Yes, WP Ghost works on shared hosting. On Apache-based shared hosts (which is most of them), installation is the same as any WordPress plugin: install, activate, done. WP Ghost writes its rewrite rules to your .htaccess file, which every Apache shared host supports. On Nginx-based shared hosts where you cannot edit the server config, WP Ghost still works through its Minimal preset, which gives you custom login paths, brute force protection, firewall, 2FA, and version hiding without touching the server.
How Shared Hosting Affects WP Ghost
Shared hosting just means you share a server with other websites. Your WordPress install still runs on either Apache, Nginx, LiteSpeed, or (rarely) IIS underneath. WP Ghost’s compatibility depends on which of those four server types you are on, not on whether the plan is “shared” or “VPS” or “managed”. The real question is whether you can edit server config files or not. Most shared Apache hosts let you write to .htaccess, and that is all WP Ghost needs.
Compatibility by Shared Hosting Type
| Shared Hosting Server | Works? | Setup Required |
|---|---|---|
| Apache shared hosting (cPanel, Plesk, hPanel) | Yes, full features | Install and activate, no config changes |
| LiteSpeed shared hosting | Yes, full features | Install and activate, no config changes |
| Nginx shared hosting with config access | Yes, full features | Add one include line to nginx.conf, restart service |
| Nginx shared hosting without config access | Yes, via Minimal preset | Load Minimal preset, no server changes needed |
| Windows IIS shared hosting | Yes | Writes to web.config automatically |
Apache Shared Hosting: The Easy Path
Most shared hosting plans run Apache. Bluehost, HostGator, InMotion, SiteGround shared plans, DreamHost shared, GoDaddy shared with cPanel, Hostinger, Namecheap, A2 Hosting, and many others fall in this bucket. On these hosts, WP Ghost installs and works right away. Your .htaccess file is writable, which is the only requirement.
One thing to double-check: Apache needs AllowOverride All set on your directory so .htaccess rules are honored. Most shared hosts already have this on by default, but if your custom paths return 404 after activation, this is the first thing to check. See the AllowOverride All guide for the fix.
Nginx Shared Hosting: Two Workflows
Nginx does not use .htaccess, so the setup depends on whether you can edit the Nginx config (nginx.conf or the site’s server block). You have two paths:
Path 1: You Can Edit the Nginx Config (or Your Host Will)
WP Ghost generates a hidemywp.conf file in your WordPress root with all the rewrite rules. Then you (or your host) add one line to your Nginx server block:
include path_to_file/hidemywp.conf;Restart Nginx, and all path-hiding features work just like on Apache. Full walkthrough in the Nginx setup guide. If you cannot edit the config yourself, contact your host’s support and send them the hidemywp.conf file, most managed hosts (Kinsta, WP Engine, Flywheel, WPMU DEV) will add the include for you on request.
Path 2: No Config Access (Minimal Preset)
If you are on shared Nginx hosting with no config access and your host will not help, WP Ghost still protects your site through the Minimal preset. Go to WP Ghost > Change Paths and select Minimal (No Config Rewrites). This gives you custom login paths, brute force protection with reCAPTCHA, the 7G and 8G Firewall, 2FA (code, email, passkeys), security headers, and WordPress version hiding, all without any server config changes.
What you lose with Minimal is the ability to hide /wp-admin, /wp-content, and other core WordPress directory paths. You still cover the most important attack vector (the login page) and stop the vast majority of automated attacks. Full walkthrough in the use WP Ghost on Nginx without config changes guide.
How to Find Out What Your Shared Host Runs
If you are not sure whether you are on Apache, Nginx, or LiteSpeed, check one of these:
WordPress Site Health. Go to Tools > Site Health > Info > Server. The “Web server” field shows your server software and version. This is the fastest check.
Your hosting dashboard. cPanel, Plesk, and hPanel all display the server software on the main panel or under server information.
Your host’s support. Open a quick chat and ask “what web server software do I run, Apache, Nginx, or LiteSpeed?” They will tell you in under a minute.
Quick reference for popular shared hosts: Bluehost, HostGator, InMotion, A2 Hosting, Namecheap, and GoDaddy cPanel all use Apache. Hostinger, SiteGround, WP Engine, and Flywheel use Nginx. Cloudways and some Hostinger plans use LiteSpeed. For a full hosting-specific setup list, see the hosting and server types reference.
Frequently Asked Questions
Does WP Ghost work on Bluehost, HostGator, or other cPanel shared hosts?
Yes. These are all Apache-based and WP Ghost works out of the box with no config changes. Install like any other plugin, activate, and configure through the dashboard. If custom paths return 404, verify that AllowOverride All is enabled on your directory.
Does WP Ghost work on Hostinger or SiteGround shared hosting?
Yes. Both run Nginx, so you have two options: ask support to add the hidemywp.conf include (many Nginx hosts do this on request) for full path hiding, or load the Minimal preset for protection without any server changes. SiteGround also has a dedicated compatibility guide in the SiteGround Security setup.
Do I need SSH or root access to use WP Ghost?
No. On Apache hosts you need nothing beyond normal WordPress admin access. On Nginx hosts with config access you need either SSH to edit nginx.conf yourself, or a support contact who can do it. On Nginx hosts without config access, the Minimal preset needs nothing outside the WordPress dashboard.
Will WP Ghost slow down my shared hosting site?
No. WP Ghost adds roughly 0.05 seconds per request and the work happens at the server rewrite level, which is negligible. On shared hosting specifically, WP Ghost can actually speed things up because its firewall blocks bot traffic before WordPress loads, freeing up the limited PHP workers shared hosts give you. See the loading speed FAQ for details.
Is the free version enough on shared hosting?
For most shared hosting sites, yes. The free version includes 115+ features, 7G and 8G Firewall, path security, 2FA with passkeys, brute force protection, security headers, and more. Premium adds advanced logs, country blocking, file permission fix, and vulnerability management for agencies and high-value sites.
What if my shared host runs Nginx as a reverse proxy in front of Apache?
This is a common setup on some hosts (Cloudways, certain optimized shared plans). WP Ghost might auto-detect the wrong layer. Go to WP Ghost > Advanced > Compatibility and manually select the server type that matches where .htaccess rules are actually processed (usually Apache in this stack). If paths still return 404, try Nginx instead and test. See the hosting and server types guide for reverse proxy setups.
Does WP Ghost modify WordPress core files?
No. WP Ghost uses server-level rewrite rules and WordPress filters. No core files are modified, which is important on shared hosting where file system permissions are often locked down. Deactivating WP Ghost restores every default instantly.