WP Ghost is available in two versions: a free version on WordPress.org with over 115 security features, and a Premium version with over 150 security features focused on security intelligence, automated response, and advanced site hardening. Both versions share the same core hack-prevention engine.
Paths Security
| Feature | Free | Premium |
|---|---|---|
| Change wp-admin path | Yes | Yes |
| Change wp-login.php path | Yes | Yes |
| Change lost password, register, activation, logout paths | Yes | Yes |
| Change wp-content path | Yes | Yes |
| Change wp-includes path | Yes | Yes |
| Change uploads path | Yes | Yes |
| Change author path | Yes | Yes |
| Change comments path | Yes | Yes |
| Change admin-ajax.php path | Yes | Yes |
| Change REST API wp-json path | Yes | Yes |
| Change plugin directory path | Yes | Yes |
| Change theme directory path | Yes | Yes |
| Hide plugin names with random names | Yes | Yes |
| Hide theme names with random names | Yes | Yes |
| Hide WordPress old plugins path | Yes | Yes |
| Hide WordPress old themes path | Yes | Yes |
| Hide WordPress common paths | Yes | Yes |
| Custom theme style name | Yes | Yes |
| Custom login/logout/register redirects by user role | Yes | Yes |
| Frontend Test to verify paths load correctly | Yes | Yes |
| Change paths in cache files | Yes | Yes |
| Change paths in sitemaps | Yes | Yes |
| Change paths in robots.txt | Yes | Yes |
| Change paths in RSS feeds | Yes | Yes |
| Ghost Mode (maximum path security preset) | – | Yes |
| Hide file extensions (PHP, CSS, JS, JSON, HTML, TXT, LOCK, media) | – | Yes |
| Hide WordPress common files (wp-config.php, readme.html, license.txt, php.ini, debug.log) | – | Yes |
| Manually customize each individual plugin name | – | Yes |
| Manually customize each individual theme name | – | Yes |
Firewall
| Feature | Free | Premium |
|---|---|---|
| 7G Firewall filter | Yes | Yes |
| 8G Firewall filter | Yes | Yes |
| Script injection protection | Yes | Yes |
| SQL injection protection | Yes | Yes |
| Security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection) | Yes | Yes |
| Remove unsafe headers (PHP version, server info, server signature) | Yes | Yes |
| Block Theme Detector crawlers | Yes | Yes |
| IP whitelist | Yes | Yes |
| IP blacklist | Yes | Yes |
| User agent blacklist | Yes | Yes |
| Referrer blacklist | Yes | Yes |
| Hostname blacklist | Yes | Yes |
| Whitelist paths | Yes | Yes |
| Automate IP blocking (auto-block repeat offenders) | – | Yes |
| Configure automation rules (attacks, time window, block duration) | – | Yes |
| Block AI Crawler Bots at firewall level (30+ crawlers) | – | Yes |
| Automatic robots.txt Disallow rules for AI crawlers | – | Yes |
| AI crawler list updated automatically with each release | – | Yes |
Brute Force Protection
| Feature | Free | Premium |
|---|---|---|
| Protection on login form | Yes | Yes |
| Protection on lost password form | Yes | Yes |
| Protection on signup form | Yes | Yes |
| Protection on comments form | Yes | Yes |
| Protection on WooCommerce login, signup, lost password | Yes | Yes |
| Google reCAPTCHA v2, v3, Enterprise | Yes | Yes |
| Math reCAPTCHA | Yes | Yes |
| Custom attempt limits | Yes | Yes |
| Custom lockout duration | Yes | Yes |
| Custom warning messages | Yes | Yes |
| Block wrong usernames immediately | Yes | Yes |
Authentication (2FA, Passkeys, Magic Login)
| Feature | Free | Premium |
|---|---|---|
| Two-Factor Authentication by code | Yes | Yes |
| Two-Factor Authentication by email | Yes | Yes |
| Two-Factor Authentication by passkey (Face ID, Touch ID, Windows Hello) | Yes | Yes |
| User selects preferred 2FA method in profile | Yes | Yes |
| Trust current browser (skip 2FA on trusted devices) | Yes | Yes |
| Magic Link login (one-time passwordless email link) | Yes | Yes |
