WP Ghost (short for Hide My WP Ghost) is a comprehensive hack-prevention solution for WordPress websites, adding multiple layers of security to block hacker bots and prevent unauthorized access.
It works by changing and hiding common vulnerabilities, making it difficult for bots and hackers to exploit weak points in plugins, themes, and the WordPress core itself.
One reason to change the common WordPress paths is to hide and secure them and to prevent script injections into vulnerable plugins and themes.
Note! The plugin does not physically change the paths, which means all the previous settings will return to normal if you decide to deactivate WP Ghost.
After testing the compatibility with other themes and plugins, we established two levels of security in WP Ghost: Safe Mode and Ghost Mode.
Each mode customizes the plugin’s settings. The modes don’t cancel each other out; each activates different security features and applies different, or additional, customizations to the common WordPress paths.
Next, we’ll provide more details about the configurations set in each mode and give you a few recommendations to help you choose the best Mode for your site.
Set WP Ghost in Safe Mode

With Safe Mode, there is no risk of incompatibilities with other plugins or themes. We encourage you to use Safe Mode to ensure that the plugin works on your website regardless of the themes and plugins you are using and that website security is not affected.
By activating Safe Mode, WP Ghost will change the following paths (for each path listed below, it will set a new, predefined path):
- Login Path: /wp-login.php
- Core Contents Path: /wp-content
- Core Includes Path: /wp-includes
- Uploads Path: /wp-content/uploads
- Author Path: /author
- Plugins Path: /wp-content/plugins
- Themes Path: /wp-content/themes
- Comments Path: /wp-comments-post.php
All the common paths in WordPress you see listed above will be changed.
However, the wp-admin and admin-ajax.php paths will remain unchanged.
By default, when setting the plugin in Safe Mode:
- wp-admin path will be hidden from visitors
- a 404 Not Found Error will show when visitors access the default wp-admin path
- only the ajax calls will be available.
After you select Safe Mode, you can also customize the paths as desired and save the settings.
For more protection, you can also go to WP Ghost > Tweaks and switch on options like Hide Version from Images, CSS, and JS in WordPress, Hide WordPress DNS Prefetch META Tags, Hide WordPress Generator META Tags, and Hide HTML Comments.

Set WP Ghost in Ghost Mode

If you want to hide your WordPress from hackers’ bots and theme detectors, you can set the plugin in Ghost Mode.
Note! Your theme or plugin may NOT be compatible with Ghost Mode, so please check your website functionality and go back to Safe Mode in case of errors.
By activating Ghost Mode, WP Ghost will change the following paths (for each path listed below, it will set a new, predefined path):
- Admin Path: /wp-admin
- Login Path: /wp-login.php
- Ajax URL: /wp-admin/admin-ajax.php
- Core Contents Path: /wp-content
- Core Includes Path: /wp-includes
- Uploads Path: /wp-content/uploads
- Author Path: /author
- Plugins Path: /wp-content/plugins
- Themes Path: /wp-content/themes
- Comments Path: /wp-comments-post.php
As you can see, unlike Safe Mode, Ghost Mode will also change the wp-admin path and the Ajax URL, ensuring broader protection of your WordPress site. Ghost Mode will also activate more security features to secure the WordPress common paths, firewall, header security, etc.
API Security: For both Safe Mode and Ghost Mode, WP Ghost will leave the default wp-json as the custom wp-json Path (many plugins still use this default path to access the REST API’s index).
Once you select Ghost Mode, you can customize the paths and save the settings.
You can also go to WP Ghost > Tweaks > Hide Options and switch on the options for more protection. If you want to hide the Admin Toolbar, you can activate that option as well.
You can use the WP Ghost > Mapping > Text Mapping feature to hide some class names from the source code. However, it’s important to know that some plugins may use those classes, in which case using this feature may affect website functionality.

If you find some URLs you want to change in the frontend, use WP Ghost > Mapping > URL Mapping to replace them with your custom ones.
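To check what either mode still leaves visible in a page's source, the Python function below scans rendered HTML for the default paths listed above, skipping wp-admin and admin-ajax.php in Safe Mode and wp-json in both modes. It is an added example, not part of WP Ghost or its documentation; the sample HTML and its custom paths (/assets/skin, /storage, /writer) are constructed for illustration.

```python
import re

# Default paths the page lists as changed in Safe Mode.
SAFE_MODE_PATHS = [
    "/wp-login.php", "/wp-content", "/wp-includes", "/wp-content/uploads",
    "/author", "/wp-content/plugins", "/wp-content/themes",
    "/wp-comments-post.php",
]
# Ghost Mode also changes the admin path and the Ajax URL.
GHOST_MODE_PATHS = SAFE_MODE_PATHS + ["/wp-admin", "/wp-admin/admin-ajax.php"]
# /wp-json is in neither list: both modes leave it at the default.

# URL-carrying attributes in the rendered HTML.
URL_ATTR = re.compile(r'(?:href|src|action)\s*=\s*["\']([^"\']+)["\']', re.I)

def leaked_default_paths(html, mode):
    """Return the default paths (sorted) still referenced by URLs in html."""
    paths = GHOST_MODE_PATHS if mode == "ghost" else SAFE_MODE_PATHS
    # Test longer paths first so /wp-content/plugins wins over /wp-content.
    ordered = sorted(paths, key=len, reverse=True)
    found = set()
    for url in URL_ATTR.findall(html):
        path = re.sub(r'^(?:https?:)?//[^/]+', '', url)  # drop scheme and host
        for p in ordered:
            # Match whole path segments only (/author, not /authors-list).
            if re.search(re.escape(p) + r'(?=[/?#]|$)', path):
                found.add(p)
                break
    return sorted(found)

# Constructed sample: one plugin still emits its default URL.
SAMPLE_HTML = """
<link rel="stylesheet" href="https://example.test/assets/skin/main.css">
<script src="https://example.test/wp-content/plugins/forms/form.js?ver=1.2"></script>
<img src="/storage/2024/logo.png">
<a href="https://example.test/wp-json/">API</a>
<form action="https://example.test/wp-admin/admin-ajax.php" method="post"></form>
<a href="/writer/jane/">Jane</a>
"""

if __name__ == "__main__":
    for mode in ("safe", "ghost"):
        print(mode, leaked_default_paths(SAMPLE_HTML, mode))
```

Any path the function reports is a candidate for WP Ghost > Mapping > URL Mapping or for a compatibility check of the plugin that emits it.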

Conclusion
The difference between Safe Mode and Ghost Mode involves the predefined settings each mode enables.
If you are not familiar with hack-prevention security and how to change and secure the paths to protect your website, we recommend choosing Safe Mode.
If you are confident that you can deactivate the plugin in case of an error and test the website functionality, then switch to Ghost Mode to hide as many traces of the WordPress CMS as possible.