Prevent Hack Attacks

WP Ghost is a proactive hack-prevention plugin that reduces your WordPress attack surface before exploitation happens. WordPress powers 43% of all websites, making its default structure the most targeted in the world. WPScan tracks over 64,000 known WordPress vulnerabilities, and thousands of new ones are disclosed every year. Bots don’t need a genius hacker behind them – they follow scripts that target predictable WordPress paths, exploit known plugin vulnerabilities, and brute force login pages. WP Ghost blocks these bots before they reach your plugins, themes, and WordPress core by changing the paths they rely on, filtering malicious requests through firewall rules, and enforcing login security with 2FA and reCAPTCHA.

Why WordPress Sites Get Hacked

Most WordPress attacks are automated. Bots scan the internet for sites running WordPress, identify the plugins and themes installed by checking default paths like /wp-content/plugins/plugin-name/, and then run known exploits against vulnerable versions. The entire process is scripted. The bot doesn’t need to know anything about your specific site – it just needs WordPress to be in its default configuration. Every WordPress site that uses standard paths is equally easy to target.

The problem isn’t WordPress itself – it’s the predictability. Every WordPress installation uses the same directory structure: /wp-admin/ for the dashboard, /wp-login.php for login, /wp-content/plugins/ for plugins, /wp-content/themes/ for themes. Many plugin and theme authors don’t secure their code completely, creating vulnerabilities that bots exploit through these known paths.

How WP Ghost Prevents Attacks

WP Ghost takes a different approach from most security plugins. Instead of scanning for malware after a breach or monitoring for suspicious activity during an attack, WP Ghost prevents attacks from succeeding in the first place by eliminating the paths and patterns that bots rely on.

If bots can’t find the door, they can’t break it.

WP Ghost replaces every default WordPress path with custom names. The login page moves to a URL only you know. Plugin and theme directories get random names. The wp-admin, wp-includes, and wp-content directories are all renamed. When a bot scans for /wp-login.php, it gets a 404. When it tries to access /wp-content/plugins/vulnerable-plugin/, the path doesn’t exist. The bot’s script fails before any vulnerable code is reached.
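One way to check this behaviour from the server side, as an added example that is not WP Ghost's own code: the script below reads web server access logs and reports which clients are probing default WordPress paths and receiving 404s, and which default paths still answer. It assumes logs in combined log format; the sample log lines, the `analyze` function name, and the three-path threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Default WordPress files and directories named on this page.
DEFAULT_PATHS = re.compile(
    r"^/(?:(?:wp-login\.php|readme\.html|license\.txt|wp-config\.php)$"
    r"|wp-admin(?:/|$)|wp-includes/|wp-content/(?:plugins|themes)/)"
)

# Combined log format: client IP, request target, and status code.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:[A-Z]+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample input (documentation IP ranges, hypothetical plugin name).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "scanner"
203.0.113.7 - - [12/Mar/2025:10:00:01 +0000] "GET /wp-content/plugins/example-plugin/readme.txt HTTP/1.1" 404 162 "-" "scanner"
203.0.113.7 - - [12/Mar/2025:10:00:02 +0000] "GET /wp-admin/ HTTP/1.1" 404 162 "-" "scanner"
198.51.100.20 - - [12/Mar/2025:10:01:10 +0000] "GET /shop/cart/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2025:10:01:12 +0000] "GET /favicon.png HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2025:10:02:00 +0000] "GET /readme.html?x=1 HTTP/1.1" 200 7400 "-" "curl/8.0"
"""


def analyze(log_text, min_paths=3):
    """Return (scanners, exposed) for an access log given as text."""
    probes = defaultdict(set)  # client IP -> default paths that returned 404
    exposed = set()            # default paths that still answered (status < 400)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue           # skip lines that are not in combined log format
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        path = target.split("?", 1)[0]   # ignore the query string
        if not DEFAULT_PATHS.match(path):
            continue
        if status == 404:
            probes[ip].add(path)
        elif status < 400:
            exposed.add(path)
    # A client that hits several distinct default paths is following a script.
    scanners = {ip: sorted(p) for ip, p in probes.items() if len(p) >= min_paths}
    return scanners, sorted(exposed)


if __name__ == "__main__":
    scanners, exposed = analyze(SAMPLE_LOG)
    print("Clients probing default paths:", scanners)
    print("Default paths still reachable:", exposed)
```

A non-empty second list means a default path is still being served and the path configuration should be reviewed.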

On top of path security, WP Ghost adds firewall rules that block SQL injection, script injection, and other common attack vectors. Brute force protection with reCAPTCHA stops automated password guessing. Two-factor authentication ensures that even a compromised password isn’t enough to gain access.

The Security Layers

WP Ghost protects your site through five complementary security layers. Each layer blocks a different type of attack. Together, they provide comprehensive hack prevention.

Path Security

The core of WP Ghost. Change and secure every default WordPress path so bots and scanners can’t identify or target your site’s structure.

Safe Mode vs Ghost Mode – Understand the two security levels and which to choose.

Customize Paths with WP Ghost – Change all default WordPress paths in Safe Mode or Ghost Mode.

Change the Login Path – Move wp-login.php to a custom URL only you know.

Change the wp-admin Path – Rename the admin dashboard URL.

Change the wp-content Path, Plugins Path, Themes Path, wp-includes Path – Rename every core directory.

Hide Common Paths and Files – Block access to readme.html, license.txt, wp-config.php, and default directories.

Hide from Theme Detectors – The complete checklist for passing all detection tools.

Firewall Protection

Block malicious requests before they reach your WordPress installation.

Firewall Security – 7G and 8G firewall rules for injection protection.

Security Headers – HSTS, CSP, X-Frame-Options, and other protective headers.

Geo Security – Block traffic from specific countries (Premium).

Login and Authentication Security

Protect the login process from brute force attacks and unauthorized access.

Brute Force Protection – Login attempt limits with Math reCAPTCHA, Google V2, V3, or Enterprise.

Two-Factor Authentication – Code, Email, and Passkey (Face ID, Touch ID, Windows Hello) verification.

Temporary Logins – Time-limited access links without sharing passwords.

Magic Link Login – Passwordless login via email link.

Monitoring and Logging

Track what’s happening on your site so you can respond to threats quickly.

Security Threats Log – Monitor blocked attacks and firewall activity (Premium).

User Events Log – Track dashboard user actions with cloud storage (Premium).

Security Monitor – Weekly cloud-based scanning from the WP Ghost Dashboard (Premium).

Security Check – Run 39 security tasks to verify your configuration.

Hardening and Cleanup

Remove secondary signals and lock down WordPress features that attackers exploit.

Hide WordPress Version – Strip version numbers from source code.

Text Mapping – Replace WordPress class names in HTML source.

Disable XML-RPC – Block the XML-RPC endpoint used for brute force attacks.

Clean Sitemap and Robots.txt – Remove WordPress fingerprints from sitemaps and crawl rules.

Getting Started

Follow these guides in order for a complete security setup:

  1. Install WP Ghost (or Install Premium).
  2. Customize your WordPress paths in Safe Mode or Ghost Mode.
  3. Activate brute force protection on your login page.
  4. Verify your site passes theme detectors with the complete hiding checklist.
  5. Run a Security Check to confirm your configuration.

For a one-click setup instead of manual configuration, use Preset Security Options. For the complete manual reference, see WP Ghost Settings Best Practice.

Works With Other Security Plugins

WP Ghost is designed to work alongside other security plugins, not replace them. Each handles a different layer of protection:

WP Ghost reduces the attack surface by changing paths and blocking bots before they reach vulnerable code. It focuses on prevention.

Wordfence, Solid Security, Shield Security, and similar plugins focus on malware scanning, real-time threat intelligence, and post-breach detection.

You don’t need to deactivate other security plugins when installing WP Ghost. They complement each other. WP Ghost stops attacks at the door. Other plugins monitor what happens inside.

Frequently Asked Questions

How is WP Ghost different from Wordfence or Sucuri?

Most security plugins react to attacks – they scan for malware, monitor for suspicious activity, and alert you when something goes wrong. WP Ghost prevents attacks from succeeding in the first place by eliminating the paths and patterns that bots use to find and exploit vulnerabilities. It’s proactive prevention vs reactive detection. Use them together for the best protection.

Are bots really the main threat?

Yes. The vast majority of WordPress attacks are automated. Bots scan millions of sites looking for known vulnerabilities in plugins and themes. They don’t specifically target your site – they target every site running WordPress with default paths. By changing those paths, your site drops off their radar entirely.

Is changing paths enough to be secure?

Path security is the foundation, but it shouldn’t be your only layer. WP Ghost also includes firewall rules, brute force protection, 2FA, security headers, and monitoring. Beyond WP Ghost, keep WordPress, plugins, and themes updated. Use strong passwords. Maintain regular backups. Security works best as multiple overlapping layers.

Does this work with WooCommerce?

Yes. WP Ghost is fully compatible with WooCommerce. Cart, checkout, product pages, and customer accounts all work normally with changed paths.

Does WP Ghost modify WordPress core files?

No. WP Ghost never modifies, moves, or renames any file on your server. All path changes use server rewrite rules and WordPress hooks. Deactivating the plugin restores all defaults instantly.