WP Ghost

Introduction

WP Ghost (short for Hide My WP Ghost) is a comprehensive hack-prevention security solution for WordPress websites. It adds multiple layers of security to block hacker bots and prevent unauthorized access.

It works by changing and hiding common vulnerabilities, making it difficult for bots and hackers to exploit weak points in plugins, themes, and the WordPress core itself.

What is Hack Prevention?

Hack prevention is the proactive approach to securing a website against unauthorized access, data breaches, and malware infections.

It involves implementing multiple layers of security measures to block common attack vectors such as:

  • Brute Force Attacks
  • SQL Injection Attacks
  • Script Injection Attacks
  • Malware Injection
  • XML-RPC attacks
  • File Inclusion Exploits
  • Vulnerability Exploits
  • Directory Traversal Attacks
  • Default WP Paths Exploits
  • Cross-Site Scripting (XSS)
  • Throttling of Access Attempts to Entry Points
  • Signup and Comment Spam
  • and more

Hack prevention minimizes vulnerabilities, strengthens login protections, and reduces visibility to potential attackers, ensuring a secure and resilient WordPress site.

Key Security Features

  • Path Security: WP Ghost changes and hides critical paths (such as common paths, plugin paths, theme paths, and login URLs), preventing bots from exploiting well-known WordPress entry points.
  • 8G Firewall Protection: Blocks harmful traffic before it reaches your site by filtering malicious IPs, bad bots, and common attack patterns at the server edge.
  • Header Security: Enforces secure HTTP headers to protect against attacks such as clickjacking, MIME sniffing, and cross-site scripting (XSS).
  • Anti-Spam Blocking: Filters and blocks bad bots, eliminating spam and preventing unnecessary crawling. This saves bandwidth, reduces server load, and improves overall site performance.
  • Brute Force Protection: Limits login attempts and blocks suspicious IPs to prevent brute-force attacks and credential-stuffing attempts.
  • Two-Factor Authentication (2FA): Adds an extra verification layer to user logins, protecting accounts even if passwords are compromised.
  • Passkey Authentication (Passwordless 2FA): Enables secure, passwordless login using device-based passkeys such as Face ID, Touch ID, Windows Hello, or hardware security keys. Passkeys eliminate phishing risks, prevent credential theft, and provide stronger authentication than traditional passwords or one-time codes.
  • Security Threats Log: Provides a detailed log of blocked and attempted attacks, including brute-force attempts, bot scans, firewall blocks, and suspicious behavior. This gives site owners visibility into real attack activity and helps validate the effectiveness of WP Ghost’s hack prevention mechanisms.
  • Country Blocking: Allows blocking access from specific countries to reduce exposure to high-risk regions and targeted attack traffic.

In addition to these core features, WP Ghost monitors for vulnerabilities and sends email alerts for failed attempts or risky actions, providing users with a proactive, easy-to-manage security solution. It’s designed to work with popular plugins and themes without disrupting your site, delivering an effective shield against common WordPress threats.

Security Features

Change Paths

  • Change wp-admin path
  • Change wp-login.php path
  • Change lost password path
  • Change register path
  • Change logout path
  • Change activation path
  • Change admin-ajax.php path
  • Change wp-comments-posts.php path
  • Change wp-includes path
  • Change wp-content/uploads path
  • Change comments path
  • Change author path
  • Change wp-content/plugins path
  • Change plugins name (customize each plugin name)
  • Change wp-content/themes path
  • Change themes name (customize each theme name)
  • Custom theme style.css name
  • Change REST API wp-json path

Path Security

  • Hide wp-admin path and show 404 error or a custom page
  • Hide wp-admin path for non-admin users
  • Hide wp-login.php and show 404 error or a custom page
  • Hide wp-login path and show 404 error or a custom page
  • Hide login path and show 404 error or a custom page
  • Hide admin-ajax path
  • Hide wp-admin from admin-ajax.php path
  • Hide wp-content path
  • Hide wp-includes path
  • Hide wp-content/uploads path and sub paths
  • Hide wp-comments-posts.php
  • Hide author path
  • Hide author ID access
  • Hide wp-content/plugins path and sub paths
  • Hide wp-content/themes path and sub paths
  • Hide REST API wp-json path
  • Hide rest_route parameter
  • Hide wp-config.php & wp-config-sample.php
  • Hide wp-load.php
  • Hide wp-settings.php
  • Hide wp-blog-header.php
  • Hide bb-config.php
  • Hide install.php
  • Hide license.txt, readme.txt & readme.html
  • Hide php.ini, error-log & debug.log
  • Hide WordPress Common Paths by Extension
  • Hide Admin Toolbar based on user role
  • Hide style IDs and META IDs
  • Hide WordPress HTML comments
  • Hide Version and WordPress Tags
  • Hide WordPress Generator Meta
  • Hide RSD (Really Simple Discovery) header
  • Hide Emoticons if you don’t use them

