To hide your plugins from WordPress detectors, you need to remove every signal that reveals them in your public source code: the /wp-content/plugins/ path, individual plugin directory names (like elementor, woocommerce, contact-form-7), version numbers from CSS/JS files, plugin-specific class names in HTML, and the plugin-authored generator meta tags. WP Ghost handles all five layers through its Plugins Security settings. This matters because plugins account for the vast majority of WordPress vulnerabilities (Patchstack’s 2025 report documented 22 new plugin vulnerabilities per day in 2024), and scanners like WPScan enumerate your installed plugins to check each one against their vulnerability database. Hide the plugin names and that entire attack chain breaks.
Why Hiding Plugins Is the Most Important Path Security Layer
The average WordPress site has 22 installed plugins (WPScan). Every single one creates a named directory inside /wp-content/plugins/ that appears in your page source through CSS, JavaScript, and image URLs. If you use Contact Form 7, your source shows /wp-content/plugins/contact-form-7/. If you use Elementor, it shows /wp-content/plugins/elementor/. WooCommerce, Yoast SEO, and Wordfence all announce themselves through their directory names.
Vulnerability scanners exploit this predictability ruthlessly. WPScan makes one API request per installed plugin to check for known vulnerabilities against its database of 64,000+ tracked flaws. It finds your plugins by probing /wp-content/plugins/ with known directory names, or by reading your page source. The entire process takes seconds. Once it has your plugin list and versions, it knows exactly which exploits to aim at your site.
Hide the plugin names and the scanner’s map disappears. WPScan reports zero detected plugins. No detection means no targeted exploits. Of the 7,966 new WordPress vulnerabilities discovered in 2024, the overwhelming majority were in plugins, so hiding them is the highest-impact security step you can take.
Five Signals Detectors Use to Identify Your Plugins
| Detection Signal | Example | How to Hide |
|---|---|---|
| Plugin directory paths | /wp-content/plugins/elementor/ | Change plugins path + Hide Plugin Names |
| Version numbers in asset URLs | ?ver=3.21.2 on CSS/JS files | Hide WordPress Version |
| Plugin readme files | /wp-content/plugins/plugin/readme.txt | Hide WordPress Common Paths and Files |
| Plugin class names in HTML | class="woocommerce-product", class="elementor-widget" | Text Mapping |
| Plugin generator meta tags | <meta name="generator" content="WooCommerce 9.5"> | Hide WordPress Generator META Tags |
To completely hide plugins from detectors, you need to address all five signals. Changing just the path while leaving version tags visible, or hiding the directory but leaving plugin class names, will still result in detection.
How to Hide Plugins With WP Ghost
WP Ghost covers every detection signal through one plugin. Work through these five layers in order:
Layer 1: Change the Plugins Path and Hide Plugin Names
- Go to WP Ghost > Change Paths > Level of Security. Select Safe Mode or Ghost Mode. Click Save.
- Go to WP Ghost > Change Paths > Plugins Security. Enter a custom name in the Custom Plugins Path field (replaces /plugins/ with your chosen name).
- Switch on Hide Plugin Names. Each active plugin directory name (elementor, woocommerce, etc.) gets replaced with a random code like p3x9k.
- Switch on Hide All the Plugins. This renames deactivated plugins too, not just active ones. Deactivated plugins are still exploitable because their PHP files remain on the server.
- Switch on Hide WordPress Old Plugins Path. Blocks the original /wp-content/plugins/ URL with a 404.
Full walkthrough in the Change Plugins Path guide.
Layer 2: Hide Version Numbers in CSS and JS URLs
Even after hiding the plugin directory, version parameters like ?ver=3.21.2 appended to CSS and JS URLs reveal plugin versions. Scanners cross-reference these against the vulnerability database.
Go to WP Ghost > Tweaks > Hide Options, switch on Hide Version from Images, CSS and JS, then save.
Layer 3: Block Access to readme.txt Files
Every WordPress plugin ships with a readme.txt containing the exact plugin version, changelog, and compatibility information. Scanners read these files directly.
At WP Ghost > Change Paths > WP Core Security, enable Hide WordPress Common Paths and Hide WordPress Common Files, then select TXT files in the Hide File Extensions list. All readme.txt requests now return a 404.
Layer 4: Replace WordPress-Exclusive Plugin Class Names
Some plugins exist only on WordPress: WooCommerce, Elementor, Contact Form 7, Gravity Forms, Yoast SEO, WPBakery. When your HTML source contains classes like woocommerce-product-gallery or elementor-widget-container, detectors identify both WordPress AND the specific plugin in a single match, even if every path has been changed.
Use Text Mapping at WP Ghost > Mapping > Text Mapping to replace these class names:
- Add woocommerce in the left field, shop in the right
- Add elementor in the left field, lp in the right
- Switch on Text Mapping in CSS and JS files so styles and scripts match the new class names
This is an advanced layer with performance considerations (use a caching plugin like WP Rocket or LiteSpeed Cache). Full walkthrough including caveats in the Hide Plugins Like WooCommerce and Elementor guide.
Layer 5: Hide Plugin Generator Meta Tags
Several plugins add their own generator meta tags to your HTML head. WooCommerce adds <meta name="generator" content="WooCommerce 9.5.1">. These reveal exact plugin versions in one line.
At WP Ghost > Tweaks > Hide Options, switch on Hide WordPress Generator META Tags. This removes all generator tags, WordPress core and plugin-added.
How to Verify Plugins Are Hidden
Test with real-time detectors that scan your site fresh each time:
wpthemedetector.com, whatwpthemeisthat.com, whatcms.org. These should report no WordPress and no plugins after the hiding setup is complete.
Avoid BuiltWith and IsItWP for testing. They cache CMS results for months and may continue reporting WordPress even after you’ve hidden everything. Submit a removal request at BuiltWith’s Removals page if needed.
Quick manual check: view your page source (Ctrl+U or Cmd+Option+U) and search for known plugin names like elementor, woocommerce, contact-form-7. Nothing should appear. Also check CSS/JS URLs for version parameters (?ver=). None should be present.
Complete checklist and verification walkthrough in the Hide from WordPress Theme Detectors guide.
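The manual page-source check above can be scripted so it runs after every plugin or theme change. This is an added example, not WP Ghost code: the sample markup, the /wp-content/lib/ path and the code q7m2z are constructed, and the class-name pattern covers only the two plugins named on this page.

```python
import re

# Signals from the table above that show up in page source. The readme.txt
# signal needs an HTTP request to the file itself, so it is not covered here.
SIGNALS = {
    "plugin_path": re.compile(r"/wp-content/plugins/([A-Za-z0-9_-]+)/"),
    "asset_version": re.compile(r"\.(?:css|js)\?(?:[^\"'\s>]*&)?ver=([\w.-]+)"),
    # Class prefixes named on this page; extend for other plugins you run.
    "plugin_class": re.compile(
        r"class\s*=\s*[\"'][^\"']*?\b((?:woocommerce|elementor)[\w-]*)"),
    "generator_meta": re.compile(
        r"<meta\s+name=[\"']generator[\"']\s+content=[\"']([^\"']+)[\"']", re.I),
}


def audit(html):
    """Return {signal: sorted unique matches} for every signal still present."""
    findings = {}
    for name, pattern in SIGNALS.items():
        hits = sorted(set(pattern.findall(html)))
        if hits:
            findings[name] = hits
    return findings


# Constructed sample markup: a default install and the same page after hiding.
DEFAULT_PAGE = """
<meta name="generator" content="WooCommerce 9.5.1">
<link rel="stylesheet" href="/wp-content/plugins/elementor/assets/css/frontend.min.css?ver=3.21.2">
<script src="/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.9"></script>
<div class="product woocommerce-product-gallery"></div>
<div class="elementor-widget-container"></div>
"""
HIDDEN_PAGE = """
<link rel="stylesheet" href="/wp-content/lib/p3x9k/assets/css/frontend.min.css">
<script src="/wp-content/lib/q7m2z/includes/js/index.js"></script>
<div class="product shop-product-gallery"></div>
<div class="lp-widget-container"></div>
"""

if __name__ == "__main__":
    for label, page in (("default", DEFAULT_PAGE), ("hidden", HIDDEN_PAGE)):
        print(label, audit(page) or "no plugin signals found")
```

Feed it the saved source of several page types (home, a product page, a form page), since each loads different plugin assets.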
Frequently Asked Questions
How can I hide plugins from WordPress detectors?
Address all five detection signals: change the plugins path, hide plugin directory names (both active and deactivated), strip version numbers from CSS/JS URLs, block readme.txt access, and replace plugin-specific class names (like woocommerce or elementor) in HTML with Text Mapping. WP Ghost handles all five through its Plugins Security and Text Mapping features.
Will hiding plugins break them?
No. WP Ghost never moves, renames, or modifies plugin files. Plugins stay in /wp-content/plugins/ where WordPress expects them. WP Ghost creates virtual paths through rewrite rules that serve files from the original directories through the new URLs. Contact forms submit normally, page builders render, WooCommerce cart and checkout work, everything continues functioning.
Why should I hide deactivated plugins too?
Because deactivated plugins are still exploitable. Their PHP files remain on the server and are accessible through the default path even when not active. If a deactivated plugin has a known vulnerability, attackers can still target its files directly. Enable Hide All the Plugins to rename both active and deactivated directories. Even better: delete any plugins you no longer use.
Do I need to hide class names for WooCommerce and Elementor?
Only for sites where maximum concealment is the priority. Class name hiding is an advanced layer: because these plugins are WordPress-exclusive, their class names are a direct WordPress signal. But it requires dynamic CSS/JS rewriting with a caching plugin for performance, and thorough testing afterward (especially for WooCommerce checkout flows). For most sites, path hiding + version removal + readme blocking is sufficient.
Does hiding plugins affect SEO?
No. Plugin path changes affect asset URLs (CSS, JavaScript, plugin images), not your public page URLs or content. Search engines don’t index or rank based on plugin file paths. Your posts, pages, sitemaps, and canonical URLs remain unchanged. If anything, removing unnecessary version query strings can slightly improve Core Web Vitals.
Does this work with WooCommerce?
Yes. WP Ghost is fully compatible with WooCommerce. Layer 1 (path hiding) works out of the box: your shop, cart, checkout, and account pages continue functioning normally. Layer 4 (class name replacement) requires more care with WooCommerce because its JavaScript relies heavily on class names for cart updates and checkout validation. Enable Text Mapping in CSS and JS files and use a caching plugin to ensure all references stay synchronized.
Does WP Ghost modify WordPress core files?
No. WP Ghost never touches, moves, or renames any file or folder. Plugin files stay in /wp-content/plugins/. Virtual paths are created through URL rewrite rules. Class name replacement happens in dynamically generated HTML and processed copies of CSS/JS; original files remain untouched. Deactivating WP Ghost restores every default instantly.