Hide your WordPress theme from detectors by changing the themes path, renaming theme directories, and customizing the style.css filename with WP Ghost. Your theme is one of the easiest things to identify on a WordPress site. The path /wp-content/themes/theme-name/ appears in every CSS and JavaScript reference, and tools like BuiltWith, Wappalyzer, and WhatWPThemeIsThat can identify it in seconds. WP Ghost gives you six layers of theme security to shut this down completely.
The themes path is the directory where WordPress stores all installed themes and their files. Each theme lives in its own subfolder containing PHP templates, CSS stylesheets, JavaScript files, images, and configuration files.
By default, it sits at: https://yourdomain.com/wp-content/themes/
Your active theme’s directory name appears throughout your page source. Every stylesheet loaded from /wp-content/themes/astra/style.css tells the world you’re using Astra. Every template part loaded from /wp-content/themes/generatepress/template-parts/ confirms GeneratePress. And the style.css file in every theme’s root directory contains the theme name, version, author, and description in its header comments – a complete fingerprint readable by any tool that requests the file.
Theme detectors don’t need to be clever. They read your page source, find /wp-content/themes/, extract the directory name, and look up the theme. Done. That’s why the themes path is one of the most important paths to secure.
Your theme identity is one of the most valuable pieces of intelligence an attacker can gather. It tells them exactly which vulnerabilities to check for, which exploit scripts to run, and which attack patterns to use. Here’s why this matters as part of your hack prevention strategy:
Themes have vulnerabilities too, not just plugins. According to the WPScan vulnerability database, themes account for a significant portion of the 64,782 tracked WordPress vulnerabilities. Popular themes like Avada, Divi, and Astra have all had documented security issues. When a scanner identifies your theme name and version, it immediately cross-references that against known CVEs. If your version matches a vulnerability, the automated exploit follows in milliseconds. Change the theme path and name, and the scanner can’t identify what to exploit.
Theme detectors are freely available and widely used. Tools like WhatWPThemeIsThat, BuiltWith, and Wappalyzer can identify your theme name, version, and often your child theme in seconds. They work by scanning your page source for /wp-content/themes/ patterns and reading the style.css header. Competitors, scrapers, and attackers all use these tools. WP Ghost’s theme security makes these tools return nothing. For the complete approach, see our guide to hiding from WordPress theme detectors.
The style.css file is a complete fingerprint. Every WordPress theme has a style.css file with a standardized header that includes the theme name, URI, version, author, and description. Requesting this file gives attackers everything they need without even looking at your page source. WP Ghost lets you rename this file to break this detection method entirely.
Inactive themes are targets too. WordPress keeps inactive themes on the server. If those themes have known vulnerabilities, attackers can target their files directly through the /wp-content/themes/ path, even though the theme isn’t active. Hiding all theme names (not just active ones) blocks this vector.
WP Ghost offers six layers of theme protection under the Themes Security tab. Each targets a different detection method. For maximum invisibility, enable all of them.
Before you can change any paths, one of WP Ghost’s security levels must be active.
Need help choosing? Check the Safe Mode vs Ghost Mode comparison.
This replaces the /themes/ subdirectory name within wp-content. Instead of /wp-content/themes/your-theme/, your CSS and JS files will load from /wp-content/your-custom-name/your-theme/. This alone breaks every scanner that looks for the /themes/ keyword.
Changing the themes path hides the word “themes” but still shows your actual theme directory name (like “astra” or “generatepress”). This option replaces all active theme directory names with randomly generated codes. The directory /astra/ becomes something like /t7k2m/ in your page source.
Hide Theme Names only renames active themes. But inactive themes still sit on your server with their real names. If an inactive theme has a known vulnerability, attackers can target its files directly. This option renames both active and inactive theme directories.
After changing the themes path, the original /wp-content/themes/ URL might still respond to direct requests. This option blocks it. Any request to the old path returns a 404.
Bots hitting the old themes path now get a dead end:
Every WordPress theme has a style.css file that theme detectors specifically look for. This file contains the theme name, version, author, and URI in its header. WP Ghost lets you rename this file to break that detection method.
.css extension.Important: Always keep the .css extension so the file is included in cached and minified file loading. Changing it to something like .txt would break your theme’s styling.
By default, Hide Theme Names assigns random codes to each theme directory. If you want to control what those names are (useful for developers who need to identify themes in the source code), the Advanced Options let you assign custom names to individual themes.
This section is optional. Most users should skip it and let WP Ghost generate random names automatically.
Note: Use unique names that don’t match any of your custom path names. To remove a custom name and revert to a random code, click the X next to the theme name.
After saving all your theme security settings, run a scan to confirm everything works.
Quick manual check: view your page source and search for your theme name (e.g., “astra”, “generatepress”, “flavor”). If it doesn’t appear anywhere, theme security is working. For everything the scanner checks, see the Security Check tutorial.
Save your settings and the protections activate immediately:
Theme detectors return nothing. BuiltWith, Wappalyzer, WhatWPThemeIsThat, and similar tools rely on the /themes/ keyword and theme directory names to identify your theme. With a custom path, hidden names, and a renamed style.css, every detection method they use fails simultaneously. For complete invisibility, also hide from theme detectors and hide from Wappalyzer.