Disable Options

  • Disable REST API access
  • Disable XML-RPC access
  • Disable Embed scripts
  • Disable DB-Debug in Frontend
  • Disable WLW Manifest scripts
  • Disable Select All – Ctrl+A (Windows and Linux), ⌘+A (macOS)
  • Disable Copy – Ctrl+C (Windows and Linux), ⌘+C (macOS)
  • Disable Cut – Ctrl+X (Windows and Linux), ⌘+X (macOS)
  • Disable Paste – Ctrl+V (Windows and Linux), ⌘+V (macOS)
  • Disable Save – Ctrl+S (Windows and Linux), ⌘+S (macOS)
  • Disable Inspect Element/Developer Tool – Ctrl+Shift+I (Windows and Linux), ⌘+⌥+I (macOS)
  • Disable View Source – Ctrl+U (Windows and Linux), ⌘+U (macOS)
  • Disable Right Click
  • Disable Drag-Drop
  • Disable Image Dragging by Mouse
  • Disable Text Selection
  • Disable Directory Browsing

Redirects

  • Custom login redirects based on user role
  • Custom logout redirects based on user role
  • Custom redirects for hidden paths
  • Automatically redirect logged users to dashboard

Mapping & Changing

  • Change class names & IDs using Text Mapping
  • Change URLs using URL Mapping
  • Change CDN domains using CDN Mapping
  • Change URLs from Relative to Absolute
  • Change paths in Ajax calls
  • Change paths for Logged Users
  • Change paths in Cache Files
  • Change paths in the Sitemap XML
  • Change paths in the Robots.txt

Firewall

  • 7G Firewall Security Filter
  • 8G Firewall Security Filter
  • Firewall against Script Injections and SQL Injection
  • Two-Factor Authentication by Code (2FA)
  • Two-Factor Authentication by Email (2FA)
  • Two-Factor Authentication by Passkey (2FA)
  • Security Headers against XSS & Code Injections
  • Security Header Strict-Transport-Security
  • Security Header Content-Security-Policy
  • Security Header X-XSS-Protection
  • Security Header X-Content-Type-Options
  • Security Header X-Frame-Options
  • Block by IP Addresses
  • Block by User Agents
  • Block by Referrers
  • Block by Hostnames
  • Hide Website from Theme Detectors
  • Security Threats Filters

Brute Force Protection

  • Brute Force Protection with Math reCAPTCHA
  • Brute Force Protection with Google reCAPTCHA V2
  • Brute Force Protection with Google reCAPTCHA V3
  • Brute Force Protection on Login
  • Brute Force Protection on Password Lost
  • Brute Force Protection on Signup
  • Brute Force Protection on Comment
  • Brute Force Protection on WooCommerce Login
  • Brute Force Protection shortcode
  • Custom attempts, timeout, message
  • Manage Blacklist and Whitelist IPs

Geo Security

  • Country Blocking
  • Path-based country blocking

Security Check & Fix

  • Files & Folders Permission Fix
  • Database ‘wp’ Prefix Fix
  • Weak username login Fix
  • SALT keys Fix
  • WordPress debugging Fix
  • Script debugging Fix
  • Plugin editing Fix

Extra Features

  • Temporary Logins Without Password
  • Fix relative URLs
  • Backup and Restore settings
  • Change classes on source code using Text Mapping
  • Change URLs on source code using URL Mapping
  • Cache CSS, JS, and Images to optimize the loading speed
  • Load Security Presets for quick configuration
  • Weekly security checks and reports
  • Events/Actions Monitoring (Cloud Support)
  • Security Threats Monitoring
  • Brute Force Monitoring
  • Hide My WP Premium Feature

Free & Pro Features

While WP Ghost’s free version offers robust protection, the premium version provides additional advanced features for enhanced security, such as:

Security Threats Log (Advanced Hack Prevention): Provides an extended and detailed security threats log, showing blocked attacks, exploit attempts, bot scans, and suspicious behavior. This advanced logging helps validate protection efficiency, analyze attack patterns, and proactively harden your site against future threats.

Extended Hiding Options: Pro users have the option to hide additional WordPress elements, such as wp-content, wp-includes, wp-content/uploads, and other identifiable WordPress paths and files, providing an even higher level of protection.

Country Blocking: Allows you to restrict access to your WordPress site based on geographic location, blocking traffic from specific countries to reduce hacking attempts, spam, and malicious activities while improving security and performance.

User Events Log: Tracks and records security-related activities on your WordPress site, including login attempts, plugin installation and removal, brute force attacks, blocked requests, and other suspicious actions, providing detailed logs to monitor activity and quickly detect potential threats.

Priority Support: With the Pro version, users get access to priority support, ensuring timely assistance for any issues or questions that arise during use.

Why Choose WP Ghost?

WP Ghost is designed for simplicity and security, making it an attractive choice for website owners, bloggers, e-commerce store owners, and enterprise-level administrators.

Here are some reasons why WP Ghost is the ideal WordPress security solution:

Ease of Use: WP Ghost’s intuitive interface and setup wizard mean that even beginners can enhance their website security without feeling overwhelmed. The plugin’s preconfigured settings ensure that users can start with secure defaults and gradually explore more advanced options as they gain confidence.

Fast & Robust: WP Ghost is engineered to provide powerful security features without compromising site performance. By avoiding direct alterations to WordPress core files, it remains lightweight and compatible with core updates, ensuring that your site stays secure without unnecessary slowdowns.

Update and Support: WP Ghost is actively maintained and updated, with regular updates that address emerging security threats and improve functionality. The plugin’s support team is available to assist with any questions or issues, ensuring a smooth and effective security experience.