No. WP Ghost does not write to, modify, or inject code into any PHP file, including WordPress core, theme, or plugin files. It works through server rewrite rules and WordPress filters that run in memory. On Apache and LiteSpeed, WP Ghost writes rewrite rules to your .htaccess file. On Nginx and IIS, it generates a config file you or your host can include. The moment you deactivate WP Ghost, every rule is removed and your site is back to its original state.
Why This Matters
A lot of WordPress security plugins work by patching core files, injecting code into wp-config.php, or dropping must-use PHP files in places WordPress did not expect. That approach creates real problems: WordPress updates can overwrite the patches, leftover code can linger after uninstall, and debugging becomes a nightmare because nobody can tell which plugin changed what. WP Ghost avoids all of that by never touching PHP files in the first place. The result is a clean, auditable, reversible security layer that cannot drift out of sync with your WordPress version.
What WP Ghost Actually Writes To
| Server Type | File WP Ghost Writes To | File Type |
|---|---|---|
| Apache | .htaccess | Server configuration |
| LiteSpeed | .htaccess (same as Apache) | Server configuration |
| Nginx | hidemywp.conf (you or your host includes it) | Server configuration |
| IIS / Windows | web.config | Server configuration |
| WordPress core files (wp-config.php, wp-login.php, etc.) | Never | N/A |
| Theme PHP files | Never | N/A |
| Plugin PHP files | Never | N/A |
Notice the pattern: WP Ghost only writes to server configuration files, the same files your host and WordPress itself already write to for permalinks and caching. No PHP source is ever touched. All the WP Ghost-specific logic runs through standard WordPress filters at request time, which is the officially supported extension model for WordPress plugins.
How WP Ghost Hides Paths Without Moving Files
The /wp-admin, /wp-content, /wp-login.php, and plugin folder paths stay exactly where WordPress installed them. WP Ghost creates virtual paths: URL rewrite rules that say “when a request comes in for /my-custom-admin, silently serve it from /wp-admin.” Your server handles the rewrite, WordPress serves the page as if you requested the original URL, and the visitor never sees the mapping. No file has moved. No folder has been renamed. The .htaccess is doing what .htaccess was designed to do.
This is why WP Ghost is compatible with WordPress updates, all major caching plugins, WooCommerce, Elementor, and anything else that expects WordPress to be structured the way WordPress normally is. From the file system’s perspective, nothing has changed. Only the incoming URLs get rerouted.
What the .htaccess Rules Look Like
WP Ghost wraps its rules in a clearly labeled block so they are easy to identify and audit:
# BEGIN HMWP_RULES
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^([_0-9a-zA-Z-]+/)?ajax$ /wp-admin/admin-ajax.php [QSA,L]
RewriteRule ^([_0-9a-zA-Z-]+/)?custom-admin/(.*) /wp-admin/$2 [QSA,L]
</IfModule>
# END HMWP_RULESEverything between the # BEGIN HMWP_RULES and # END HMWP_RULES markers belongs to WP Ghost. Everything outside that block is untouched. When you deactivate the plugin, the whole block is removed automatically. For more on controlling where these rules are placed, see the Rewrites Rules Location guide.
Nginx and Windows IIS
On Nginx, WP Ghost cannot write to server config files directly (Nginx does not use .htaccess), so it generates a hidemywp.conf file in your WordPress root. You or your host adds one include line to your Nginx server block, and Nginx picks up the rules. The Nginx setup guide walks through this for common managed hosts like Kinsta, WP Engine, Flywheel, and RunCloud.
On Windows IIS, WP Ghost writes rules to web.config instead of .htaccess. Same principle, different file format. See the Windows IIS setup guide for details.
Frequently Asked Questions
Does WP Ghost write codes into PHP files?
No. WP Ghost does not write, modify, or inject code into any PHP file. It works through server rewrite rules (in .htaccess, hidemywp.conf, or web.config) and WordPress filters that run in memory. PHP files on disk are never altered.
Does WP Ghost modify wp-config.php?
No. WP Ghost never modifies wp-config.php. You can optionally add WP Ghost constants to wp-config.php yourself to enforce certain behaviors (for example HMW_RULES_IN_WP_RULES), but that is something you do manually, not the plugin. See the full list in the WP Ghost constants in wp-config.php reference.
Does WP Ghost change my WordPress core files during updates?
No. WordPress core updates are completely unaffected by WP Ghost. Since WP Ghost does not modify any core file, WordPress can update itself, your themes, and your plugins normally. Core updates also do not overwrite WP Ghost’s rewrite rules, because those rules live in .htaccess, not in any PHP file WordPress updates.
Is the .htaccess file considered a WordPress core file?
No. .htaccess is an Apache server configuration file that WordPress uses for permalink rewriting. WordPress itself writes to it when you save permalink settings. WP Ghost adding its own block to .htaccess is the same standard mechanism, not core modification.
What gets removed when I deactivate WP Ghost?
The entire # BEGIN HMWP_RULES to # END HMWP_RULES block in .htaccess. On Nginx, the generated hidemywp.conf file is no longer referenced (you may delete it manually). All WordPress filters that WP Ghost registers stop running because the plugin is inactive. Your site reverts to default WordPress behavior instantly.
Is WP Ghost safe for production sites?
Yes, and the no-PHP-modification design is one of the main reasons. Production-safe plugins need to be predictable, auditable, and reversible. WP Ghost’s server-side rewrite architecture means you can deploy it, audit the .htaccess changes with any SysAdmin tool, and roll it back without touching WordPress itself.
Does WP Ghost modify WordPress core files?
No. This FAQ is the long-form version of that answer. WP Ghost uses server-level rewrite rules and WordPress filters. No core files, no theme files, no plugin files, and no PHP code anywhere on your server are modified. Deactivating WP Ghost restores every original path and default instantly.