the border without the need for expensive third-party services.

Login Page Designer

First impressions matter, so we built a designer that replaces the generic WordPress login with your own branded experience. Choose from 12 layouts and 10 color schemes to build client trust while removing visual CMS fingerprints. Every design tool is free to use and includes a live preview builder.

Database & Server Hardening

The Security Check tool hunts down 12 common weaknesses, such as default database prefixes and insecure SALT keys. It highlights your biggest risks with a severity score so you know exactly what to fix first. PRO lets you rename your DB prefix and correct file permissions in just one click.

Content & Code Protection

Stop casual content theft and site probing by disabling right-click, copy/paste, and "Inspect Element". These simple tweaks make it much harder for attackers to map your site structure or scrape your original work. All 11 protection controls are free and can be assigned to specific user roles.

AI Crawler Blocking

Don't let AI bots like GPTBot or Claude-Web use your hard-earned content for training without your permission. WP Ghost PRO blocks over 30 AI crawlers at the firewall level and automatically manages your robots.txt rules. We update the list with every release to ensure you stay protected against the latest AI threats.

WordPress Footprint Removal

Most hackers use automated tools to detect WordPress version tags, generator links, and REST API exposures. WP Ghost scrubs these HTML signals and uses Text Mapping to rewrite class names and IDs in your source code. This ensures your plugins and themes stay hidden from prying eyes, with all 14 footprint removal features included for free.

Setup & Compatibility

Launch in seconds with three one-click security presets: Lite, Safe Mode, or Ghost Mode. Use the Frontend Test to verify custom paths before saving, plus enjoy full backups and 16 language translations. Compatible with Apache, Nginx, LiteSpeed, and over 50 major tools like WooCommerce, Elementor, and WP Rocket.

Free vs PRO

Exactly what you get at each level

Filter by category to find the features that matter most.

FEATURE

FREE

PRO

Path & URL Security

Change wp-admin path

Change wp-login.php path

Change plugin & theme directory paths

Custom login/logout/register redirects by user role

Hide plugin & theme names with random names

Change paths in cache, sitemaps, RSS, robots.txt

Change REST API wp-json path

Ghost Mode - maximum security preset PRO

Hide common WP files (wp-config, readme, debug.log) PRO

Manually customize individual plugin & theme names PRO

Hide file extensions (PHP, CSS, JS, HTML, JSON…) PRO

Change wp-content, wp-includes, uploads paths

Firewall & IP Control

7G Firewall

8G Firewall

SQL injection & script injection protection

IP whitelist / blacklist

Security headers (HSTS, CSP, X-Frame-Options, XSS)

Block theme detector crawlers

User agent, referrer & hostname blacklists

Automate IP blocking (repeat offenders) PRO

Configurable automation rules PRO

AI Crawler Blocking (30+ crawlers) New PRO

Auto robots.txt Disallow rules for AI crawlers PRO

2FA, Passkeys & Login

Brute force protection on all forms

Google reCAPTCHA v2, v3, Enterprise + Math CAPTCHA

2FA by authenticator code

2FA by email

2FA by passkey (Face ID, Touch ID, Windows Hello)

Magic Link passwordless login

Temporary time-limited logins for collaborators

Trust current browser (skip 2FA on trusted devices)

Security Monitoring & Logs

Security Optimization Score (0–100) New

GEO Threats Map - top 5 attack countries New

Weekly domain security monitoring email

Security Threats Log (last 20 entries)

User Events Log (last 20 entries)

Full Security Threats Log - unlimited history PRO

Full User Events Log - unlimited history PRO

Filter logs by type, status, country, time range PRO

Full-text search + pagination in logs PRO

Export logs to CSV PRO

Cloud storage for event logs (30-day retention) PRO

Real-time email alerts for suspicious activity PRO

Database & Server Hardening

Security Check - identify weak usernames, prefix, SALT, permissions

Fix weak admin/administrator usernames

Regenerate WordPress SALT keys PRO

Fix file & directory permissions PRO

Change database table prefix PRO

Fix WordPress & script debugging mode PRO

Disable plugin/theme editor PRO

Geo Security

GEO Threats Map on dashboard

Top 5 threat countries with attack counts

Country Blocking - block entire countries PRO

Path-based country blocking PRO

Who Is WP Ghost For?

Find the right plan for your situation

Different sites have different risk profiles and different needs. Here’s what each type of user actually relies on, and what WP Ghost provides for them.

Blogger & personal site owner

Solid protection for one or two sites, free forever. No subscription, no complexity.

Most popular

Small business & WooCommerce

Your site generates revenue. You need to know when something happens, and prevent it before it does.

Developer & agency

You manage multiple client sites. You need consistent security, safe contractor access, and a trail you can show clients.

Frequently asked questions

Is WP Ghost Free enough to protect my WordPress site?

Yes, for most sites. WP Ghost Free includes 115+ features: full path and URL security, the 7G and 8G Firewall, brute force protection with reCAPTCHA on all login forms, all three 2FA methods including passkeys, security headers, and basic monitoring. This stops the vast majority of automated bot attacks. Upgrade to PRO if you need automated IP blocking, country blocking, full security logs with CSV export, AI crawler blocking, or one-click database hardening.

Lite Mode (Free) changes the most critical WordPress paths – wp-admin, wp-login.php, and the main content directories.

Ghost Mode (PRO) provides advanced path security in a single click: it renames every path, hides file extensions (PHP, CSS, JS, HTML, JSON), and restricts access to core files like wp-config.php and readme.html. The result is a site with no detectable WordPress fingerprint, making it invisible to automated vulnerability scanners, crawlers, and targeted bots.

Yes. All three 2FA methods are fully included in the free version with no limitations: TOTP authenticator code, email verification, and passkey authentication via Face ID, Touch ID, or Windows Hello. Users select their preferred method from their WordPress profile. Trusted devices can skip 2FA after first verification. Note: WordPress core does not ship with 2FA – WP Ghost adds it at no additional cost.

Yes, in PRO. WP Ghost PRO blocks 30+ AI training and scraping crawlers, including GPTBot, Claude-Web, CCBot, and others, at the server firewall level before they reach your WordPress application. It automatically generates robots.txt Disallow rules for each blocked crawler. The list is maintained and updated with every plugin release so newly identified crawlers are covered automatically.

WP Ghost Free covers path and URL security, the 7G/8G firewall, complete brute force protection, all 2FA methods, basic security monitoring, and WordPress footprint removal (115 features in total). WP Ghost PRO adds: Ghost Mode (maximum security preset), AI Crawler Blocking (30+ bots), automated IP blocking with configurable rules, country blocking site-wide or per path, full Security Threats and User Events Logs with filters, full-text search, and CSV export, database prefix change, SALT regeneration, file permission fixes, 30-day cloud log storage, real-time email alerts, and priority support.

No. The 7G/8G firewall runs at the web server level as Apache or Nginx rewrite rules, before any PHP process is invoked. Path security operates through rewrite rules and WordPress filters, not database queries or file scanning. WP Ghost is fully compatible with WP Rocket, LiteSpeed Cache, Cloudflare, and all major caching configurations.

Yes. WP Ghost PRO is a plugin that replaces the free plugin during installation. All existing settings, custom paths, and configurations are preserved. No reconfiguration is needed, and there is no downtime during the upgrade.

Protect your WordPress site before it's too late

Join 250,000+ site owners who’ve stopped brute force attacks, hidden their WordPress install, and secured their logins with WP Ghost.

Free forever · 30-day money-back guarantee on PRO · No credit card required