Yes. WP Ghost and Solid Security (formerly iThemes Security) are fully compatible and complement each other well. WP Ghost handles path security, server-level firewall, brute force protection, and 2FA with passkeys. Solid Security handles WordPress hardening, password policies, and file change detection. They approach security from different angles: WP Ghost blocks bots before they find WordPress, Solid Security hardens WordPress once they do. Running both gives you defense in depth with no major conflicts, as long as you disable overlapping features in one plugin.
How They Work Together
Solid Security (renamed from iThemes Security in November 2023 when the plugin joined the SolidWP brand) is a well-established WordPress security plugin focused on site hardening, login protection, malware scanning in the Pro tier, and a guided onboarding experience. WP Ghost works at a different level: it uses server-level rewrite rules to make WordPress paths invisible to bots before any PHP code runs.
When a hacker bot scans for /wp-login.php, WP Ghost returns 404. The bot never reaches Solid Security’s login protection because there is no login page to reach. When a more sophisticated attacker bypasses path security and finds your actual login URL, Solid Security’s site hardening, password policies, and file monitoring take over. Each plugin handles what the other does not.
Feature Comparison
| Feature | Solid Security | WP Ghost |
|---|---|---|
| Path Security (wp-admin, login, plugins, themes, uploads, REST API) | Login URL only | Full coverage |
| 7G and 8G Firewall (server-level) | No | Yes |
| Security Headers (HSTS, CSP, X-Frame-Options) | Partial | Yes |
| Country Blocking / Geo Security | No | Yes (free) |
| Two-Factor Authentication (Code, Email, Passkeys) | Authenticator codes (Pro) | All methods (free) |
| Magic Link Login and Temporary Logins | No | Yes |
| Brute Force Protection (login, register, lost password, comments) | Login only | All forms |
| reCAPTCHA (Math, V2, V3) | Yes | Yes |
| IP Blacklist / Whitelist | Yes | Yes |
| Text, URL, and CDN Mapping | No | Yes |
| WordPress Hardening (DB prefix, file editor, file permissions) | Yes | Partial |
| Password Policies and Expiration | Yes | No |
| File Change Detection | Yes | No |
| Malware Scanner | Pro | No |
| Version Management and Auto-Updates | Pro | No |
| Activity Log and Email Alerts | Yes | Yes |
How to Configure Both Plugins Together
The two plugins overlap on five features: custom login URL, brute force protection, IP blocking, reCAPTCHA, and WordPress hardening. Enable each feature in the plugin that handles it best, and disable it in the other.
Enable in WP Ghost
- All path security features (login, admin, wp-content, plugins, themes, uploads, REST API).
- 7G and 8G Firewall.
- Security headers (HSTS, CSP, X-Frame-Options).
- Country blocking in the free version.
- 2FA with passkeys (WP Ghost has more methods than Solid Security, and it is free).
- Magic Link Login and Temporary Logins.
- Brute force protection on register, lost password, and comment forms (Solid Security handles login only, WP Ghost covers the rest).
- Hide WordPress common paths and files (readme.html, license.txt, etc.).
- File permission fixes.

Enable in Solid Security
- Database prefix changes.
- Password policies and password expiration per role.
- File change detection.
- Malware scanning (Pro feature, where available).
- Version management and auto-updates (Pro).
- Force SSL if you need it.
- User activity and audit logging.

Disable in Solid Security
- Hide Backend / Custom Login URL feature (let WP Ghost handle it; its rewrite rules are more efficient and cover more paths).
- Solid Security’s 2FA (WP Ghost offers passkeys, which Solid Security does not, and WP Ghost’s 2FA is free).
- Login attempt limits, if you enable WP Ghost’s brute force protection on login.
- File permission fix, if you enable the equivalent in WP Ghost.

The full configuration walkthrough is in the WP Ghost and Solid Security compatibility guide.
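
A post-configuration check, added here as an example and not code from WP Ghost or Solid Security: it audits a web server access log and reports any default WordPress path that still answers with something other than 404. The log lines are constructed, the Combined Log Format is assumed, `/my-login` is a hypothetical custom login path, and treating hidden files (readme.html, license.txt) as 404 like /wp-login.php is an assumption.

```python
import re
from collections import defaultdict

# Default paths this page names as hidden once path security is configured.
DEFAULT_PATHS = ("/wp-login.php", "/readme.html", "/license.txt")

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "bot"
203.0.113.7 - - [12/Mar/2025:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "bot"
198.51.100.23 - - [12/Mar/2025:10:02:10 +0000] "GET /readme.html HTTP/1.1" 200 7409 "-" "bot"
198.51.100.23 - - [12/Mar/2025:10:02:11 +0000] "GET /license.txt?x=1 HTTP/1.1" 404 512 "-" "bot"
192.0.2.10 - - [12/Mar/2025:10:03:00 +0000] "GET /my-login HTTP/1.1" 200 2301 "-" "browser"
this line is truncated and must be skipped
"""


def audit(log_text, paths=DEFAULT_PATHS):
    """Return ({path: {status: count}}, [paths that answered non-404])."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line
        # Drop the query string so /license.txt?x=1 counts as /license.txt.
        path = m.group("target").split("?", 1)[0].lower()
        if path in paths:
            seen[path][int(m.group("status"))] += 1
    # A default path is still exposed if any request to it was not a 404.
    exposed = sorted(p for p, st in seen.items() if any(s != 404 for s in st))
    return {p: dict(st) for p, st in seen.items()}, exposed


if __name__ == "__main__":
    counts, exposed = audit(SAMPLE_LOG)
    for path, statuses in sorted(counts.items()):
        print(path, statuses)
    print("still exposed:", exposed or "none")
```
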
The Best-Of-Both Split
Here is the clean division of responsibility:
| Area | Handled By | Why |
|---|---|---|
| Path security and bot blocking | WP Ghost | Server-level rewrite rules, broader path coverage |
| Firewall (7G/8G) | WP Ghost | Built-in, server-level, free |
| 2FA with passkeys | WP Ghost | More methods than Solid Security, free |
| Brute force on all forms | WP Ghost | Covers register, lost password, comments (Solid Security only covers login) |
| Country blocking | WP Ghost | Free in WP Ghost, not available in Solid Security free |
| Password policies | Solid Security | Strong password enforcement and expiration |
| File change detection | Solid Security | Purpose-built for this |
| Database prefix change | Solid Security | Well-tested implementation |
| Malware scanning | Solid Security (Pro) | WP Ghost does not include scanning |
Frequently Asked Questions
Can I use WP Ghost with Solid Security?
Yes. They are fully compatible and complementary. WP Ghost handles path security, server-level firewall, and 2FA. Solid Security handles WordPress hardening, password policies, and file change detection. The two plugins overlap on a few features (custom login URL, brute force, IP blocking, reCAPTCHA); disable those in one plugin to avoid conflicts.
Is this the same plugin as iThemes Security?
Yes. iThemes Security was renamed to Solid Security in November 2023 when it became part of the SolidWP brand. The plugin functionality is the same. WP Ghost has been tested and is compatible with both the old iThemes Security branding and the current Solid Security branding.
Which plugin should handle the custom login path?
WP Ghost. Its path security uses server-level rewrite rules, which are more efficient than Solid Security’s PHP-based rewrites. WP Ghost also covers more paths: while Solid Security only renames /wp-login.php, WP Ghost also covers wp-admin, lost password, register, activation, logout, AJAX, plugins, themes, and uploads. Disable the “Hide Backend” feature in Solid Security and configure your login path in WP Ghost.
Should I use Solid Security’s 2FA or WP Ghost’s 2FA?
WP Ghost. WP Ghost offers 2FA via code (Google Authenticator), email, and passkeys (Face ID, Touch ID, Windows Hello, YubiKey and other hardware keys), all in the free version. Solid Security’s 2FA only offers authenticator codes and is a Pro feature. Enable WP Ghost’s 2FA and disable Solid Security’s authentication features to avoid conflicts.
What about WordPress hardening? Both plugins do this.
Solid Security’s hardening and WP Ghost’s hardening overlap partially. Solid Security has database prefix changes, file permission fixes, and disabling the file editor. WP Ghost has file permission fixes, SALT regeneration, and disabling debug/editor features. A good split: use Solid Security for database prefix and password policies, and use WP Ghost for path security and SALT regeneration. For file permissions, pick one plugin and disable the feature in the other.
Does this work with WooCommerce?
Yes. WP Ghost is fully compatible with WooCommerce, and Solid Security works with WooCommerce too. Both plugins protect WooCommerce login forms and customer accounts. Load the Safe Mode + Firewall + Compatibility preset in WP Ghost for the smoothest setup with WooCommerce.
Does WP Ghost modify WordPress core files?
No. WP Ghost uses server-level rewrite rules (.htaccess on Apache and LiteSpeed, hidemywp.conf on Nginx) and WordPress filters. No core files are modified. Solid Security’s file change detection scanner will not flag WP Ghost as a core modification. Deactivating WP Ghost restores all defaults instantly.