| Temporary Logins (time-limited access links) | Yes | Yes |
Security Monitoring & Logs
| Feature | Free | Premium |
|---|---|---|
| Security Optimization Score (0-100) with dynamic gauge | Yes | Yes |
| GEO Threats Map with top 5 threat countries | Yes | Yes |
| Threats prevented chart (7-day view) | Yes | Yes |
| Lifetime attacks blocked counter | Yes | Yes |
| Weekly domain security monitoring email | Yes | Yes |
| Security Check with numeric score and task list | Yes | Yes |
| Notification to activate firewall when unblocked threats detected | Yes | Yes |
| Security Threats Log (last 20 entries) | Yes | Yes |
| User Events Log (last 20 entries) | Yes | Yes |
| Security Threats Log with full history, unlimited entries | – | Yes |
| User Events Log with full history, unlimited entries | – | Yes |
| Filter logs by threat type | – | Yes |
| Filter logs by status | – | Yes |
| Filter logs by country | – | Yes |
| Filter logs by time range | – | Yes |
| Full-text search in logs | – | Yes |
| Log pagination | – | Yes |
| Export Security Threats Log to CSV | – | Yes |
| Export User Events Log to CSV | – | Yes |
| Click GEO map country to open filtered threats log | – | Yes |
| Extended log retention (configurable) | – | Yes |
| Cloud storage for events log (30-day retention) | – | Yes |
| Log user roles filter | – | Yes |
| Real-time email alerts for brute force and suspicious activity | – | Yes |
Geo Security
| Feature | Free | Premium |
|---|---|---|
| GEO Threats Map on Overview dashboard | Yes | Yes |
| Top 5 threat countries with attack counts | Yes | Yes |
| Country Blocking (block entire countries) | – | Yes |
| Path-based country blocking (block countries on specific paths) | – | Yes |
Login Page Designer
| Feature | Free | Premium |
|---|---|---|
| Custom logo with live preview | Yes | Yes |
| Custom logo link URL | Yes | Yes |
| Background image with blur and overlay controls | Yes | Yes |
| Page background color | Yes | Yes |
| Form background color | Yes | Yes |
| Button color | Yes | Yes |
| Text color | Yes | Yes |
| Link color | Yes | Yes |
| 12 layout presets | Yes | Yes |
| 10 color scheme presets | Yes | Yes |
| Balanced Split layout preset | – | Yes |
Hiding & Footprint Removal
| Feature | Free | Premium |
|---|---|---|
| Remove WordPress version tags | Yes | Yes |
| Remove Generator meta tag | Yes | Yes |
| Remove RSD header | Yes | Yes |
| Remove WLW Manifest link | Yes | Yes |
| Remove WordPress HTML comments | Yes | Yes |
| Hide admin toolbar by user role | Yes | Yes |
| Hide REST API URL link | Yes | Yes |
| Hide rest_route parameter | Yes | Yes |
| Disable emoticons script | Yes | Yes |
| Text Mapping (change class names and IDs in source code) | Yes | Yes |
| URL Mapping (change URLs dynamically) | Yes | Yes |
| CDN Mapping | Yes | Yes |
| Hide Source Map References | Yes | Yes |
| Hide User Enumeration | Yes | Yes |
Disable Options
| Feature | Free | Premium |
|---|---|---|
| Disable XML-RPC | Yes | Yes |
| Disable REST API access for non-authenticated users | Yes | Yes |
| Disable rest_route parameter access | Yes | Yes |
| Disable embed scripts | Yes | Yes |
| Disable database debug | Yes | Yes |
| Disable directory browsing | Yes | Yes |
| Disable right-click (for visitors and by user role) | Yes | Yes |
| Disable Inspect Element (for visitors and by user role) | Yes | Yes |
| Disable View Source (for visitors and by user role) | Yes | Yes |
| Disable Copy/Paste (for visitors and by user role) | Yes | Yes |
| Disable Drag/Drop (for visitors and by user role) | Yes | Yes |
Database & Server Hardening
| Feature | Free | Premium |
|---|---|---|
| Security Check identifies permission, prefix, username, SALT issues | Yes | Yes |
| Fix weak admin/administrator usernames | Yes | Yes |
| Fix file and directory permissions (quick and complete) | – | Yes |
