Yes, there are two ways to hide a WordPress site. You can do it manually by editing WordPress files and .htaccess rules (requires PHP knowledge and ongoing maintenance) or use WP Ghost to automate the entire process through the dashboard. WP Ghost handles everything the manual method covers: hides WordPress headers, removes version tags and HTML comments, changes wp-content, wp-includes, plugin and theme paths, hides files like readme.html, xmlrpc.php, and wp-config.php, and strips identifying classes from source code, without touching any core file. The plugin approach is faster, more thorough, and reversible.
Why Hide WordPress in the First Place
Hacker bots target WordPress sites because WordPress powers a huge share of the web and has predictable default paths every bot knows by heart. Bots do not care whether you run WordPress, Drupal, or Joomla; they fire WordPress-specific exploits at every site they find. If your site responds to /wp-login.php or /wp-content/plugins/ with anything other than a 404, the bot confirms WordPress and moves to the exploitation phase: SQL injection, script injection, plugin vulnerability probing, brute force on the login.
Hiding WordPress removes those signals. When bots cannot confirm your site runs WordPress, they skip the WordPress exploit chain entirely and move to easier targets. This is the foundation of proactive hack prevention, the core idea behind WP Ghost.
Two Ways to Hide a WordPress Site
| Method | Skill Required | Coverage | Maintenance |
|---|---|---|---|
| Manual (PHP, .htaccess, code edits) | High: PHP and server config knowledge | Partial: easy to miss signals | High: must re-apply after every WordPress update |
| WP Ghost plugin | None: toggle switches | Complete: 115+ features | Zero: auto-updates with plugin |
The Manual Method (Not Recommended for Most Users)
If you prefer the DIY route and have PHP knowledge, here is what hiding WordPress manually involves:
Remove WordPress headers: the generator meta tag, RSD link, WLW manifest link, and DNS prefetch URLs. Each of these identifies your site as WordPress through the HTML head.
Remove WordPress version tags: strip ?ver=6.x from CSS and JS file references so attackers cannot see which WordPress and plugin versions you are running (important because version info enables targeted CVE exploits).
Remove HTML comments: WordPress inserts comments that explicitly say “Generated by WordPress” in various places; remove them through filter hooks.
Change WordPress common paths: add rewrite rules for /wp-content, /wp-includes, /wp-content/plugins/, /wp-content/themes/, and cache directories through .htaccess (Apache) or Nginx config. Edit every URL reference in PHP output to match the new paths.
Hide sensitive files: add .htaccess deny rules for readme.html, license.txt, xmlrpc.php, install.php, wp-config.php, debug.log, and other files that leak WordPress identity.
Strip identifying classes: remove or rename HTML classes and IDs that start with wp-, wc-, elementor-, or other fingerprints from source code. Verify no plugin functionality depends on those class names.
Maintain all of this after every update: every time WordPress, a theme, or a plugin updates, re-verify that nothing reintroduced the signals you removed. This is where the manual approach usually breaks down: it becomes a maintenance burden that gets forgotten.
The WP Ghost Method (Recommended)
WP Ghost automates everything the manual method covers, with no coding and no maintenance. Install the plugin, activate Safe Mode or Ghost Mode, and the configuration happens through the dashboard. See What is WP Ghost for the feature overview.
Step 1. Install WP Ghost
Install WP Ghost from the WordPress plugin directory at wordpress.org/plugins/hide-my-wp. The free version includes full path security, firewall, brute force protection, 2FA with passkeys, and detector hiding.
Step 2. Activate a Security Level
Go to WP Ghost > Change Paths > Level of Security and select Safe Mode or Ghost Mode. Safe Mode covers the essential path changes; Ghost Mode adds full coverage. See Set Up WP Ghost in Safe Mode in 3 Minutes for the quick-start walkthrough.
Step 3. Enable Detector Hiding Features
Go to WP Ghost > Tweaks and enable the individual hiding toggles:
Hide WordPress Generator meta tag, Hide WordPress Version, Hide DNS Prefetch, Hide Emojicons, Hide HTML Comments, Hide IDs from META Tags, Hide Gutenberg Classes, and the rest of the Hide from Theme Detectors options.
Step 4. Change the Core Paths
Under WP Ghost > Change Paths, customize paths for:
wp-content, plugin paths (per-plugin custom names), theme paths, plus login, admin, REST API, uploads, and more. Individual plugin name hiding is especially useful for high-profile plugins like WooCommerce, Elementor, and Yoast.
Step 5. Hide Sensitive Files
At WP Ghost > Tweaks, enable Hide WordPress Common Paths and Files. This blocks direct access to readme.html, license.txt, xmlrpc.php, install.php, wp-config.php, debug.log, and other identifying files.
Step 6. Verify with a Security Check
Run WP Ghost > Security Check to confirm all hiding features are active. Then test manually: visit your site in an incognito browser, view the page source, and search for wp-, WordPress, and generator. You should find nothing identifying WordPress. See Website Security Check.
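An added example, not WP Ghost's code or its Security Check: the manual page-source search described above, automated in Python over a constructed sample page. The signal list follows the ones this page names; `SAMPLE`, `FingerprintAudit` and `audit` are names assumed here.

```python
import re
from html.parser import HTMLParser

# Signals this page names: default paths, ?ver= tags, head links, wp- classes.
DEFAULT_PATHS = re.compile(r"/wp-(?:content|includes|admin|json)\b|/(?:wp-login|xmlrpc)\.php")
VERSION_ARG = re.compile(r"[?&]ver=[\w.\-]+")
HEAD_RELS = {"edituri": "RSD link", "wlwmanifest": "WLW manifest link"}

# Constructed sample page source, not taken from a real site.
SAMPLE = """<html><head>
<meta name="generator" content="WordPress 6.x" />
<link rel="EditURI" type="application/rsd+xml" href="https://example.test/xmlrpc.php?rsd" />
<link rel="stylesheet" href="https://example.test/wp-content/themes/demo/style.css?ver=6.x" />
</head><body class="home wp-custom-logo">
<!-- Generated by WordPress -->
</body></html>"""

class FingerprintAudit(HTMLParser):
    """Collects (signal, evidence) pairs from one HTML document."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.findings.append(("generator meta tag", a.get("content", "")))
        if tag == "link":
            for rel in a.get("rel", "").lower().split():
                if rel in HEAD_RELS:
                    self.findings.append((HEAD_RELS[rel], a.get("href", "")))
        for url in (a.get("href", ""), a.get("src", "")):
            if DEFAULT_PATHS.search(url):
                self.findings.append(("default path", url))
            if VERSION_ARG.search(url):
                self.findings.append(("version query string", url))
        for cls in a.get("class", "").split():
            if cls.startswith("wp-"):
                self.findings.append(("wp- class", cls))

    def handle_comment(self, data):
        if "wordpress" in data.lower():
            self.findings.append(("HTML comment", data.strip()))

def audit(html):
    parser = FingerprintAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Feed `audit` the saved source of your own page after each WordPress, theme, or plugin update; an empty list means none of these signals remain in that document.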
Check Your Results With Public Detectors
After configuration, verify your hiding with the same tools attackers use:
Run your URL through Wappalyzer, BuiltWith, WhatCMS, and IsItWP. A properly configured WP Ghost installation returns “Unknown CMS” or identifies your site as something other than WordPress. See the dedicated guide for Hide WordPress from Wappalyzer.
For maximum coverage, Premium users can simulate running Drupal or Joomla, adding decoy signals that trick detectors into reporting the wrong CMS entirely.
What Happens After You Hide WordPress
Three immediate effects:
Bot traffic drops dramatically. Automated scans for default WordPress paths get 404 responses at the server level, before WordPress loads. Most bots move on to easier targets.
Server load decreases. Fewer bot requests trigger WordPress, which means faster response times for real visitors and more headroom on shared hosting.
Vulnerability exploits fail. Even when new plugin vulnerabilities are disclosed (and they are, constantly), bots trying to exploit them on your site cannot find the plugin paths to attack.
WP Ghost’s 115+ free features and 150+ premium features cover the full hiding surface, plus add the firewall, brute force, and 2FA layers that manual hiding does not include.
Frequently Asked Questions
Does hiding WordPress affect SEO?
No. Search engines index your public content, not the WordPress-identifying meta tags, generator tags, or default backend paths. Googlebot and Bingbot continue to crawl and index everything they need while WordPress is hidden from theme detectors and hacker bots.
Is the manual method ever worth doing?
Rarely. The manual method takes significant time to implement correctly, requires re-verification after every WordPress and plugin update, and is easy to get wrong. WP Ghost handles the same work automatically, updates hiding rules with each plugin release, and does not risk breaking your site through bad .htaccess edits. Unless you have a specific reason to avoid plugins entirely, WP Ghost is the practical choice.
Can I just change the login URL and call it done?
No. Changing only /wp-login.php leaves dozens of other signals exposed: /wp-content/plugins/, /wp-content/themes/, generator meta, version tags, wp- classes in HTML, readme.html, and more. Partial hiding fails because bots check multiple signals. Complete hiding requires changing all of them, which is why WP Ghost includes 115+ features instead of just a login URL change.
Does WP Ghost work on any hosting?
Yes. WP Ghost works on Apache, Nginx, LiteSpeed, IIS, and managed WordPress hosts (Kinsta, WP Engine, SiteGround, Cloudways, Flywheel). Some hosts need specific configuration for full path security; check the host-specific setup guides for your environment.
What if something breaks after hiding WordPress?
WP Ghost includes built-in recovery options: the SAFE URL for emergency access, Pause for 5 Minutes to disable temporarily from the Plugins page, Rollback Settings to reset to defaults, and an HMW_DISABLE constant for wp-config.php. You are never permanently locked out.
Does WP Ghost modify WordPress core files?
No. WP Ghost works through server rewrite rules (.htaccess on Apache, hidemywp.conf on Nginx) and WordPress hooks that filter output at runtime. No WordPress core files are touched, moved, or renamed. Deactivating WP Ghost restores every default path and all removed tags instantly.