WP Ghost is the most complete WordPress cloaking plugin available. It hides your WordPress identity by changing all default paths (admin, login, plugins, themes, uploads, REST API), removing CMS fingerprints from the HTML source, and even simulating a different CMS like Drupal or Joomla. The result: bots and theme detectors cannot identify your site as WordPress, which eliminates the most common attack vector.
What Does “Cloaking WordPress” Actually Mean?
In WordPress security, cloaking means hiding or disguising the signals that tell bots, theme detectors, and attackers that your site runs on WordPress. Every default WordPress installation leaves a trail of recognizable fingerprints: the /wp-admin and /wp-login.php paths, plugin and theme directory names inside /wp-content/, the WordPress generator meta tag in the HTML head, version numbers on CSS and JS files, and REST API endpoints at /wp-json/.
Bots scan for these signals to confirm a target runs WordPress. Once confirmed, they check vulnerability databases for known exploits in your specific plugins and themes, then attack automatically. Cloaking removes or replaces all of these signals so bots find nothing to confirm and nothing to target. It is not about making your site invisible to visitors or search engines. It is about making your site invisible to the automated scripts that carry out 99% of WordPress attacks.
How WP Ghost Cloaks Your WordPress Site
WP Ghost uses a multi-layer approach to WordPress cloaking. Each layer removes a different category of fingerprints.

Path security. WP Ghost changes over 30 default WordPress paths to custom URLs. The admin path, login page, plugins directory, themes directory, uploads folder, wp-includes, REST API, author paths, admin-ajax.php, and more all get renamed. Bots probing /wp-login.php get a 404. Scanners looking for /wp-content/plugins/woocommerce/ find nothing. Individual plugin and theme names can be replaced with random codes so even the new paths reveal nothing about your technology stack.
Fingerprint removal. WP Ghost strips the WordPress generator meta tag, version numbers from CSS and JS files, RSD headers, DNS prefetch hints, HTML comments, style IDs, and meta IDs from your page source. These are the secondary signals that theme detectors like BuiltWith, Wappalyzer, IsItWP, and WhatCMS use to identify WordPress when paths alone are not enough.
CMS simulation. WP Ghost can go beyond removing WordPress signals by actively injecting fake Drupal or Joomla fingerprints into your HTML. Theme detectors scanning your site don’t just fail to detect WordPress; they confidently report a completely different CMS. You can select Drupal or Joomla from the built-in presets or add a custom generator name using a filter. See the CMS Simulator tutorial for details.
Additional protection layers. Cloaking is WP Ghost’s foundation, but the plugin goes well beyond it. It includes 7G and 8G firewall rules, brute force protection with reCAPTCHA, two-factor authentication (code, email, and passkeys), security headers, country blocking (Premium), and IP block automation. These layers handle anything that gets past the cloaking, like targeted manual attacks or zero-day exploits.
How to Set Up WordPress Cloaking with WP Ghost
Install WP Ghost from the WordPress plugin directory or upload it through Plugins > Add New. After activation, go to WP Ghost > Change Paths and select a security level. Safe Mode changes the most critical paths with tested compatibility settings. Ghost Mode changes all paths for maximum cloaking. Both options can be loaded as one-click presets that configure everything automatically. Customize your login path, clear your cache, and run the Security Check at WP Ghost > Security Check to verify your site is fully cloaked. The setup takes under five minutes. For a full walkthrough, see the WP Ghost Tutorial.
To verify the cloaking works, check your site with a theme detector like IsItWP, BuiltWith, or Wappalyzer. If they cannot detect WordPress, your cloaking is working.
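For a local check of your own page source against the fingerprints listed earlier on this page, the following is an added example, not part of WP Ghost or its Security Check. The function name, the pattern set, and both HTML samples are constructed for illustration, and the patterns cover only what appears in the HTML of a single page.

```python
import re

# Fingerprints named on this page, written as regexes over page source.
# Assumption: this pattern set is illustrative, not WP Ghost's own check.
FINGERPRINTS = {
    "generator meta tag": re.compile(
        r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']WordPress[^"\']*', re.I),
    "wp-content path": re.compile(
        r'/wp-content/(?:plugins|themes|uploads)/[^"\'\s?]*', re.I),
    "wp-includes path": re.compile(r'/wp-includes/[^"\'\s?]*', re.I),
    "REST API endpoint": re.compile(r'/wp-json/?[^"\'\s]*', re.I),
    "login/admin path": re.compile(r'/wp-(?:login\.php|admin)\b[^"\'\s]*', re.I),
    "versioned asset": re.compile(r'\.(?:css|js)\?ver=[\w.]+', re.I),
    "RSD link": re.compile(r'<link[^>]+rel=["\']EditURI["\'][^>]*>', re.I),
    "DNS prefetch hint": re.compile(
        r'<link[^>]+rel=["\']dns-prefetch["\'][^>]+s\.w\.org[^>]*>', re.I),
}

def find_fingerprints(html):
    """Return {fingerprint name: sorted unique matches} for signals still present."""
    found = {}
    for name, pattern in FINGERPRINTS.items():
        hits = sorted({m.group(0) for m in pattern.finditer(html)})
        if hits:
            found[name] = hits
    return found

# Constructed sample: head of a default install (example.test is a placeholder host).
DEFAULT_HTML = """<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="EditURI" type="application/rsd+xml" href="https://example.test/xmlrpc.php?rsd" />
<link rel="dns-prefetch" href="//s.w.org" />
<link rel="https://api.w.org/" href="https://example.test/wp-json/" />
<link rel="stylesheet" href="https://example.test/wp-content/themes/sample-theme/style.css?ver=6.4.2" />
<script src="https://example.test/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
</head><body><a href="https://example.test/wp-login.php">Log in</a></body></html>"""

# Constructed sample: the same page with renamed paths and stripped signals.
CLOAKED_HTML = """<html><head>
<link rel="stylesheet" href="https://example.test/assets/skin/a1b2c3/style.css" />
<script src="https://example.test/lib/js/jquery/jquery.min.js"></script>
</head><body><a href="https://example.test/portal">Log in</a></body></html>"""

if __name__ == "__main__":
    for label, page in (("default", DEFAULT_HTML), ("cloaked", CLOAKED_HTML)):
        print(label, find_fingerprints(page) or "no fingerprints found")
```

Run it against the saved source of several page types (home page, a post, a shop page), since a plugin or theme can reintroduce a default path on one template only.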
Frequently Asked Questions
Is WordPress cloaking the same as “security through obscurity”?
No. WP Ghost uses path security, not obscurity. Obscurity means relying on secrecy as your only defense. WP Ghost changes the actual attack surface: paths that bots probe return 404 errors, the firewall blocks injection attempts, brute force protection limits login attempts, and 2FA secures authentication. Path changes are one layer of a multi-layer defense strategy.
Will cloaking affect my SEO or site functionality?
No. WP Ghost changes asset paths (CSS, JS, images) and admin paths, not your public page URLs. Your posts, pages, sitemaps, canonical URLs, and media files continue working normally. Search engines index your content through the same URLs as before. WP Ghost also updates paths in sitemaps and robots.txt automatically so there are no broken references.
Can theme detectors still identify my site after cloaking?
When properly configured with Ghost Mode and all fingerprint removal options enabled, WP Ghost hides your site from all major theme detectors including BuiltWith, Wappalyzer, IsItWP, WhatCMS, and WPThemeDetector. Activating the CMS Simulator makes detectors report Drupal or Joomla instead of WordPress. For a detailed guide, see the Hide from WordPress Theme Detectors tutorial.
Does WP Ghost cloak the site from my visitors too?
No. Your visitors see and use your site normally. Pages load, forms submit, images display, and WooCommerce carts work exactly the same. The cloaking only affects what bots and scanners see when they probe for WordPress fingerprints. Logged-in administrators can still access all admin features through the custom paths.
Is WP Ghost lightweight enough for shared hosting?
Yes. WP Ghost uses rewrite rules and server-level filtering rather than heavy file scans. It does not run database checks or file scans on every page load. By blocking bot traffic before it reaches WordPress, WP Ghost can actually reduce your server load compared to running without it.
Does WP Ghost modify WordPress core files?
No. WP Ghost uses rewrite rules, WordPress filters, and output buffering to cloak your site at runtime. No WordPress core files, plugin files, or theme files are modified. Deactivating WP Ghost restores all original paths and fingerprints instantly.