| Change database table prefix | – | Yes |
| Regenerate WordPress SALT keys | – | Yes |
| Fix WordPress debugging mode | – | Yes |
| Fix script debugging mode | – | Yes |
| Disable plugin/theme editor | – | Yes |
Setup & Compatibility
| Feature | Free | Premium |
|---|---|---|
| One-click security presets (3 levels) | Yes | Yes |
| Frontend Test and Login Check | Yes | Yes |
| Backup and restore settings | Yes | Yes |
| Pause plugin for 5 minutes for safe testing | Yes | Yes |
| Dark mode support | Yes | Yes |
| Translations in 16 languages | Yes | Yes |
| Compatible with Apache, Nginx, LiteSpeed, IIS | Yes | Yes |
| Compatible with 20+ hosting providers | Yes | Yes |
| Compatible with WooCommerce, Elementor, Divi, WPML, and 50+ plugins | Yes | Yes |
| Compatible with WP Rocket, LiteSpeed Cache, Cloudflare, and 15+ cache plugins | Yes | Yes |
Support
| Feature | Free | Premium |
|---|---|---|
| Knowledge base (wpghost.com/kb) | Yes | Yes |
| Community support (WordPress.org forums) | Yes | Yes |
| Free setup assistance | Yes | Yes |
| Priority support with direct access to security experts | – | Yes |
| Faster response times | – | Yes |
Frequently Asked Questions
Is the free version of WP Ghost enough to protect my site?
Yes, for most WordPress sites. The free version includes full path security, the 7G and 8G Firewall, brute force protection with reCAPTCHA, three types of two-factor authentication including passkeys, security headers, and basic security monitoring. This blocks the majority of automated bot attacks. Premium is recommended for sites that need automated IP blocking, country blocking, full security logs with filters and export, or priority support.
What features are only in WP Ghost Premium?
The main Premium-exclusive features are IP Block Automation, full Security Threats Log and User Events Log with filters, search, pagination, and CSV export, Country Blocking (entire site and path-based), AI Crawler Blocking at the firewall level, Ghost Mode, extended file and path hiding (file extensions, common files), database prefix change, SALT key regeneration, file permission fixes, cloud event storage, real-time email alerts, and priority support.
Can I upgrade from Free to Premium without losing my settings?
Yes. All settings from the free version are preserved when you upgrade. Premium installs as an extension that unlocks additional features while keeping your existing configuration intact.
Does WP Ghost Free include a firewall?
Yes. Both the 7G and 8G Firewall filters are fully included in the free version with no limitations. The firewall blocks SQL injection, XSS, script injection, file inclusion, directory traversal, and automated vulnerability scans at the server edge before they reach WordPress.
Does WP Ghost Free include two-factor authentication?
Yes. The free version includes 2FA by code, 2FA by email, and 2FA by passkey (Face ID, Touch ID, Windows Hello). All three methods are fully functional with no limitations.
What is the difference between Lite Mode and Ghost Mode?
Lite Mode is available in the free version and changes the most important WordPress paths to custom URLs. Ghost Mode is a Premium feature that applies the maximum security configuration, changing all paths, hiding all file extensions, and enabling all available hiding options in a single click.
Does WP Ghost slow down my website?
No. WP Ghost is engineered for zero-bloat performance. The firewall operates at the server edge using lightweight rules, and path security works through rewrite rules and filters rather than heavy database scans.
How much does WP Ghost Premium cost?
Visit https://wpghost.com/pricing for current pricing. Premium is licensed per site per year with volume discounts for agencies managing multiple sites.