This is expected behavior when WP Ghost’s path security is active. The default /wp-admin/ and /wp-login.php URLs are intentionally hidden to block bot attacks, so visiting them returns a 404 or redirects to the homepage. To log in, use the custom login path you set during WP Ghost setup (for example, yourdomain.com/my-login). If you have lost or forgotten your custom path, or cannot access it, WP Ghost includes recovery options: the SAFE URL parameter to bypass path security temporarily, the HMW_DISABLE constant in wp-config.php, and an FTP folder rename to fully deactivate the plugin.
Why /wp-admin/ Redirects to the Homepage
WP Ghost’s Hide “wp-admin” option is active by default when you activate Safe Mode or Ghost Mode. When enabled, requests to /wp-admin/ return a 404 or redirect to the homepage instead of forwarding to the login page. This is exactly what you want from a security perspective, bots scanning for WordPress sites check /wp-admin/ first, and when they get no response, they move on to easier targets.
Option 1. Use Your Custom Login Path (Correct Way)
If you set a custom login path during WP Ghost setup, use that path instead of /wp-admin/. For example, if your custom path is my-login, visit yourdomain.com/my-login. This is how WP Ghost is designed to work, /wp-admin/ is hidden from bots, and your custom path becomes the secure entry point that only you and your team know.
Common places to find your custom login path:
WP Ghost setup text file. When you activated Safe Mode or Ghost Mode, WP Ghost prompted you to download a text file containing your custom paths and the SAFE URL. Check your downloads folder for a file named something like wp-ghost-paths.txt.
Welcome email. On activation, WP Ghost sends an email to the site administrator listing the configured paths.
WP Ghost Dashboard. If your site is connected to the WP Ghost Dashboard (cloud), the paths and SAFE URL are saved there.
See Change and Hide Login Path for the full feature overview.
Option 2. Allow /wp-admin/ to Redirect to Login
If you want the default WordPress behavior where /wp-admin/ redirects non-logged-in users to the login page, disable the Hide option:
1. Go to WP Ghost > Change Paths > Admin Security. 2. Switch off Hide “wp-admin”. 3. Click Save.
With Hide “wp-admin” off, accessing /wp-admin/ redirects non-logged-in users to your custom login page. The admin path itself is still changed to your custom name, so bots scanning for /wp-admin/ are redirected rather than finding the admin dashboard directly, you just get the convenience of the default redirect behavior.
Option 3. Cannot Access the Dashboard at All
If you cannot log in through any path, cannot find your custom URL, or something else is broken, WP Ghost has three layered recovery options.
Recovery 1. The SAFE URL Parameter
When you activated Safe Mode or Ghost Mode, WP Ghost generated a SAFE URL parameter for emergency access. Append this parameter to any admin URL to bypass WP Ghost’s path security for one session. The SAFE URL is stored in the text file you downloaded during setup and in the welcome email.
Format: yourdomain.com/wp-login.php?your-safe-parameter
Recovery 2. The HMW_DISABLE Constant
If the SAFE URL does not work or you cannot find it, disable WP Ghost entirely through wp-config.php via FTP:
1. Connect to your site via FTP or your host’s File Manager. 2. Open wp-config.php in the site root. 3. Add this line anywhere above the “/* That’s all, stop editing! */” comment:
define( 'HMW_DISABLE', true );
4. Save the file. WP Ghost is now fully disabled, and /wp-admin/ and /wp-login.php work with default WordPress behavior. 5. Log in, remove the line from wp-config.php to re-enable WP Ghost.
Recovery 3. Rename the Plugin Folder
If the constant does not work, rename the WP Ghost plugin folder via FTP. WordPress treats this as a missing plugin and automatically deactivates it:
1. Via FTP, navigate to /wp-content/plugins/ (or your custom plugins path if already configured). 2. Rename hide-my-wp to hide-my-wp-disabled or similar. 3. Visit your default WordPress admin URL, yourdomain.com/wp-admin/, which now works again. 4. Log in, optionally rename the folder back to reactivate.
Full recovery documentation in How to Disable WP Ghost in Case of an Error.
Prevent Future Lockouts
Three quick practices reduce the chance of locking yourself out again:
Save your custom paths somewhere persistent. Store the WP Ghost setup text file in a password manager, cloud drive, or team documentation. Do not rely on finding it in your downloads folder six months later.
Whitelist your admin IP. If you work from a stable IP address, add it to WP Ghost’s whitelist so you never get caught by brute force rules during your own work. See Whitelist IPs and Paths.
Enable 2FA with passkeys. Passkeys (Face ID, Touch ID, Windows Hello) provide fast login without remembering passwords, and eliminate the phishing and brute force risks that often cause users to get locked out chasing failed login attempts. See Two-Factor Authentication and Passkey 2FA.
Frequently Asked Questions
Why would I want /wp-admin/ hidden in the first place?
Because /wp-admin/ is the most-scanned URL on WordPress sites. Hacker bots send thousands of requests per minute to default WordPress paths looking for admin dashboards to brute force. When /wp-admin/ returns a 404, your site drops out of the bot target list entirely, no more brute force attempts, no more admin probing, no more background attack traffic.
I lost my custom login URL. How do I recover it?
Check three places in order: your downloads folder for the WP Ghost setup text file (usually named with “paths” or “ghost” in the filename), the welcome email WP Ghost sent on activation, and your WP Ghost Dashboard if the site is connected. If all three fail, use the HMW_DISABLE constant or FTP folder rename to regain access, then check your custom path in WP Ghost > Change Paths and save it properly this time.
Is it safer to leave /wp-admin/ hidden or redirect?
Hiding is safer because it gives zero signal that WordPress exists. Redirecting still reveals the site runs WordPress, because the redirect URL pattern is recognizable. For maximum security, keep Hide “wp-admin” active and remember your custom login path. For convenience (and slightly lower security), allow the redirect.
Does the SAFE URL expire or stop working?
The SAFE URL stays valid as long as WP Ghost is active with the same configuration. If you regenerate paths or reinstall WP Ghost, a new SAFE URL is created. Always keep the latest SAFE URL saved somewhere you can access without logging into WordPress (password manager, email, cloud document).
Does hiding /wp-admin/ affect WordPress functionality?
No. Once you are logged in, all admin functionality works exactly as before. Themes, plugins, WooCommerce, settings, all accessible through your custom admin path. Only the public-facing URL changes, the WordPress admin functionality is unaffected.
Does WP Ghost modify WordPress core files?
No. WP Ghost works through server rewrite rules (.htaccess on Apache, hidemywp.conf on Nginx) and WordPress hooks. The /wp-admin/ block and custom login path are handled by rewrite rules, not file modifications. Deactivating WP Ghost through any of the recovery methods restores the default /wp-admin/ and /wp-login.php behavior instantly.