Partly, but not fully. WP Ghost can replace Solid Security’s login path customization, 2FA (in fact, WP Ghost has stronger 2FA with passkey support that Solid’s free version lacks), firewall rules, and path security, with a more comprehensive implementation at the server level. What WP Ghost does not replace is Solid Security’s file integrity monitoring, malware scanning (Solid Pro), password policies, and user security enforcement. If you value site hardening and user policy controls, keep Solid Security and run WP Ghost alongside it. If you value path security and prevention-first defense, WP Ghost alone may be sufficient.
Where WP Ghost Matches or Exceeds Solid Security
Several Solid Security features are duplicated in WP Ghost, and in some cases WP Ghost’s implementation is more thorough:
Custom login path. Solid Security’s “Hide Backend” only changes wp-login.php. WP Ghost changes wp-login, wp-admin, lost password, register, activation, logout, admin-ajax, plus wp-content, plugins, themes, uploads, and REST API. The path security is also applied at the server level through rewrite rules, which is more efficient than PHP-based path rewriting.
Two-factor authentication. Solid Security’s free version does not include 2FA at all (it is a Pro feature). WP Ghost includes 2FA in the free version with three methods: authenticator code (Google Authenticator, Authy), email verification, and passkeys (Face ID, Touch ID, Windows Hello, hardware security keys).
Firewall. WP Ghost includes the 7G and 8G firewall at the server level, blocking SQL injection, XSS, file inclusion, and directory traversal before WordPress loads. Solid Security’s firewall is application-level and runs inside WordPress. The two approaches can coexist, but WP Ghost’s server-level firewall is usually sufficient for prevention.
Brute force protection. Both plugins offer login attempt limits. WP Ghost adds reCAPTCHA (Math, Google V2, V3, Enterprise) and protects more forms: login, lost password, register, comments, and WooCommerce login.
Where Solid Security Goes Further
Solid Security has features WP Ghost does not include, which is why most users run both:
File integrity monitoring. Solid Security scans your WordPress files against known-good versions and alerts you to changes. This catches malware injection that path security cannot prevent.
Malware scanning (Solid Pro). Scheduled malware scans of your file system, looking for known signatures and suspicious code patterns.
Password policies. Enforce minimum password strength, require regular password changes, block known-compromised passwords.
Guided onboarding. Solid Security walks new users through security setup step by step, which some users appreciate.
User security logs. Detailed logging of user security events (logins, permission changes, failed attempts).
Side-by-Side Feature Comparison
| Feature | Solid Security Free | Solid Security Pro | WP Ghost |
|---|---|---|---|
| Path Security (wp-login only) | Yes | Yes | Yes |
| Path Security (wp-admin, wp-content, plugins, themes, uploads, REST API) | No | No | Yes |
| Server-level rewrite rules | No | No | Yes |
| Two-Factor Authentication | No | Yes (code, email) | Yes (code, email, passkeys) |
| Passkey support (Face ID, Touch ID, Windows Hello) | No | No | Yes |
| 7G / 8G Firewall | No | No | Yes |
| Application-level Firewall | Basic | Yes | Yes |
| Brute Force Protection + reCAPTCHA | Basic | Yes | Yes (4 reCAPTCHA types) |
| File Integrity Monitoring | Yes | Yes | No |
| Malware Scanning | No | Yes | No |
| Password Policies | Yes | Yes | No |
| Security Headers (HSTS, CSP, X-Frame-Options) | Partial | Yes | Yes |
| Country Blocking | No | Yes (geolocation) | Yes (Premium) |
| Magic Link Login / Temporary Logins | Magic Links | Magic Links | Both |
Three Scenarios, Three Answers
Scenario 1, You Want Prevention-Focused Security
If your priority is stopping attacks before they happen (path security, firewall, brute force, 2FA), WP Ghost alone is sufficient for most sites. It covers the prevention layer more comprehensively than Solid Security, with 115+ free features and 150+ premium features dedicated to hack prevention. If your hosting already includes malware scanning (common on managed WordPress hosts), WP Ghost may be all you need.
Scenario 2, You Want Full Detection and Hardening
If your priority includes file integrity checks, malware scanning, password policies, and user security logs, keep Solid Security. Add WP Ghost alongside it to handle the prevention layer that Solid Security does not cover well (comprehensive path security, 7G/8G firewall, passkey 2FA). Details on the combined setup in the WP Ghost and Solid Security guide.
Scenario 3, You Want to Switch From Solid Security to WP Ghost
Some users switch away from Solid Security entirely because WP Ghost’s prevention layer blocks most attacks before detection is even needed, and hosting-level malware scanning handles the rare cases that slip through. If you go this route, export your Solid Security settings first (just in case), deactivate Solid Security, activate WP Ghost, and run a Security Check at WP Ghost > Security Check to confirm complete coverage.
How to Run Both Together Without Conflicts
If you decide to keep both, split the features so no two plugins do the same job:
Enable in WP Ghost: All path security features (login, admin, wp-content, plugins, themes, uploads, REST API), 7G/8G firewall, security headers, 2FA with passkeys, Magic Link Login, Temporary Logins, brute force protection on register/lost password/comment forms, hide WordPress common files.
Enable in Solid Security: File integrity monitoring, malware scanning (Pro), password policies, user security logs, database prefix change, and user activity tracking.
Disable in Solid Security: Hide Backend (Solid’s login URL change), 2FA (use WP Ghost’s instead), and any brute force protection on the login form to avoid duplicate reCAPTCHA.
Frequently Asked Questions
Is Solid Security the same as iThemes Security?
Yes. iThemes Security was renamed to Solid Security in November 2023 when it became part of the SolidWP brand. The plugin functionality is the same. WP Ghost is compatible with both the old iThemes branding and current Solid Security branding.
Which plugin should handle the custom login path?
WP Ghost. Its path security uses server-level rewrite rules (.htaccess on Apache, config on Nginx), which is more efficient than PHP-based path changes. WP Ghost also covers more paths than Solid Security. Disable Hide Backend in Solid Security and configure your custom login path in WP Ghost instead.
Should I use Solid Security’s 2FA or WP Ghost’s 2FA?
WP Ghost. Its 2FA is in the free version (Solid’s 2FA requires Pro), and it supports passkeys (Face ID, Touch ID, Windows Hello, hardware keys) which eliminate phishing risks. Use WP Ghost’s 2FA and disable Solid Security’s authentication features to avoid conflicts.
What about WordPress hardening? Both plugins do this.
They overlap partially. Avoid enabling the same hardening step in both plugins. A good split: use Solid Security for database prefix changes and password policies, use WP Ghost for file permissions, SALT regeneration, and path security.
Does this work with WooCommerce?
Yes. WP Ghost is fully compatible with WooCommerce, and Solid Security works with WooCommerce too. Both plugins protect WooCommerce login forms and customer accounts without interfering with cart, checkout, or product pages.
Will running both plugins slow my site down?
Minimally. WP Ghost runs at the server level with near-zero overhead on legitimate traffic. Solid Security runs inside WordPress and adds modest overhead for its scanning and logging features. Combined impact is typically under 100ms per request, less if you have caching enabled.
Does WP Ghost modify WordPress core files?
No. WP Ghost works through server rewrite rules (.htaccess on Apache, hidemywp.conf on Nginx) and WordPress hooks. No core files are modified, so Solid Security’s file integrity monitoring will not flag WP Ghost as a core modification. Deactivating WP Ghost restores every default path and behavior instantly.