Your site looks and functions identically. Nothing changes for your visitors. Your theme’s design, layout, fonts, colors, and functionality all work exactly the same. WP Ghost serves files from the original location through the new URLs. Only the paths in the page source change.
Vulnerability scanners can’t target your theme. Without knowing your theme name and version, automated tools can’t cross-reference against known CVEs. Their exploit scripts have nothing to target. The attack chain breaks at the reconnaissance step.
Child themes are protected too. If you use a child theme, WP Ghost hides both the parent and child theme names. Both directory names are replaced with random codes (or your custom names if you use Advanced Options).
Clear your cache after making changes. Cached pages may still contain old theme paths until the cache is refreshed. If you use WP Rocket, LiteSpeed Cache, or other caching plugins, clear the cache after saving. For minified CSS/JS, also enable Change Paths in Cached Files.
If your theme’s layout is broken, CSS styles are missing, or the site looks unstyled after changing paths in WP Ghost, the custom paths for CSS and JS files aren’t resolving on your server. The browser can’t load stylesheets and scripts from the new paths, so the theme renders without styling.
This is the most common cause. Cached pages still reference the old CSS and JS paths. Clear your WordPress cache plugin, CDN cache, and browser cache. Enable Change Paths in Cached Files at WP Ghost > Change Paths so cached CSS/JS files are rewritten with the new paths. Check in an incognito window after clearing.
Go to WP Ghost > Change Paths and click the Frontend Test button. If the test fails, your server’s rewrite rules aren’t mapping the custom paths to the original directories. Follow the configuration instructions shown for your server type.
Nginx: The hidemywp.conf file must be included in your Nginx server block and the service restarted. Without this, Nginx returns 404 for all custom paths. See Setup WP Ghost on Nginx Server.
Apache: Verify that AllowOverride is set to All in your server configuration. Without this, Apache ignores the .htaccess rewrite rules WP Ghost writes. See How to Set AllowOverride All.
If you’ve renamed CSS class names using WP Ghost > Mapping > Text Mapping but didn’t enable Text Mapping in CSS and JS files, the HTML uses the new class names while stylesheets still reference the old ones. This breaks styling. Either enable the CSS/JS mapping option, or remove the class name mapping that’s causing the issue.
Open your browser’s developer console (F12 > Console or Network tab) and look for red 404 errors on CSS and JS files. The URLs will show which custom paths aren’t resolving. If all custom paths return 404, it’s a server configuration issue (see above). If only specific paths fail, those paths may have typos in the WP Ghost settings.
For a comprehensive guide on server configuration for theme loading, see Theme Not Loading Correctly. If you’ve lost access to the admin dashboard, see the emergency disable guide.
If you’ve lost access or something broke, check the emergency disable guide, use the rollback settings, or add a constant in wp-config.php to disable WP Ghost temporarily.
No. Your theme’s CSS, JavaScript, images, and templates all continue loading normally. WP Ghost uses rewrite rules that serve files from the original location through the new URL. Only the path visible in the page source changes. Your visitors see the exact same design.
Yes. WP Ghost detects and hides both parent and child theme names. If you’re using a child theme of Astra, both the Astra directory and your child theme directory get renamed. The Advanced Options panel shows all detected themes including child themes, so you can assign custom names to each.
Yes. WooCommerce templates that load from your theme directory use the new path automatically. Storefront and any WooCommerce-compatible theme works normally. WP Ghost is fully compatible with WooCommerce.
Because inactive themes can still be exploited. Their PHP files are accessible on the server even though the theme isn’t active. If an inactive theme has a known vulnerability, attackers can target its files directly through the /wp-content/themes/ path. Hiding all themes removes this risk. Even better: delete any themes you don’t use.
Because style.css is the primary detection target for theme identification tools. Its header contains the theme name, version, author URL, and description in a standardized format. Renaming it to something like main.css breaks every theme detector that looks for this specific file.
Absolutely. Themes and plugins are both inside /wp-content/. If you’ve changed the themes path but left the plugins path at default, scanners can still identify your site as WordPress through plugin paths. For complete path security, also change the plugins path and change the wp-content path.
No. WP Ghost never touches, moves, or renames any file or folder on your server. Theme files stay in /wp-content/themes/ exactly where WordPress expects them. WP Ghost creates virtual paths through URL rewrite rules. Deactivating the plugin restores all original paths instantly.
Continue building complete WordPress invisibility:
Replace the default wp_ database prefix with a random one to protect against SQL injection…
Change the WordPress uploads directory path with WP Ghost (rewrite rules, no files moved) or…
Configure WP Ghost with WP Rocket cache. Enable file optimization, Change Paths in Cache Files.…
https://youtu.be/6ylhojSi-_E In this video, we’ll explore why website security matters and what can happen if…
The security of your WordPress site depends on multiple factors, such as the strength of…
Step-by-step guides to connect WP Ghost 2FA with Google Authenticator, Authy, Microsoft Authenticator, or LastPass.…