Yes, WP Ghost is compatible with AppMySite. The plugin can stay fully active in Safe Mode or Ghost Mode with one adjustment: leave the REST API path at its default /wp-json/ and do not disable REST API access. AppMySite uses the WordPress REST API to sync your site’s content into the mobile app, so that endpoint must stay reachable. Every other WP Ghost feature (login path, admin path, firewall, 2FA, brute force protection, version hiding) works normally alongside AppMySite.

Why AppMySite Needs the REST API

AppMySite turns your WordPress or WooCommerce site into a native mobile app for iOS and Android. To do that, the AppMySite service on the other end needs to read your posts, pages, products, menus, and media from your site and display them inside the mobile app. It does all of that through the WordPress REST API at /wp-json/. Every time the app refreshes content, it sends a request to that endpoint.

If WP Ghost changes the REST API path to something like /api/ or disables public REST API access, AppMySite cannot reach the endpoint and your app either shows stale content or breaks entirely. The fix is simply to leave that one path alone. Everything else WP Ghost does stays active.

The Correct WP Ghost Settings for AppMySite

| WP Ghost Setting | Recommended for AppMySite |
| --- | --- |
| Security Level (Safe Mode or Ghost Mode) | Either works |
| REST API Path (Change Paths > API Security) | Leave at default /wp-json/ |
| Disable REST API Access | Leave OFF |
| Disable rest_route Parameter Access | Leave OFF |
| Custom Login Path | Set freely |
| Custom wp-admin Path | Set freely |
| 7G / 8G Firewall | Enable |
| Brute Force Protection | Enable |
| 2FA (Code, Email, Passkey) | Enable |
| Hide WordPress Common Paths | Enable |
| Security Headers | Enable |

Setup Steps

  1. Install and activate WP Ghost alongside the AppMySite plugin as normal.
  2. Choose your security level under WP Ghost > Change Paths > Level of Security (Safe Mode or Ghost Mode).
  3. Go to WP Ghost > Change Paths > API Security and confirm the REST API path is set to the default /wp-json/.
  4. On the same screen, make sure Disable REST API Access and Disable rest_route Parameter Access are both switched OFF.
  5. Configure everything else (login path, firewall, 2FA, brute force, hide common paths) however you want. None of those features interfere with AppMySite.
  6. Save, clear your cache, and test the AppMySite preview to confirm the app still syncs correctly.

For the deeper dive on the REST API setting, see the Change REST API Path with WP Ghost tutorial.
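
A scripted version of the checks in steps 3, 4 and 6, added here as an example (it is not WP Ghost or AppMySite code): it requests the REST API index at /wp-json/ and through the rest_route parameter, and reports whether each returns the WordPress API index. The verdict names, the User-Agent string, and the assumption that a working index lists the wp/v2 namespace are this example's own.

```python
import json
import sys
import urllib.error
import urllib.request

def classify(status, content_type, body):
    """Classify one response from a REST API root URL (verdict names are this example's)."""
    if status == 404:
        return "not-found"   # e.g. the REST path was renamed or a rewrite rule is missing
    if status in (401, 403):
        return "blocked"     # e.g. REST access disabled, or a firewall rule matched
    if status != 200:
        return "error"
    if "json" not in content_type.lower():
        return "not-json"    # e.g. an HTML page served instead of the API index
    try:
        index = json.loads(body)
    except ValueError:
        return "not-json"
    namespaces = index.get("namespaces") if isinstance(index, dict) else None
    # Assumption: a working WordPress index lists the core "wp/v2" namespace.
    if isinstance(namespaces, list) and "wp/v2" in namespaces:
        return "ok"
    return "unexpected"

def fetch(url, timeout=10):
    """Return (status, content_type, body); status 0 means no HTTP response."""
    req = urllib.request.Request(url, headers={"User-Agent": "rest-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), err.read()
    except urllib.error.URLError:
        return 0, "", b""

def check_site(base_url, fetcher=fetch):
    """Probe both ways WordPress exposes the REST index."""
    base = base_url.rstrip("/")
    return {
        "/wp-json/": classify(*fetcher(base + "/wp-json/")),
        "/?rest_route=/": classify(*fetcher(base + "/?rest_route=/")),
    }

if __name__ == "__main__":
    results = check_site(sys.argv[1])   # e.g. https://your-site.example
    for path, verdict in results.items():
        print(f"{path:16} {verdict}")
    sys.exit(0 if all(v == "ok" for v in results.values()) else 1)
```

Run it with your site's base URL after saving and clearing the cache; a non-zero exit means at least one of the two URLs did not return the API index.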

What If the App Still Cannot Connect

If you followed the steps above and AppMySite still shows connection errors or stale content, there are a few more things to check. The firewall might be flagging AppMySite’s requests as suspicious, especially if you enabled aggressive header rules. Temporarily switch off Add Security Headers for XSS and Code Injection Attacks under WP Ghost > Firewall > Header Security and retry. If that resolves it, add AppMySite’s server IPs to your WP Ghost whitelist under WP Ghost > Firewall > Whitelists so the headers can stay on for everyone else.

Also check that your AJAX path is not blocking legitimate requests. Go to WP Ghost > Change Paths > Ajax Security and, if you customized the AJAX path, temporarily revert it to the default admin-ajax.php and switch off “Hide wp-admin from Ajax path” to rule out AJAX-related issues. More detailed troubleshooting is available in the connection issues with third-party apps guide.

Security You Still Get with AppMySite Running

Leaving the REST API path at default does not mean leaving your API unprotected. WP Ghost still blocks REST API abuse through the firewall, which catches malicious patterns in API requests (SQL injection attempts, malformed payloads, etc.) before they hit WordPress. You can also whitelist only AppMySite’s IPs if you want to restrict the REST API to trusted sources, though most AppMySite setups do not require this because AppMySite authenticates its requests.

More importantly, the highest-value WP Ghost features (hidden login path, hidden admin path, blocked XML-RPC, brute force protection with reCAPTCHA, 2FA including passkeys, hidden plugins and themes, 7G/8G firewall) all work at full strength. Path security and API access are separate layers, so you lose none of the first by keeping the second default.

Frequently Asked Questions

Does WP Ghost work with AppMySite?

Yes. WP Ghost is fully compatible with AppMySite. The only requirement is to leave the REST API path at /wp-json/ and not disable REST API access, because AppMySite uses the REST API to sync your WordPress content into your mobile app. Every other WP Ghost feature (login path, admin path, firewall, 2FA, brute force) works alongside AppMySite without issues.

Why can’t I change the REST API path when using AppMySite?

AppMySite’s app service connects to your site through the default /wp-json/ endpoint to fetch posts, products, menus, and media. If you change that path, AppMySite sends requests to a URL that no longer exists and the app either breaks or serves stale content. Keeping the path default is the simplest compatibility requirement.

Is the REST API still secure if I keep the default path?

Yes. WP Ghost’s 7G and 8G Firewall still inspect REST API requests for malicious patterns like SQL injection and XSS attempts. If you want an extra layer, whitelist only AppMySite’s server IPs under WP Ghost > Firewall > Whitelists, which restricts REST API access to trusted sources without breaking the app.

Can I use Ghost Mode with AppMySite, or should I stick to Safe Mode?

Both work. Ghost Mode is more aggressive (it also hides /wp-admin and /admin-ajax.php), but as long as the REST API path stays default, it runs fine with AppMySite. If you see issues, start with Safe Mode and enable Ghost Mode features incrementally, testing AppMySite after each change.

Does this apply to other mobile app builders like BuddyBoss App?

Yes, the same rule applies to any WordPress-to-app service that relies on the REST API. BuddyBoss App, WPMobile.App, MobiLoud, and similar platforms all need the default REST API path active. See the WP Ghost with BuddyBoss FAQ for that specific setup.

Does WP Ghost modify WordPress core files?

No. WP Ghost uses server-level rewrite rules and WordPress filters. No core files, theme files, or plugin files (including AppMySite’s) are modified. Deactivating WP Ghost restores every original path and default instantly, without affecting AppMySite’s integration.