Safe Mode changes the most commonly targeted WordPress paths with zero risk of plugin or theme incompatibility. Ghost Mode changes everything Safe Mode does, plus wp-admin, admin-ajax.php, and activates additional security features for maximum protection. Both modes work by creating virtual paths through rewrite rules – no files are physically moved or renamed. Safe Mode is the recommended starting point for all sites. Ghost Mode is for users who want the highest level of path security and are comfortable testing compatibility. Both modes are free.
Is your website secure? Run a free Website Security Check for your website now.
WP Ghost has three security levels: Default (no protection, all original paths accessible), Safe Mode (changes core paths while keeping wp-admin and admin-ajax.php unchanged for maximum compatibility), and Ghost Mode (changes all paths including wp-admin and admin-ajax.php, plus activates additional security features). Each mode sets predefined custom paths that you can further customize after activation. The modes build on each other – Ghost Mode includes everything Safe Mode does, plus more.
No physical file changes. Neither mode moves, renames, or modifies any files on your server. All path changes are handled through rewrite rules and redirects. Deactivating WP Ghost instantly restores all original paths.
Safe Mode is the recommended starting point. It changes the paths that bots and scanners target most, while leaving wp-admin and admin-ajax.php at their defaults to ensure compatibility with all plugins and themes.
Paths changed in Safe Mode: wp-login.php, wp-content, wp-includes, wp-content/uploads, wp-content/plugins, wp-content/themes, author, and wp-comments-post.php. Each gets a new custom path name.
Paths NOT changed in Safe Mode: wp-admin and admin-ajax.php remain at their default locations. However, wp-admin is hidden from non-logged-in visitors (returns 404), and only AJAX calls remain accessible through the default admin-ajax path.
After selecting Safe Mode, you can customize any of the generated path names and save. For additional protection, go to WP Ghost > Tweaks > Hide Options and enable version hiding, generator META removal, DNS prefetch removal, and HTML comment stripping. See Hide from Theme Detectors for the complete path security checklist.
Ghost Mode provides maximum path protection. It changes everything Safe Mode does, plus wp-admin and admin-ajax.php, and activates additional security features for deeper WordPress identity hiding.
Paths changed in Ghost Mode: Everything in Safe Mode plus wp-admin and admin-ajax.php. This means every standard WordPress path is replaced with a custom name.
Additional features activated: Ghost Mode enables firewall rules, security headers, and extended path protection that Safe Mode doesn’t activate by default.
Important: Some themes and plugins may not be compatible with Ghost Mode because they hardcode the wp-admin or admin-ajax.php paths. Always test your site after activating Ghost Mode. If anything breaks, switch back to Safe Mode using the Safe URL parameter or the emergency disable guide.
API Security: Both Safe Mode and Ghost Mode leave the default wp-json as the REST API path, since many plugins rely on this default to access the REST API index. You can customize the REST API path separately in REST API settings.
After selecting Ghost Mode, customize the paths and save. Use WP Ghost > Mapping > Text Mapping to replace WordPress class names in the source code, and URL Mapping to replace any remaining URLs that still reveal your WordPress structure.
What each mode changes and protects:
| Feature | Safe Mode | Ghost Mode |
|---|---|---|
| wp-login.php path | Changed | Changed |
| wp-content path | Changed | Changed |
| wp-includes path | Changed | Changed |
| Uploads path | Changed | Changed |
| Plugins path | Changed | Changed |
| Themes path | Changed | Changed |
| Author path | Changed | Changed |
| Comments path | Changed | Changed |
| wp-admin path | Hidden (404) but not renamed | Changed to custom path |
| admin-ajax.php | Default (unchanged) | Changed to custom path |
| REST API (wp-json) | Default (customizable separately) | Default (customizable separately) |
| Firewall auto-activation | No | Yes |
| Security headers | No | Yes |
| Plugin compatibility risk | None | Low (test after activating) |
Start with Safe Mode if you’re setting up WP Ghost for the first time, if you use many plugins, if you run WooCommerce, or if you’re not comfortable troubleshooting compatibility issues. Safe Mode covers the critical paths with zero risk.
Switch to Ghost Mode if you want maximum path security, if you’ve confirmed Safe Mode works on your site and want to go further, or if you need to pass theme detector tools. Ghost Mode’s additional wp-admin and admin-ajax changes give you the most complete WordPress identity hiding.
The recommended path: Start with Safe Mode, verify your site works, then switch to Ghost Mode and test again. If Ghost Mode causes any issues, switch back to Safe Mode. You don’t lose any configuration when switching between modes – only the security level and which paths are changed.
For a one-click setup instead of manual configuration, see Preset Security Options which includes tested presets for both Safe Mode and Ghost Mode.
Yes. You can switch at any time from WP Ghost > Change Paths > Level of Security. Switching modes changes which paths are affected and which features are auto-activated. Your custom path names are preserved.
Yes. Both Safe Mode and Ghost Mode are available in the free version of WP Ghost. Premium adds features like Events Log, Threats Log, geo blocking, and extended file extension hiding, but the core security levels are free.
Yes. Safe Mode is fully compatible with WooCommerce with no configuration needed. Ghost Mode also works with WooCommerce, but since it changes wp-admin and admin-ajax.php, test your cart, checkout, and AJAX-powered features after activating. WP Ghost is designed for WooCommerce compatibility.
Yes. WP Ghost works alongside Wordfence, Sucuri, Solid Security, and other security plugins. They handle different protection layers. WP Ghost focuses on reducing attack surface through path security, while other plugins handle malware scanning, login monitoring, and additional firewall rules.
No. Neither Safe Mode nor Ghost Mode modifies any WordPress core files. All path changes are handled through server rewrite rules (.htaccess on Apache, config blocks on Nginx). Deactivating WP Ghost removes all rules and restores default WordPress behavior instantly.
Configure and customize your security level:
Replace the default wp_ database prefix with a random one to protect against SQL injection…
Change the WordPress uploads directory path with WP Ghost (rewrite rules, no files moved) or…
Configure WP Ghost with WP Rocket cache. Enable file optimization, Change Paths in Cache Files.…
https://youtu.be/6ylhojSi-_E In this video, we’ll explore why website security matters and what can happen if…
The security of your WordPress site depends on multiple factors, such as the strength of…
Step-by-step guides to connect WP Ghost 2FA with Google Authenticator, Authy, Microsoft Authenticator, or LastPass.…