Hide Paths and Files

What is Hiding Paths?

Hiding paths refers to the process of concealing the default WordPress file and directory structures, including common paths like /wp-admin/, /wp-login.php, /wp-content/, /wp-includes/, and plugin or theme directories.

These default paths are widely known and frequently targeted by hackers and bots attempting to exploit vulnerabilities in WordPress websites.

By hiding or renaming these paths, website owners can make it almost impossible for hacker bots to locate and exploit these entry points, effectively reducing the attack surface and strengthening website security.

Why is it Essential to Hide WordPress Paths?

WordPress sites are prime targets for attackers due to their popularity and predictable structure. The default WordPress paths are well-documented, making it easier for bots and hackers to identify vulnerabilities.

Hiding these paths offers several advantages:

  • Prevents Automated Attacks: Most hacking attempts are automated and rely on standard paths. Hiding these paths renders automated tools ineffective.
  • Reduces Vulnerability Discovery: Hackers cannot exploit vulnerabilities they cannot locate.
  • Strengthens Obfuscation: Even if plugins or themes have vulnerabilities, hiding their paths makes it more difficult for attackers to detect and exploit them.
  • Minimizes Bot Traffic: Protects against malicious bots scanning for weak points, reducing server load and improving performance.

How to Hide Paths and Files in WP Ghost

Activate Safe Mode or Ghost Mode

Begin by activating Safe Mode or Ghost Mode to open the path customization process.

  1. Access your WordPress dashboard after installing and activating the WP Ghost plugin.
  2. Go to WP Ghost > Change Paths > Level of Security.
  3. Select Safe Mode or Ghost Mode. Safe Mode provides basic protection, while Ghost Mode offers more advanced security features.

Hide WordPress Common Paths

If you changed wp-login, wp-content, wp-includes, plugins, and themes paths using WP Ghost, you should now hide the old paths from hackers to protect vulnerable plugins and themes.

In each security section, you have the option to hide the default path after changing it. This section covers the options in WP Core Security for hiding the common paths and files.

  1. Go to WP Ghost > Change Paths > WP Core Security.
  2. Switch on the Hide WordPress Common Paths option to hide the paths and sub-paths.
  3. Select from Hide File Extensions the file extension you want to hide together with these directories.
  4. Click the Save button to apply the changes.

WP Ghost will show a 404 error when a user who is not logged in to the website tries to access the paths, sub-paths, and files with the selected extension.

By selecting the JS and PHP file extensions in the Hide File Extensions option, you hide and secure JavaScript and PHP files, which hacker bots target in order to inject SQL and JavaScript.

Hide WordPress Common Files

Hiding the WordPress common files is an important step in hiding your website from theme detectors and protecting it from hacker bot attacks.

  1. Go to WP Ghost > Change Paths > WP Core Security.
  2. Switch on the Hide WordPress Common Files option to open the file select option.
  3. Select from Hide Common Files the files you want to hide from hacker bots.
  4. Click the Save button to apply the changes.

WP Ghost will add a filter to show a 404 error when the user is not logged in to the website and accesses these files.

To significantly reduce comment spam on your website, change the comments path and select the file wp-comments-post.php from the list of Hide Common Files, which will appear after you change the comments path.

We also encourage you to activate the Brute Force Protection on Comments Form to prevent automatic comment spam.

Note! Hiding the file wp-comments-post.php will NOT stop people from filling in your site’s comment forms and sending you spam comments. To completely stop spam comments, we recommend installing a dedicated Anti-Spam plugin with a database of spam emails and messages. 

Disable Directory Browsing

Don’t expose directory content when an index file is missing. For example, displaying the file list in wp-content/uploads could make it easier for hackers to find vulnerable files.

To prevent this, enable the directory browsing protection:

  1. Go to WP Ghost > Change Paths > WP Core Security.
  2. Switch on the Disable Directory Browsing option to disable direct directory browsing and block access to directory content.
  3. Click the Save button to apply the changes.

When this option is active, and directory browsing is disabled, hackers cannot see the contents of your directories. Instead, they will encounter a blank or restricted access page, blocking their attempts to view sensitive files.
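To confirm that the Hide WordPress Common Paths, Hide WordPress Common Files and Disable Directory Browsing settings took effect on your own site, you can request the old locations as a logged-out visitor and check the answers. The script below is an added example, not part of WP Ghost; the host example.test, the renamed directory /storage/files/ and the sample responses are constructed assumptions.

```python
import urllib.error
import urllib.request

# Default locations named on this page; a logged-out visitor should get 404 for each.
DEFAULT_PATHS = ["/wp-login.php", "/wp-content/", "/wp-includes/",
                 "/wp-content/plugins/", "/wp-content/themes/", "/wp-comments-post.php"]

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx as-is: a redirect to a login page is not a 404."""
    def redirect_request(self, *args, **kwargs):
        return None

def http_fetch(url, timeout=10):
    """Anonymous GET (no cookies); returns (status, first 4 KiB of the body)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace")

def audit(base_url, listing_dirs, fetch=http_fetch):
    """Return (path, problem) pairs; an empty list means the settings took effect."""
    base, findings = base_url.rstrip("/"), []
    for path in DEFAULT_PATHS:
        status, _ = fetch(base + path)
        if status != 404:
            findings.append((path, f"default path answered {status}, expected 404"))
    for path in listing_dirs:  # renamed directories still need an index check
        status, body = fetch(base + path)
        if status == 200 and "Index of /" in body:
            findings.append((path, "directory listing is exposed"))
    return findings

# Constructed responses for an offline run: one default path still reachable and
# a renamed uploads directory (hypothetical /storage/files/) that lists its files.
SAMPLE = {"/wp-includes/": (200, ""),
          "/storage/files/": (200, "<title>Index of /storage/files</title>")}

def sample_fetch(url):
    path = url.replace("https://example.test", "", 1)
    return SAMPLE.get(path, (404, "Not Found"))

if __name__ == "__main__":
    for path, problem in audit("https://example.test", ["/storage/files/"], sample_fetch):
        print(f"{path}: {problem}")
```

Against a live site, call audit() with your own base URL and the custom paths you configured, leaving fetch at its default; run it from a session that is not logged in, since logged-in users still see the original paths.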