WP Ghost (formerly Hide My WP Ghost) is a hack-prevention WordPress security plugin that reduces your site’s attack surface by changing and hiding default WordPress paths, blocking bot traffic with 7G/8G firewall rules, enforcing security headers, enabling two-factor authentication including passkeys, and protecting against brute force attacks. It focuses on preventing hacks before they happen rather than cleaning up after a breach.

How WP Ghost Protects Your Site

Every WordPress installation uses the same predictable paths: /wp-admin, /wp-login.php, /wp-content/plugins/, /wp-json/, and /xmlrpc.php. Automated bots scan millions of sites per day, looking for exactly these paths to confirm a target runs WordPress and to fingerprint installed plugins and themes. Once a bot knows your CMS and your plugins, it checks vulnerability databases and attacks automatically.

WP Ghost breaks this cycle at the first step. It changes all those default paths to custom URLs that bots don’t expect. If a bot probes /wp-login.php and gets a 404 error, it cannot launch a brute force attack. If it scans for /wp-content/plugins/contact-form-7/ and finds nothing, it cannot target that plugin’s vulnerabilities. The bot moves on to an easier target. That is what hack prevention means: you don’t just react to attacks, you make them impossible to start.

Core Security Features

Path security. WP Ghost changes and hides over 30 WordPress paths including the admin, login, register, lost password, logout, activation, admin-ajax.php, wp-includes, wp-content, uploads, plugins (including individual plugin names), themes (including individual theme names), REST API, and author paths. Bots scanning for standard WordPress structure find nothing recognizable.

7G and 8G Firewall. Server-level firewall rules filter incoming requests and block SQL injection, cross-site scripting (XSS), file inclusion exploits, directory traversal, and other malicious patterns before they reach WordPress core. This runs at the rewrite layer, so malicious requests are stopped with minimal server overhead.

Brute force protection. Rate limiting on login, registration, lost password, comments, and WooCommerce login forms. Supports Math reCAPTCHA, Google reCAPTCHA V2, and Google reCAPTCHA V3. Custom attempt limits, timeout settings, and automatic IP blocking for repeat offenders.

Two-factor authentication. 2FA by code (authenticator apps), email, and passkey. Passkey support includes Face ID, Touch ID, Windows Hello, and hardware security keys. Passkeys eliminate phishing risks and credential theft entirely.

Security headers. Strict-Transport-Security, Content-Security-Policy, X-XSS-Protection, X-Content-Type-Options, and X-Frame-Options. These tell browsers how to handle your content securely and prevent clickjacking, content sniffing, and cross-site scripting.

Additional protections. Disable REST API, XML-RPC, embed scripts, directory browsing, right-click, inspect element, and view source. Hide WordPress version, generator meta, RSD header, style IDs, HTML comments, and common files like wp-config.php and readme.html. Text mapping, URL mapping, and CDN mapping for complete fingerprint removal.

Works Alongside Other Security Plugins

WP Ghost is designed to complement, not replace, other security tools. It works alongside Wordfence, Solid Security, Sucuri, WP Cerber, BBQ Firewall, and many others. The recommended approach is to let WP Ghost handle path security and the firewall while the other plugin handles malware scanning or advanced activity monitoring. WP Ghost also works with all major caching plugins, WooCommerce, and page builders like Elementor. See the full compatible plugins list and compatible themes list.

Free vs Premium

WP Ghost Free includes 115+ features: path security for all core paths, 7G and 8G firewall, brute force protection, 2FA with code, email, and passkey support, security headers, text and URL mapping, temporary logins, magic link login, and 115+ hardening options. WP Ghost Premium adds the Security Threats Log, User Events Log, country blocking, file permission management, database prefix changes, SALT regeneration, and priority support. For a full breakdown, see the Free vs Premium comparison.

Getting Started

Install WP Ghost from the WordPress plugin directory or upload it through Plugins > Add New in your dashboard. After activation, go to WP Ghost > Change Paths and load one of the four security presets: Minimal, Safe Mode + Compatibility, Safe Mode + Full Protection, or Ghost Mode + Full Protection. The Safe Mode + Compatibility preset is recommended for most sites. Customize your login path, clear your cache, and run the Security Check to verify everything works. The entire setup takes under five minutes. See the WP Ghost Tutorial for a complete walkthrough.
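As an independent cross-check of the setup above, the following added example (not WP Ghost's own code or its Security Check) audits HTTP responses captured from your own site for the default paths and security headers this page names. The `audit` function, the body-marker patterns, and the `BEFORE`/`AFTER` captures are assumptions constructed for illustration.

```python
import re

# Default paths and response headers named on this page.
DEFAULT_PATHS = ["/wp-admin/", "/wp-login.php", "/wp-content/plugins/",
                 "/wp-json/", "/xmlrpc.php", "/readme.html"]
EXPECTED_HEADERS = ["Strict-Transport-Security", "Content-Security-Policy",
                    "X-XSS-Protection", "X-Content-Type-Options", "X-Frame-Options"]
# Source markers that still identify WordPress when the paths return 404.
BODY_MARKERS = {
    "generator meta": re.compile(r'<meta[^>]+name=["\']generator["\'][^>]*WordPress', re.I),
    "default asset path": re.compile(r"/wp-(?:content|includes)/", re.I),
    "RSD link": re.compile(r'rel=["\']EditURI["\']', re.I),
}

def audit(responses, home="/"):
    """responses: path -> (status, headers, body), captured from your own site."""
    findings = []
    for path in DEFAULT_PATHS:
        # Any answer other than 404 (200, a redirect, 403, 405) tells a scanner something is there.
        if path in responses and responses[path][0] != 404:
            findings.append(f"default path {path} answered {responses[path][0]}")
    _, headers, body = responses[home]
    sent = {name.lower() for name in headers}  # header names are case-insensitive
    for name in EXPECTED_HEADERS:
        if name.lower() not in sent:
            findings.append(f"missing header {name}")
    for label, pattern in BODY_MARKERS.items():
        if pattern.search(body):
            findings.append(f"homepage source leaks {label}")
    return findings

# Constructed sample captures (not real traffic): default install vs. hardened site.
BEFORE = {
    "/": (200, {"Content-Type": "text/html"},
          '<meta name="generator" content="WordPress 6.5">'
          '<link rel="stylesheet" href="/wp-content/themes/demo/style.css">'),
    "/wp-admin/": (302, {}, ""),
    "/wp-login.php": (200, {}, ""),
    "/xmlrpc.php": (405, {}, ""),
}
AFTER = {
    "/": (200, {h.lower(): "set" for h in EXPECTED_HEADERS},
          '<link rel="stylesheet" href="/assets/demo/style.css">'),
    "/wp-admin/": (404, {}, ""),
    "/wp-login.php": (404, {}, ""),
    "/xmlrpc.php": (404, {}, ""),
}

if __name__ == "__main__":
    for label, capture in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(capture))
```

An empty list for the hardened capture means none of the listed fingerprints remain; the homepage body check matters because asset URLs in the page source can reveal WordPress even when every default path returns 404.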

Frequently Asked Questions

Is WP Ghost the same as Hide My WP Ghost?

Yes. The plugin was renamed from “Hide My WP Ghost” to “WP Ghost” to reflect its expanded focus beyond path hiding. It now covers firewall protection, 2FA, brute force protection, security headers, and more. The plugin slug and all settings remain the same. If you had Hide My WP Ghost installed, the update to WP Ghost is automatic with no configuration changes needed.

Is WP Ghost just about hiding WordPress?

No. While path security is the foundation, WP Ghost is a full hack-prevention suite. It includes a 7G/8G firewall, brute force protection on five form types, 2FA with passkey support, security headers, country blocking (Premium), IP block automation, and security logging. Hiding WordPress paths is one layer of a multi-layer defense strategy.

Will WP Ghost slow down my site?

No. WP Ghost uses lightweight rewrite rules and server-level filtering. It does not perform heavy file scans or database checks on every page load. By blocking bot traffic before it reaches WordPress, WP Ghost can actually reduce your server load. Most users report no measurable performance difference after activation.

Does WP Ghost work with WooCommerce?

Yes. WP Ghost is fully compatible with WooCommerce. Product pages, cart, checkout, and customer login all work normally with path security enabled. Brute force protection also covers WooCommerce login forms.

Does WP Ghost modify WordPress core files?

No. WP Ghost uses rewrite rules, WordPress filters, and output buffering to apply all security features at runtime. No WordPress core files, plugin files, or theme files are modified. Deactivating WP Ghost restores all original paths and settings instantly.