Hiding your WordPress site means stripping every clue that tells visitors and bots you are running WordPress. That includes the login URL, the wp-admin path, the version number, the theme and plugin names, the class prefixes in your HTML, and the default file paths like /wp-content/ and /wp-includes/. WP Ghost does all of this from one dashboard, no code editing, no .htaccess surgery.
Why Hide Your WordPress Site?
WordPress powers over 43% of the web, which makes it the single biggest target for automated attacks. Almost every hack you hear about starts the same way: a bot scans millions of domains looking for /wp-login.php, /wp-admin, and default plugin paths. If your site responds at those URLs, you enter the queue. Hiding WordPress breaks that pattern. The bot moves on, looking for an easier target.
Beyond hack prevention, hiding WordPress gives you a few other wins: privacy from competitors snooping on your tech stack, protection for vulnerable plugins while you wait on a patch, and cleaner source code that does not shout “I am a standard WordPress install” to every visitor.
Default WordPress vs a Site Hidden with WP Ghost
| Signal | Default WordPress | Hidden with WP Ghost |
|---|---|---|
| Login URL | /wp-login.php | Custom path, default returns 404 |
| Admin URL | /wp-admin | Custom path, default returns 404 |
| Content directory | /wp-content/ | Renamed and hidden |
| Plugin paths | /wp-content/plugins/ | Renamed or randomized |
| Theme paths | /wp-content/themes/ | Renamed or randomized |
| WordPress version | Visible in meta generator | Removed |
| Readme and license files | Publicly accessible | 404 error |
| HTML class names | wp-block, wp-image | Replaced with custom values |
| XML-RPC endpoint | Open by default | Disabled or blocked |
The Six Methods That Actually Hide WordPress
1. Change the Default Login URL
Your login page is the front door to everything. Out of the box, every WordPress site uses /wp-login.php and bots hammer it with brute force attempts all day. Change it to something only you know and the entire category of login attacks stops working. In WP Ghost, go to Change Paths > Login Security, set your custom URL, and enable the option to return 404 on the default path. See the change and hide wp-login path guide for the walkthrough.
2. Hide the WordPress Version
WordPress injects a <meta name="generator"> tag into every page showing your exact version. Bots use that version number to match your site against known vulnerability databases. Hide it under WP Ghost > Tweaks > Hide Options by enabling Hide WordPress Generator META Tags. While you are there, also enable Hide Version from Images, CSS and JS to strip the ?ver= query strings that leak version info through asset URLs.
3. Rename Theme and Plugin Paths
If an attacker can see you are running a specific theme at version X.Y and plugin Z at version A.B, they can pull up the matching exploits in seconds. Rename the /wp-content/plugins/ and /wp-content/themes/ paths in WP Ghost > Change Paths > WP Core Security, and even change individual plugin folder names to generic values. Bots can no longer fingerprint what you run, so they cannot pick the right exploit.
4. Protect the wp-admin Directory
The admin dashboard is the prize. Change /wp-admin to a custom path under Change Paths > Admin URL and enable Hide WordPress Common Paths so the default returns a 404. Add 2FA on top under WP Ghost > 2FA Login (code, email, or passkey) and brute force protection on the login form. That is three overlapping layers, any one of which would stop most automated attacks alone.
5. Disable Directory Browsing
Directory browsing is what happens when a server lists folder contents because there is no index file. An attacker hitting /wp-content/uploads/2024/ should not see every file inside. WP Ghost blocks this automatically when you enable Hide WordPress Common Paths, which forces a 404 on any direct directory access from unauthenticated visitors.
6. Clean the HTML and Block Detector Crawlers
This is what separates a partial hide from a complete one. Under Tweaks > Hide Options, enable Hide HTML Comments, Hide Emoji Icons, Hide WLW Manifest Scripts, and Hide DNS Prefetch META Tags. Then go to Firewall > Header Security and switch on Block Theme Detectors Crawlers to stop tools like BuiltWith, IsItWP, and Wappalyzer from scanning you in the first place. For the full nine-step checklist, follow the Hide from WordPress Theme Detectors guide.
How to Verify Your Site Is Actually Hidden
Configuring the options is only half the job. You need to confirm the site looks hidden from the outside. Go to WP Ghost > Security Check and run the scan. The plugin runs dozens of path checks and flags anything still leaking. After that, open your site in an incognito window (always logged out) and test with real-time detectors like WPThemeDetector, WhatWPThemeIsThat, or WhatCMS. Skip IsItWP and BuiltWith for testing: they cache results for up to 30 days and will still show WordPress from an old scan. The full verification process is covered in the Website Security Check tutorial.
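As an added example (not WP Ghost's own Security Check code), the script below audits a saved copy of your own logged-out page source and the status codes of the default paths against the signals in the comparison table. The regexes, function names, and sample HTML are assumptions constructed for illustration; readme.html and license.txt are the stock WordPress file names.

```python
import re

# Signals from the comparison table; the regexes are this example's own choices.
HTML_SIGNALS = {
    "generator meta tag": re.compile(r'<meta[^>]+name=["\']generator["\'][^>]*WordPress', re.I),
    "default content path": re.compile(r'/wp-content/', re.I),
    "default includes path": re.compile(r'/wp-includes/', re.I),
    "asset version query": re.compile(r'\.(?:css|js)\?ver=[\w.]+', re.I),
    "wp- class prefix": re.compile(r'class=["\'][^"\']*\bwp-(?:block|image)', re.I),
}

# Default paths that should answer 404 to a logged-out visitor once hidden.
DEFAULT_PATHS = ["/wp-login.php", "/wp-admin/", "/readme.html", "/license.txt"]

# Constructed sample: page source of a default install (version numbers invented).
SAMPLE_BEFORE = '''<html><head>
<meta name="generator" content="WordPress 6.5.2" />
<link rel="stylesheet" href="/wp-content/themes/example/style.css?ver=6.5.2" />
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
</head><body><figure class="wp-block-image">
<img class="wp-image-42" src="/wp-content/uploads/a.png" /></figure></body></html>'''

# Constructed sample: the same page after paths and class names were replaced.
SAMPLE_AFTER = '''<html><head>
<link rel="stylesheet" href="/assets/skin/main/style.css" />
<script src="/lib/js/jquery/jquery.min.js"></script>
</head><body><figure class="blk-image"><img class="img-42" src="/storage/a.png" /></figure></body></html>'''


def html_leaks(html):
    """Return the names of WordPress signals still present in a page's HTML."""
    return sorted(name for name, rx in HTML_SIGNALS.items() if rx.search(html))


def path_leaks(status_by_path):
    """Return the checked default paths whose HTTP status is not 404."""
    return [p for p in DEFAULT_PATHS
            if p in status_by_path and status_by_path[p] != 404]


if __name__ == "__main__":
    print("before:", html_leaks(SAMPLE_BEFORE))
    print("after: ", html_leaks(SAMPLE_AFTER))
    # Constructed status codes, as they would be recorded from a logged-out session.
    print("paths: ", path_leaks({"/wp-login.php": 200, "/wp-admin/": 302,
                                 "/readme.html": 200, "/license.txt": 404}))
```

Feed `html_leaks` the source of several page types (home, single post, archive), since a theme template can reintroduce a default path on one page only.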
Why Hiding Is Prevention, Not Obscurity
Skeptics sometimes argue that hiding WordPress is just security through obscurity. That misses how automated attacks actually work. Bots do not manually investigate your site; they run scripts that check default paths and move on when nothing responds. Every WordPress path you hide, every version number you strip, every class name you rename is one more check that fails and one more script that skips your site. This is path security: reduce the predictable surface, and the majority of attacks, which depend on predictability, simply never reach you. Real-world WP Ghost deployments consistently see a drop of around 99% in attack traffic after a full configuration. That is not obscurity; that is hack prevention.
Frequently Asked Questions
Can I completely hide a WordPress site without breaking it?
Yes, if you use a plugin designed for it. WP Ghost changes paths through server rewrite rules and WordPress filters, so the underlying functionality keeps working. You just see custom URLs where the defaults used to be. If something does break, Safe Mode and Ghost Mode let you pick a compatibility level that matches your hosting and theme setup, and the emergency disable option restores everything instantly.
Will hiding my WordPress site affect SEO?
No. Google indexes your content by URL, not by CMS fingerprint. Public pages, sitemaps, and robots.txt continue to work normally. WP Ghost only hides internal paths like /wp-admin and /wp-content, which search engines never need to access anyway. Existing images and PDFs stay accessible at their old URLs too, so previously indexed assets keep working.
Can I hide WordPress without editing code or .htaccess manually?
Yes, that is the whole point of WP Ghost. Every option is a toggle in the dashboard. Behind the scenes, WP Ghost writes the rewrite rules for you. On Nginx hosts, it generates a hidemywp.conf file that your server admin or WP Ghost itself can include. Nothing in WordPress core gets modified.
What if I do not want to hide everything, just the login page?
That is a perfectly valid starting point. Changing the login URL and enabling brute force protection already blocks the majority of automated login attacks. You can layer on theme detection hiding and HTML cleanup later if you want to go further. WP Ghost’s Security Presets under the Overview dashboard let you pick a protection level (Default, Safe Mode, Ghost Mode) that matches how much you want to hide.
Does hiding WordPress stop all hacker attacks?
It stops the vast majority, not all. Bot-driven attacks that rely on default paths simply cannot find your site anymore. Targeted attacks from a human attacker who really wants into your specific site are a different problem, and that is why WP Ghost pairs path security with firewall rules (7G and 8G), 2FA, brute force protection, and security headers. The goal is layers: reduce the attack surface, then harden what remains.
Does WP Ghost modify WordPress core files?
No. WP Ghost uses server-level rewrite rules and WordPress filters to hide paths and clean the HTML output. No core files are touched. Deactivating WP Ghost restores every original WordPress default instantly.