Hide your WordPress themes, plugins, and uploads by changing and hiding the wp-content path with WP Ghost. The /wp-content/ directory is the single most revealing folder on any WordPress site. It contains your themes, plugins, uploads, and custom code, and every path inside it tells scanners exactly what you’re running. Change it once, and vulnerability scanners lose their map.
The wp-content directory is the central storage folder for everything that makes your WordPress site unique. Every theme, plugin, uploaded image, video, document, and piece of custom code lives inside this directory.
By default, it sits at: https://yourdomain.com/wp-content/
Inside, WordPress organizes everything into well-known subdirectories. The wp-content/themes folder holds your installed themes, with each theme in its own subfolder. The wp-content/plugins folder contains every plugin, also in individual subfolders. And wp-content/uploads stores all your media files, organized by year and month. Depending on your setup, you might also find cache folders, backup directories, and other custom directories created by specific plugins.
Here’s the problem with all of this: the structure is identical on every WordPress site on the planet. Over 43% of all websites run WordPress (W3Techs), and they all use the same /wp-content/ path. That means anyone, human or bot, can look at your page source, see /wp-content/plugins/elementor/, and immediately know you’re running WordPress with Elementor installed. And from there, they can check if your version has any known vulnerabilities.
The wp-content directory isn’t just a WordPress fingerprint. It’s a complete roadmap of your site’s technology stack. And in security, the less an attacker knows about your setup, the harder it is to exploit. Here’s why this matters as part of your hack prevention strategy:
It reveals every plugin and theme you use. Vulnerability scanners like WPScan work by probing the /wp-content/plugins/ directory to identify installed plugins and their versions. With 64,782 tracked WordPress vulnerabilities as of 2025 (WPScan database), and 7,966 new ones discovered in 2024 alone (a 34% increase over 2023), knowing which plugins you run is step one of any targeted attack. Change the wp-content path, and these scanners come up empty.
Theme detectors rely on wp-content paths. Tools like BuiltWith, Wappalyzer, and WhatWPThemeIsThat scan your page source for /wp-content/themes/theme-name/ patterns. That’s how they identify your theme, your plugins, and your entire WordPress stack. Changing the wp-content path breaks these detection tools completely. For even deeper protection, see our guide on hiding from WordPress theme detectors.
Readme.txt files expose plugin versions. Every WordPress plugin ships with a readme.txt file at /wp-content/plugins/plugin-name/readme.txt. This file contains the exact version number, changelog, and sometimes the minimum WordPress version required. Bots read these files to check if you’re running a vulnerable version. Hiding the wp-content path (and hiding TXT file extensions) makes these files inaccessible.
Directory browsing can expose your entire file structure. If directory listing isn’t disabled on your server, anyone can visit /wp-content/plugins/ in a browser and see a complete list of every plugin installed. Even with directory listing off, knowing the path lets scanners test individual plugin names by URL. Changing the path removes the known entry point.
It’s the starting point for targeted file uploads and code injection. Many WordPress exploits target files inside the wp-content directory, including vulnerable PHP files in plugin folders, writable upload directories, and theme files with code injection flaws. If attackers can’t find the directory, they can’t target the files inside it.
WP Ghost gives you two layers of protection: changing the /wp-content/ path to a custom name, and hiding the original path entirely (with the option to block specific file extensions). Together with changing the plugins path and changing the themes path, you can completely disguise your WordPress file structure.
Before you can change any paths, one of WP Ghost’s security levels must be active.
Need help choosing? Check the Safe Mode vs Ghost Mode comparison.
This replaces every visible instance of /wp-content/ in your page source with a custom name. CSS files, JavaScript files, image URLs, font paths – everything that currently shows /wp-content/ will use the new path instead.
Important: Avoid names that obviously relate to content, like “content”, “assets”, “files”, or “resources”. Choose something random that doesn’t suggest what’s inside.
Good to know: WP Ghost doesn’t physically move or rename any files on your server. The actual wp-content folder stays exactly where it is. WP Ghost uses URL rewrite rules to create the virtual path. Deactivating WP Ghost restores all defaults instantly.
Changing the path gives you a new URL, but the original /wp-content/ might still be accessible if someone types it directly. The Hide WordPress Common Paths option blocks this. Anyone (or any bot) that tries to access the old /wp-content/ path gets a 404 error.
Even better, you can choose which file extensions to hide. This is where it gets powerful.
Once active, trying to access the old wp-content path returns a dead end.
Hiding TXT files is especially effective. With this enabled, bots trying to access /wp-content/plugins/plugin-name/readme.txt get a 404 instead of a file that reveals the exact plugin version. Theme detectors lose their primary detection method.
For more details on hiding common files, see the Hide WordPress Common Paths and Files tutorial.
After saving, run a scan to confirm everything is working.
You can also verify manually: open a private browser window, view your page source, and search for “wp-content”. If the path change is working, you shouldn’t find any instances. For everything the scanner checks, see the Security Check tutorial.
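The manual check above can be scripted. This is an added example, not WP Ghost code: it finds default-path references in page source or an AJAX response body, including JSON-escaped and URL-encoded forms that a plain text search misses, and lists old URLs on your own site that still answer with something other than 404. The host `example.test`, the custom path `core`, the plugin and theme slugs, and all function names are assumptions made for the illustration.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import unquote

# Default content path, plain or JSON-escaped (\/), followed by its sub-path.
LEAK_RE = re.compile(r"\\?/wp-content(?![\w-])((?:\\?/[\w.~-]+)*)")

def find_leaks(source):
    """Group default-path references in HTML or an AJAX body by what they reveal."""
    hits = {"plugins": set(), "themes": set(), "other": set()}
    for m in LEAK_RE.finditer(unquote(source)):  # unquote catches %2Fwp-content%2F
        parts = [p for p in m.group(1).replace("\\/", "/").split("/") if p]
        if len(parts) >= 2 and parts[0] in ("plugins", "themes"):
            hits[parts[0]].add(parts[1])  # the slug a detector would read
        else:
            hits["other"].add("/wp-content/" + "/".join(parts[:1]))
    return hits

def http_status(url, timeout=10):
    """Status code of a GET request; HTTP error responses are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def still_exposed(base_url, plugin_slugs, status=http_status):
    """Old URLs on your own site that do not answer 404 after hiding the path."""
    base = base_url.rstrip("/")
    urls = [f"{base}/wp-content/"]
    urls += [f"{base}/wp-content/plugins/{s}/readme.txt" for s in sorted(plugin_slugs)]
    return [u for u in urls if status(u) != 404]

# Constructed sample: one rewritten URL, then three leaks (plain, JSON-escaped, URL-encoded).
SAMPLE = r'''
<link rel="stylesheet" href="https://example.test/core/themes/astra/style.css">
<img src="https://example.test/wp-content/uploads/2024/05/logo.png">
<script>var cfg = {"js":"https:\/\/example.test\/wp-content\/plugins\/elementor\/a.js"};</script>
<a href="/share?u=%2Fwp-content%2Fthemes%2Fastra%2Fscreenshot.png">share</a>
'''

if __name__ == "__main__":
    for kind, found in find_leaks(SAMPLE).items():
        print(kind, sorted(found))
    # Constructed responder standing in for the site: readme.txt is still served.
    fake = lambda url: 200 if url.endswith("readme.txt") else 404
    print(still_exposed("https://example.test", {"elementor"}, status=fake))
```

Pass `find_leaks` the saved source of several page types (home, a post, a cart or form page) as well as captured AJAX responses, since inline JavaScript and JSON are where escaped paths tend to survive.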
Save your settings and the changes take effect immediately. Here’s what to expect:
Every URL that referenced /wp-content/ now uses your custom path. Check your page source. Images, CSS, JS, fonts – all the asset URLs update to the new path. Where you used to see /wp-content/themes/your-theme/style.css, you’ll now see /your-custom-name/themes/your-theme/style.css (or fully custom paths if you’ve also changed the themes path).
Vulnerability scanners lose their entry point. Tools like WPScan that enumerate plugins by probing /wp-content/plugins/ can’t find the directory. No directory means no plugin detection, which means no targeted exploit attempts based on your installed plugins.
Theme detectors come up empty. BuiltWith, Wappalyzer, WhatWPThemeIsThat, and similar tools rely on the /wp-content/themes/ path to identify your theme. With a custom path, these tools either fail to detect WordPress entirely or can’t identify your theme. For maximum invisibility, also hide from theme detectors and hide from Wappalyzer.
Images, media, and all uploaded files continue working. Your images still load, your videos still play, and your downloadable files still work. Only the visible URL path changes. The actual files remain in the same physical location on your server.
AJAX calls may need additional configuration. If you’ve changed the wp-content path, make sure you’ve also enabled Change Paths in Ajax Calls so that AJAX responses don’t leak the original wp-content paths.
If plugins break, display errors, or lose functionality after changing the wp-content path in WP Ghost, the plugins are loading assets from /wp-content/ and the server isn’t correctly rewriting the custom path back to the original directory.
Cached pages still reference the old /wp-content/ path in script, stylesheet, and image URLs. Clear your WordPress cache plugin, CDN cache, and browser cache. Enable Change Paths in Cached Files at WP Ghost > Change Paths so cached CSS and JS files are rewritten with the new paths. Check in an incognito window.
Go to WP Ghost > Change Paths and click the Frontend Test button. If the test fails for the wp-content path, your server’s rewrite rules aren’t correctly mapping the custom path. Follow the configuration instructions shown for your server type (Apache, Nginx, LiteSpeed, etc.).
Go to WP Ghost > Change Paths and review the custom wp-content path for typos, spaces, or special characters. The path should be a simple alphanumeric name.
To confirm the custom path is causing the issue, go to WP Ghost > Change Paths and set the wp-content path back to wp-content. Save and test. If plugins work again with the default path, the issue is server rewrite rules not handling the custom path.
If the Frontend Test passes but a specific plugin still breaks, that plugin may hardcode references to /wp-content/ instead of using WordPress constants like WP_CONTENT_URL. Deactivate plugins one at a time and test after each. Common conflicts include plugins that enqueue assets with hardcoded paths, plugins that write to wp-content subdirectories directly (like backup or cache plugins), and plugins that reference /wp-content/plugins/plugin-name/ in inline JavaScript. For the conflicting plugin, try adding its specific paths to WP Ghost > Change Paths > Whitelist Paths.
If you’ve lost access to the admin dashboard, see the emergency disable guide.
If images or media files are broken, missing, or not loading after changing the wp-content path in WP Ghost, the image URLs in your HTML, CSS, or cached files still reference the old /wp-content/ path. Work through these checks.
Cached pages and CSS files contain the old /wp-content/uploads/ image URLs. Clear your WordPress cache plugin, CDN cache, and browser cache. Also enable Change Paths in Cached Files at WP Ghost > Change Paths so cached CSS and JS files are rewritten with the new paths. Check the frontend in an incognito window after clearing.
Go to WP Ghost > Change Paths and click the Frontend Test button. If the test fails for the wp-content path, your server’s rewrite rules aren’t mapping the custom path to the original directory. Follow the configuration instructions shown for your server type.
If images break specifically after enabling the relative-to-absolute URL option, this conversion may be conflicting with your theme’s image handling. Go to WP Ghost > Tweaks > Change Options and switch off Change Relative URLs to Absolute URLs.
If you’ve selected MEDIA Files in the Hide File Extensions list, old image URLs are being redirected or blocked. This can break images referenced by external sites, RSS feeds, or email newsletters that still use the old path. Go to WP Ghost > Change Paths > WP Core Security > Hide WordPress Common Paths > Hide File Extensions and deselect MEDIA Files.
Right-click on a broken image and select “Open image in new tab” or “Inspect” to see the actual URL the browser is requesting. If the URL still shows /wp-content/uploads/ instead of your custom path, the HTML output isn’t being rewritten. Check that your security mode (Safe Mode or Ghost Mode) is active and that “Change Paths in Cached Files” is enabled.
Image optimization plugins, lazy-loading plugins, and CDN plugins can hardcode /wp-content/uploads/ paths in their output. Deactivate these plugins one at a time and test. For a conflicting plugin, try adding its image paths to WP Ghost > Change Paths > Whitelist Paths.
If you’ve lost access to the admin dashboard, see the emergency disable guide.
If your theme’s layout is broken, CSS styles are missing, or the site looks unstyled after changing paths in WP Ghost, the custom paths for CSS and JS files aren’t resolving on your server. The browser can’t load stylesheets and scripts from the new paths, so the theme renders without styling.
This is the most common cause. Cached pages still reference the old CSS and JS paths. Clear your WordPress cache plugin, CDN cache, and browser cache. Enable Change Paths in Cached Files at WP Ghost > Change Paths so cached CSS/JS files are rewritten with the new paths. Check in an incognito window after clearing.
Go to WP Ghost > Change Paths and click the Frontend Test button. If the test fails, your server’s rewrite rules aren’t mapping the custom paths to the original directories. Follow the configuration instructions shown for your server type.
Nginx: The hidemywp.conf file must be included in your Nginx server block and the service restarted. Without this, Nginx returns 404 for all custom paths. See Setup WP Ghost on Nginx Server.
Apache: Verify that AllowOverride is set to All in your server configuration. Without this, Apache ignores the .htaccess rewrite rules WP Ghost writes. See How to Set AllowOverride All.
If you’ve renamed CSS class names using WP Ghost > Mapping > Text Mapping but didn’t enable Text Mapping in CSS and JS files, the HTML uses the new class names while stylesheets still reference the old ones. This breaks styling. Either enable the CSS/JS mapping option, or remove the class name mapping that’s causing the issue.
Open your browser’s developer console (F12 > Console or Network tab) and look for red 404 errors on CSS and JS files. The URLs will show which custom paths aren’t resolving. If all custom paths return 404, it’s a server configuration issue (see above). If only specific paths fail, those paths may have typos in the WP Ghost settings.
For a comprehensive guide on server configuration for theme loading, see Theme Not Loading Correctly. If you’ve lost access to the admin dashboard, see the emergency disable guide.
If something breaks after activating WP Ghost, the issue is likely a conflict with another plugin or your theme. Follow this process to isolate the conflict.
Deactivate all plugins except WP Ghost. If the issue disappears, reactivate plugins one at a time, testing after each one. The plugin that brings back the issue is the conflict. Common conflicts involve cache plugins that haven’t cleared their cache after path changes, security plugins with overlapping firewall rules, and page builders that hardcode WordPress paths in their output.
If deactivating plugins doesn’t help, switch to a default WordPress theme (Twenty Twenty-Four or similar) to check if your theme is the conflict source. Do this on a staging site to avoid losing theme customizations. If the issue disappears with the default theme, the conflict is in your theme’s code (usually hardcoded paths or non-standard asset loading).
If you’ve identified the conflicting plugin or theme but need both to work, try whitelisting the paths it uses. Go to WP Ghost > Change Paths > Whitelist Paths and add the URL paths the conflicting plugin relies on. This tells WP Ghost to skip path changes on those specific URLs.
WP Ghost is tested with over 1,000 plugins and themes. Check the compatibility list for known issues and specific configuration instructions for your plugin or theme. If the conflict isn’t listed, contact WP Ghost support with the conflicting plugin name and a description of the issue.
If you’ve lost access to the admin dashboard due to a conflict, see the emergency disable guide.
If you’ve lost access or something broke, check the emergency disable guide, use the rollback settings, or add a constant in wp-config.php to disable WP Ghost temporarily.
No. Your images continue loading normally. WP Ghost uses rewrite rules that transparently serve files from the original location through the new URL. The physical files don’t move. If you’re using a CDN, make sure it’s configured to serve from the new path. See the CDN URL Mapping tutorial for details.
Yes. WP Ghost is compatible with all major caching plugins including WP Rocket, LiteSpeed Cache, Autoptimize, and others. After changing the wp-content path, clear your cache so the new paths are reflected in cached files. If you use a caching plugin that minifies CSS and JS, see Change Paths in Cached Files for additional configuration.
For maximum protection, yes. Changing the wp-content path changes the parent directory, but the /plugins/ and /themes/ subdirectory names are still visible within the new path. WP Ghost lets you change the plugins path and change the themes path independently for complete hiding. You can even rename individual plugin directories.
Yes. WooCommerce’s product images, CSS, and JavaScript files are served from wp-content/plugins/woocommerce/. When you change the wp-content path, all WooCommerce assets automatically use the new path. Cart, checkout, and product pages continue working normally. WP Ghost is fully compatible with WooCommerce.
At minimum, hide PHP and TXT files. PHP files are what attackers target for code injection and remote execution. TXT files include readme.txt, which reveals plugin versions and makes it easy for scanners to check for known vulnerabilities. Hiding JS files adds another layer by preventing direct access to JavaScript files that can reveal your plugin structure. The more extensions you hide, the less information you expose.
No. The wp-content path change affects asset URLs (CSS, JS, images), not your public page URLs. Search engines don’t index or rank based on your asset folder structure. Your posts, pages, sitemaps, and canonical URLs remain exactly the same. Image URLs in your content will use the new path, but since the images still load correctly, there’s no SEO impact.
No. WP Ghost never moves, renames, or modifies any file or folder on your server. The wp-content directory stays exactly where WordPress expects it. WP Ghost creates virtual paths through URL rewrite rules. Deactivating the plugin restores all original paths instantly.