Lesson 3 – Hide Your Site from WordPress Theme Detectors and Bots

Make your WordPress site invisible to theme detectors, CMS scanners, and hacker bots by removing every WordPress fingerprint from the public-facing source code. After changing your WordPress paths and activating brute force protection, the next step is ensuring the old paths are completely hidden, WordPress identifiers are removed from HTML, and no secondary signals give your CMS away. This guide walks you through the complete checklist: hide old paths, block detector crawlers, strip WordPress classes, clean sitemaps, and verify with real-time detection tools.

What Theme Detectors See

Theme detectors and CMS scanners identify WordPress sites through multiple signals: directory paths (/wp-content/, /wp-includes/), file paths (/readme.html, /wp-config.php), HTML class names (wp-block, wp-image), META tags (generator, DNS prefetch), script handles, sitemap references, and robots.txt rules. Changing paths alone removes the biggest signal, but secondary indicators can still reveal your CMS. This checklist eliminates all of them.

Don’t import demo data. If your theme came with demo content (tagline, footer text, sample posts), replace it with your own. Theme detectors compare content patterns against known theme demos. Custom content removes this detection vector entirely.

The Complete Hiding Checklist

Follow these 9 steps after you’ve already customized your WordPress paths in Safe Mode or Ghost Mode.

Hide WordPress Common Paths and Files

Changing paths creates new URLs, but the old paths still respond unless you hide them. Go to WP Ghost > Change Paths > WP Core Security and enable:

Hide WordPress Common Paths – blocks access to /wp-content/, /wp-content/plugins/, /wp-content/themes/, and other default directories. Non-logged-in visitors get a 404.

Hide WordPress Common Files – blocks access to /readme.html, /license.txt, /wp-config.php, and other root files that identify WordPress.

For detailed configuration including file extension hiding, see Hide WordPress Common Paths and Files.

Block Theme Detector Crawlers

Block known theme detector bots at the firewall level. Go to WP Ghost > Firewall and enable Block Theme Detectors Crawlers. This blocks requests from known detector IPs and user agents before they can scan your site.

For an additional layer, go to WP Ghost > Change Paths > Level Of Security > Simulate CMS and select a different CMS name (Drupal, Joomla, etc.). This sends false CMS signals to detectors that try to deep-scan. See Simulate CMS for details.

Activate Hide and Disable Options

Go to WP Ghost > Tweaks > Hide Options and enable these options to remove secondary WordPress fingerprints from your HTML source:

Change Paths for Logged Users – applies custom paths even when logged in, preventing admin activity from leaking original paths into browser caches.

Change Paths in Cached Files – ensures custom paths appear in cache plugin output files.

Hide Version from Images, CSS and JS – strips ?ver= query strings that reveal WordPress and plugin versions.

Hide WordPress Generator META Tags – removes the <meta name="generator"> tag that WordPress adds to the HTML head.

Hide WordPress DNS Prefetch META Tags – removes dns-prefetch links to s.w.org and other WordPress-specific domains.

Hide HTML Comments – strips WordPress HTML comments from the source code.

Hide Emoji Icons – removes the WordPress emoji script that scanners detect.

Disable Embed Scripts – removes WordPress embed functionality scripts.

Hide WLW Manifest Scripts – removes the Windows Live Writer manifest link.

Replace WordPress Class Names

Theme detectors also scan HTML class names for WordPress patterns like wp-block, wp-image, and wp-caption. Use WP Ghost > Mapping > Text Mapping to replace these with non-WordPress names.

Recommended mappings for common WordPress classes:

wp-caption => caption, wp-custom => custom, wp-block => block, wp-image => image, wp-smiley => smiley, wp-embed => embed, wp-i18n => i18n, wp-hooks => hooks, wp-util => util, wp-polyfill => polyfill, wp-escape => escape, wp-element => element, wp-post => post, wp-switch-editor => switch-editor.

If your theme doesn’t rely on WordPress default block classes for styling, also add: --wp-- => {blank}

Test after adding mappings. Some class name replacements can break CSS styling. Enable Text Mapping in CSS and JS files to keep replacements consistent between HTML and stylesheets. For advanced patterns including {blank} and {rand}, see Advanced Text Mapping. For plugin-specific class hiding, see Hide Plugins Like WooCommerce and Elementor.
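The styling breakage described above can be checked before going live. The following is an added example, not WP Ghost's own code: it assumes each mapping is a plain substring replacement, and the HTML and CSS samples are constructed. It lists CSS class selectors that no longer match any element when mappings are applied to the HTML but not to the stylesheet.

```python
import re

# Subset of the mappings recommended above.
MAPPINGS = {"wp-caption": "caption", "wp-block": "block", "wp-image": "image"}

def apply_mappings(text, mappings=MAPPINGS):
    # Assumption: plain substring replacement, longest keys applied first.
    for old in sorted(mappings, key=len, reverse=True):
        text = text.replace(old, mappings[old])
    return text

def html_classes(html):
    classes = set()
    for value in re.findall(r'class="([^"]*)"', html):
        classes.update(value.split())
    return classes

def css_class_selectors(css):
    # Only look at selector text (everything before a "{"), not declarations.
    selectors = " ".join(re.findall(r"([^{}]+)\{", css))
    return set(re.findall(r"\.(-?[A-Za-z_][\w-]*)", selectors))

def orphaned_selectors(html, css):
    """CSS class selectors that match no class used in the HTML."""
    return sorted(css_class_selectors(css) - html_classes(html))

# Constructed sample markup and stylesheet.
HTML = ('<figure class="wp-block-image"><img class="wp-image-12">'
        '<figcaption class="wp-caption-text">x</figcaption></figure>')
CSS = (".wp-block-image{margin:0 auto}.wp-image-12{max-width:100%}"
       ".wp-caption-text{font-size:.8em}")

if __name__ == "__main__":
    print("HTML only:", orphaned_selectors(apply_mappings(HTML), CSS))
    print("HTML + CSS:", orphaned_selectors(apply_mappings(HTML), apply_mappings(CSS)))
```

Any selector reported in the first line is a rule that will stop applying unless the same mapping is also applied to CSS and JS files.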

Handle Cache Plugin URLs

Cache plugins can combine CSS and JS files under URLs that still contain /wp-content/. If you see old paths in your source code after enabling all WP Ghost options, the cache plugin is the likely source.

Option 1: Enable Combine CSS and Combine JS in your cache plugin to merge files into a single output (hiding individual plugin paths).

Option 2: Use WP Ghost > Mapping > URL Mapping to manually replace specific URLs that still contain old paths.

See Change Paths in Cached Files and the Compatibility Plugins List for cache plugin-specific configuration.

Secure AJAX and REST API Paths

Two endpoints can still reveal your WordPress identity even when paths are changed:

admin-ajax.php – customize the filename and hide wp-admin from the URL. See Change the admin-ajax.php Path.

REST API (wp-json) – hide the wp-json path from the source code. Also disable XML-RPC access since it’s used for brute force attacks by bots. See REST API wp-json Path.

Clean Sitemap and Robots.txt

Theme detectors check /sitemap.xml for plugin author references and /robots.txt for wp-admin and wp-includes disallow rules. WP Ghost automatically removes author/style references from sitemaps and strips WordPress-specific paths from robots.txt.

Go to WP Ghost > Tweaks > Feed, Sitemap & Robots and enable the relevant options. See Feed, Sitemap and Robots for details.

No SEO impact. These options remove only WordPress fingerprints, not your actual content. All pages, posts, and media continue to appear in sitemaps. All necessary crawl rules remain in robots.txt. Google indexes your content exactly as before.

Run a Security Check

Before testing with external detectors, verify your configuration internally. Go to WP Ghost > Security Check > Start Scan. WP Ghost runs 39 security tasks and reports which checks pass. If path-related checks show green and no /wp-content/ references appear, your configuration is correct.

You can also manually verify by opening your site in an incognito browser and viewing the source code (view-source:https://yourdomain.com/). Search for wp- using Ctrl+F. If no WordPress paths or class names appear, the configuration is working. See Website Security Check for the full guide.
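The manual source check can be scripted so it is repeatable after every plugin or theme update. The following is an added example, not part of WP Ghost: the signal names come from this guide's checklist, while the regexes, function names, and both HTML samples are constructed for illustration. Feed it the logged-out source of your own site.

```python
import re
from html.parser import HTMLParser
# Signals taken from this guide's checklist; the regexes are this example's own.
URL_SIGNALS = {
    "default path": re.compile(r"/wp-(?:content|includes|admin|json)\b"),
    "version query": re.compile(r"[?&]ver=[\w.]+"),
    "wlwmanifest": re.compile(r"wlwmanifest\.xml"),
}
WP_CLASS = re.compile(r"^wp-[\w-]+$")

class FingerprintScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (signal, evidence) pairs

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.findings.append(("generator meta", a.get("content", "")))
        if "dns-prefetch" in a.get("rel", "") and "s.w.org" in a.get("href", ""):
            self.findings.append(("dns-prefetch", a["href"]))
        for url in (a.get("href", ""), a.get("src", "")):
            for name, rx in URL_SIGNALS.items():
                if rx.search(url):
                    self.findings.append((name, url))
        for cls in a.get("class", "").split():
            if WP_CLASS.match(cls):
                self.findings.append(("wp- class", cls))

    def handle_data(self, data):
        if "_wpemojiSettings" in data:  # inline emoji loader
            self.findings.append(("emoji script", "_wpemojiSettings"))

def scan(html):
    scanner = FingerprintScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed samples: default-install markup and the same page after hiding.
BEFORE = """<html><head><meta name="generator" content="WordPress 6.4.2" />
<link rel="dns-prefetch" href="//s.w.org" /><link rel="wlwmanifest" href="/wp-includes/wlwmanifest.xml" />
<link rel="stylesheet" href="/wp-content/themes/demo/style.css?ver=6.4.2" />
<script>window._wpemojiSettings = {};</script></head>
<body><figure class="wp-block-image"><img class="wp-image-12" src="/media/a.png"></figure></body></html>"""
AFTER = """<html><head><link rel="stylesheet" href="/assets/skin/style.css" /></head>
<body><figure class="block-image"><img class="image-12" src="/media/a.png"></figure></body></html>"""
if __name__ == "__main__":
    print(scan(BEFORE), scan(AFTER), sep="\n")
```

An empty result for the logged-out page means none of these signals remain in the HTML; each remaining finding names the checklist option to revisit.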

Test with Theme Detectors

After passing the Security Check, test your site with real-time theme detectors to confirm it’s invisible externally. These detectors provide accurate, uncached results:

wpthemedetector.com, whatwpthemeisthat.com, whatcms.org, mycodelesswebsite.com

Avoid BuiltWith and IsItWP for testing. These services cache CMS information for months after initial detection. Even if your site is fully hidden, they may still show WordPress from cached data. Use real-time detectors listed above instead. To remove your site from BuiltWith’s cache, visit builtwith.com/removals.

How to Test Correctly

WP Ghost hides WordPress fingerprints for public visitors. When you’re logged in as an administrator, WordPress exposes admin assets and signals that detectors can pick up. To get accurate results:

Never test with browser extensions while logged in. Don’t run WhatRuns, Wappalyzer, BuiltWith, or similar extensions in the same browser profile you use for WordPress admin work. These extensions detect WordPress through admin-only signals and may cache that result permanently.

Test in an incognito/private window while logged out. This gives you the same view as a public visitor.

Use a separate browser profile for admin work. Keep one profile for managing your site and another (clean, no extensions) for testing detection.

Use another device for testing. A phone or tablet that isn’t logged into your WordPress site gives the most accurate public view.

Frequently Asked Questions

Do I need to complete all 9 steps?

For maximum protection, yes. Each step eliminates a different detection signal. If you only need to block hacker bots (not pass every theme detector), steps 1 through 3 cover the critical paths. Steps 4 through 9 progressively remove the secondary signals that sophisticated detectors use.

A detector still identifies my site as WordPress. What’s wrong?

Check three things. First, are you testing while logged out? (Incognito browser, no admin session.) Second, view your source code and search for wp- – if old paths or class names still appear, identify the source (cache plugin, hardcoded theme reference, or a mapping you missed). Third, the detector may be using cached results from before you configured WP Ghost. Try a different real-time detector.

Can I use WP Ghost with other security plugins?

Yes. WP Ghost is designed to work alongside Wordfence, Sucuri, Solid Security, and other security plugins. You don’t need to deactivate other security plugins when installing WP Ghost. They handle different protection layers – WP Ghost focuses on reducing attack surface by hiding paths, while plugins like Wordfence focus on malware scanning and firewall rules.

Does this work with WooCommerce?

Yes. All hiding features are fully compatible with WooCommerce. Cart, checkout, product pages, and customer accounts work normally with hidden paths. For WooCommerce-specific class hiding, see Hide Plugins Like WooCommerce and Elementor.

Does WP Ghost modify WordPress core files?

No. All hiding is done through URL rewrite rules, WordPress hooks, and output buffering. No files are moved, renamed, or deleted. Deactivating WP Ghost restores all original paths and fingerprints instantly.

John Darrel
