WP Ghost is highly customizable across every layer of WordPress security. You can control 115+ individual settings in the free version and 150+ in premium, including custom paths for every WordPress file and folder, granular firewall rules, role-based feature toggles, custom warning messages, custom login page design, reCAPTCHA type selection, country-level access rules, and much more. At the same time, one-click presets and the Safe Mode / Ghost Mode levels let you skip the micromanagement if you just want reasonable defaults. Customization is available when you want it, never required to get protected.
Three Levels of Customization Depth
| Level | Time | Control |
|---|---|---|
| Presets (one-click) | Under 2 minutes | Low, decisions already made |
| Safe Mode / Ghost Mode (with custom paths) | 5 to 10 minutes | Medium, customize the paths that matter |
| Manual configuration (granular) | 30 minutes to an hour | Full, every setting individually |
You can start with a preset for instant protection, then gradually move deeper into customization as you learn what each setting does. Nothing is locked, every choice is reversible, and you can switch between levels at any time without losing progress.
What You Can Customize
Paths (every WordPress URL)
Every predictable WordPress path can be renamed to something custom: wp-admin, wp-login.php, lost password, register, logout, activation, admin-ajax.php, wp-comments-post.php, wp-includes, wp-content, wp-content/uploads, wp-content/plugins (plus individual plugin folder names), wp-content/themes (plus individual theme folder names), author URLs, and the REST API wp-json endpoint. For each one, you pick the new name. Default suggestions are randomized so you never end up with predictable renames.
Firewall Rules
Four firewall levels (Minimal, Medium, 7G, 8G) let you balance protection against compatibility. An IP whitelist and blacklist allow or block specific addresses. A path whitelist exempts specific URLs from firewall rules (useful for third-party integrations). Automated IP blocking rules let you configure how many attempts trigger a block, the time window, and whether blocks are temporary or permanent. Security headers (HSTS, CSP, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Permissions-Policy, Referrer-Policy) can be individually toggled.
Authentication
Choose which 2FA methods to offer (code via Google Authenticator, email, or passkeys including Face ID, Touch ID, Windows Hello, and hardware keys). Choose which user roles require 2FA. Enable Magic Link login for passwordless access. Create time-limited Temporary Logins for developers or agencies with specific role assignments. Customize the login page design: upload a logo, pick layout presets, set colors, add background images and overlays.
Brute Force Protection
Apply protection to login, register, lost password, comments, and WooCommerce login forms individually. Pick your reCAPTCHA type (Math, Google V2, Google V3). Set custom attempt limits and timeout durations. Customize the warning message shown after blocked attempts. Whitelist specific IPs that bypass brute force rules.
Disable Options (Role-Based)
Disable right-click, Inspect Element, View Source, Copy/Paste, and Drag/Drop Images. Each feature has its own toggle, its own custom warning message, and a role selector so you can apply it only to specific user roles (or all visitors). Blank Screen On Debugging goes further, blanking the page when DevTools opens.
Geo and Bot Controls
Block or allow specific countries. Apply geo rules to specific paths (for example, block logins from countries that never have legitimate users). Block AI crawler bots (GPTBot, ClaudeBot, Google-Extended, etc.) from scraping your content. Block theme-detector crawlers (BuiltWith, WPThemeDetector, IsItWP, Wappalyzer) from identifying your stack.
Mapping Engine
Text Mapping replaces class names and IDs in your HTML source. URL Mapping replaces entire URLs (useful for custom integrations). CDN Mapping configures how paths appear in your CDN URLs. You can also enable mapping in AJAX responses, RSS feeds, XML sitemaps, robots.txt, and cached files. Each mapping rule is individually controllable.
Hardening Toggles
Disable REST API for non-logged-in users, disable XML-RPC, disable embed scripts, disable DB debug, disable WLW Manifest. Fix file and folder permissions automatically. Change the WordPress database prefix. Regenerate SALT keys. Toggle WordPress debugging and script debugging. Each hardening setting is a single toggle you control.
Logs, Alerts, and Monitoring
Configure what events get logged (Security Threats, User Events). Set up email alerts for specific risky actions. Configure retention periods and cloud monitoring. Pick which user actions to track (logins, failed logins, plugin activations, theme changes, user role changes, etc.).
The Overview Panel: Fast Customization
For quick adjustments, the WP Ghost > Overview panel gives you one-click toggles for the most-used features without navigating through submenus. Turn the firewall on or off, switch between Safe Mode and Ghost Mode, enable or disable 2FA, toggle path security, and see your current Security Score at a glance. The Overview is designed for day-to-day management; the submenus are where you go when you want granular control.
Backup and Restore Your Configuration
All your customizations can be exported to a single backup file under WP Ghost > Backup/Restore. Import it on another site to replicate your configuration in seconds. This is especially useful for agencies managing multiple WordPress sites with standardized security settings. See the Backup and Restore guide.
Customization Without the Risk
Experimenting with settings is safe because every change is reversible. The Safe URL rollback lets you bypass WP Ghost temporarily if a setting locks you out. The emergency disable via FTP restores full access if even that fails. Deactivating the plugin restores every WordPress default instantly, no cleanup needed. You can push customization as far as you want without worrying about getting stuck. See the rollback settings and emergency disable guides.
Video Walkthroughs
For visual walkthroughs of specific customization options, the WP Ghost YouTube channel has video tutorials covering every major feature, from basic preset selection to advanced firewall rule configuration. Useful if you want to see the interface before committing to a particular workflow.
Frequently Asked Questions
How customizable is WP Ghost?
Extremely. WP Ghost has 115+ individual settings in the free version and 150+ in premium, spanning path security, firewall rules, 2FA methods, brute force protection, geo blocking, role-based disable options, mapping engines, and hardening toggles. You can also skip the customization and use one-click presets for instant protection. Customization is optional, never required.
Do I need to customize every setting to be protected?
No. Loading a preset (Minimal, Safe Mode + Firewall + Compatibility, Safe Mode + Full Protection, or Ghost Mode + Full Protection) configures dozens of settings at once with tested values. You can stop there for solid default protection, or dive into individual settings if you want more control.
Can I customize settings per user role?
Yes. Disable Options (right-click, Inspect Element, View Source, Copy/Paste, Drag/Drop) each have a separate “for Logged Users” toggle with role selection. 2FA can be required per role. Temporary Logins are created with specific role assignments. Role-based control is built into the features where it matters.
Can I export my WP Ghost configuration to another site?
Yes. Go to WP Ghost > Backup/Restore to export all your settings as a single file. Import it on another site to replicate the configuration instantly. Agencies use this to standardize security across client sites. See the Backup and Restore guide.
Is customization safe? What if I break something?
Every setting is reversible. The Safe URL rollback lets you bypass WP Ghost temporarily without losing admin access. Emergency disable via FTP restores full access as a final fallback. Deactivating WP Ghost restores every default instantly. You can experiment freely with no risk of permanent damage.
What is the Overview panel?
The WP Ghost > Overview screen is the dashboard for day-to-day management. It shows your Security Score, the GEO Threat Map, and one-click toggles for the most-used features (firewall, 2FA, path security, security level). For granular configuration of individual settings, use the submenus under each feature area.
Does WP Ghost modify WordPress core files?
No. All customizations are stored in the WordPress database options table or applied through server-level rewrite rules (.htaccess on Apache and LiteSpeed, hidemywp.conf on Nginx). No core files, theme files, or plugin files are modified. Deactivating WP Ghost restores every default instantly.