Convert relative URL paths to absolute URLs so WP Ghost can rewrite them consistently across your entire site. Some WordPress themes and plugins use relative paths (like /wp-content/themes/flavor/style.css) instead of full absolute URLs (like https://yourdomain.com/wp-content/themes/flavor/style.css). Relative paths can slip past WP Ghost’s path rewriting because they don’t include the domain prefix that WP Ghost looks for when replacing paths. One toggle converts them all to absolute URLs that WP Ghost can process.
A relative URL defines a path without the domain name. The browser resolves it relative to the current page. An absolute URL includes the full domain, protocol, and path – the complete address of the resource.
For example, the same stylesheet can be referenced two ways:
Relative: /wp-content/themes/flavor/style.css
Absolute: https://yourdomain.com/wp-content/themes/flavor/style.css
Both load the same file. But they behave very differently when WP Ghost tries to rewrite paths. WP Ghost scans the HTML output for full URL patterns that include your domain. Relative paths don’t contain the domain, so they can slip through the rewriting process unchanged – leaving default WordPress paths visible in your source code.
This is one of the most common reasons why some WordPress paths remain visible in the page source even after WP Ghost is properly configured. Here’s why it matters for your hack prevention strategy:
Relative paths bypass WP Ghost’s rewriting. WP Ghost replaces full URL patterns like https://yourdomain.com/wp-content/ with your custom path. If a theme outputs the same reference as /wp-content/themes/flavor/style.css (without the domain), WP Ghost doesn’t match it. The default /wp-content/ path appears in your page source unchanged. You’ve done everything right – changed the path, enabled hiding – but one relative reference leaks the original structure.
Different themes and plugins use different URL styles. There’s no WordPress standard enforcing absolute or relative URLs. Some theme developers use relative paths for stylesheets, scripts, and images. Some plugins output relative URLs for their assets. Even within the same theme, some files may use absolute URLs while others use relative. This inconsistency means WP Ghost may rewrite some paths but miss others – creating a patchwork where some resources show custom paths and others reveal the originals.
Cached files amplify the problem. If your caching plugin stores a page that contains relative URLs, those relative references are baked into the cache. Even if WP Ghost later rewrites the dynamic output, the cached version still serves the original relative paths. Converting to absolute URLs before caching ensures the cached files contain rewritable URLs from the start.
It reveals your WordPress structure to scanners. A relative path like /wp-content/plugins/woocommerce/assets/css/woocommerce.css tells scanners three things: you use WordPress, you use WooCommerce, and the default directory structure is intact. One missed relative URL can undo the hiding work of twenty other WP Ghost features.
One toggle. WP Ghost automatically converts all relative paths in your HTML output to absolute URLs before applying path rewriting.
After saving, open your site in a private browser window and view the page source. Search for relative paths like /wp-content/ or /wp-includes/. If the feature is working, all paths should appear as full absolute URLs using your custom paths.
If you’ve activated path changes in WP Ghost but the frontend still shows original WordPress paths (like /wp-content/ or /wp-includes/), the changes aren’t being applied. Work through these checks.
This is the most common cause. Your cache plugin is serving a cached version of the page from before the path changes. Clear your WordPress cache plugin (WP Rocket, LiteSpeed Cache, W3 Total Cache, etc.), CDN cache (Cloudflare, etc.), and browser cache. Then check the frontend in an incognito window. Also enable Change Paths in Cached Files at WP Ghost > Change Paths so future cached CSS and JS files include the new paths.
Go to WP Ghost > Change Paths > Level of Security and confirm that Safe Mode or Ghost Mode is selected (not Default). If Default is selected, no path changes are applied. After selecting a mode, click Save and clear caches again.
On Apache servers, WP Ghost writes rewrite rules to .htaccess. If the file isn’t writable or mod_rewrite is disabled, path changes silently fail. Check that .htaccess is writable (permissions 644) and mod_rewrite is enabled. On Nginx servers, the hidemywp.conf file must be included in your Nginx config and the service restarted. See Nginx Config Setup.
Other plugins can interfere with WP Ghost’s output buffer processing. Deactivate other plugins one at a time and check the frontend after each. Common conflicts include other security plugins with their own rewrite rules, optimization plugins that process HTML output, and cache plugins that bypass WordPress entirely (full-page caching at server level). See Plugin or Theme Conflicts for the full conflict isolation process.
By default, WP Ghost does not change paths in the admin dashboard when logged in as an administrator. Test the frontend in a logged-out incognito window to see the actual visitor experience. If you need paths changed in the admin area too, see Change Paths in Admin Dashboard.
If you’ve lost access to the admin dashboard, see the emergency disable guide.
Clear all caches – WordPress caching plugin, CDN, server cache – and test again in a private browser. If you use a caching plugin, make sure Change Paths in Cached Files is also enabled. Some paths may be generated by JavaScript after page load (client-side rendering), which WP Ghost can’t intercept since it processes server-side HTML output. These are rare and typically don’t affect security scanners, which read the initial HTML response.
If you’ve lost access or something broke, check the emergency disable guide, use the rollback settings, or add a constant in wp-config.php to disable WP Ghost temporarily.
If you’re seeing default WordPress paths in your page source despite having WP Ghost properly configured, relative URLs are the most likely cause. Enable this feature and check again. If all your paths are already showing as custom after WP Ghost’s rewriting, your theme and plugins are already using absolute URLs and you may not need it – but enabling it doesn’t hurt.
The impact is negligible. WP Ghost converts relative URLs to absolute during page generation, which adds a tiny amount of processing time. The difference is undetectable in practice. If you use a caching plugin, the conversion only happens once when the cache is built – subsequent page loads serve the cached version with no additional processing.
It can slightly help SEO. Search engines handle both relative and absolute URLs, but absolute URLs are more explicit and eliminate any ambiguity about which resource is being referenced. Some SEO best practices recommend absolute URLs for canonical clarity. The change won’t dramatically affect rankings, but it removes a potential source of URL confusion.
Yes. WooCommerce assets, stylesheets, and scripts that use relative paths are converted to absolute URLs just like any other theme or plugin output. WP Ghost is fully compatible with WooCommerce.
No. The conversion happens at runtime through WordPress output filters. No files are modified on disk. The original relative URLs in your theme and plugin files remain unchanged. WP Ghost only converts them in the HTML output sent to the browser. Disabling the feature restores the original relative URLs instantly.
Ensure all your paths are rewritten consistently:
Replace the default wp_ database prefix with a random one to protect against SQL injection…
Change the WordPress uploads directory path with WP Ghost (rewrite rules, no files moved) or…
Configure WP Ghost with WP Rocket cache. Enable file optimization, Change Paths in Cache Files.…
https://youtu.be/6ylhojSi-_E In this video, we’ll explore why website security matters and what can happen if…
The security of your WordPress site depends on multiple factors, such as the strength of…
Step-by-step guides to connect WP Ghost 2FA with Google Authenticator, Authy, Microsoft Authenticator, or LastPass.…