Hide WordPress Common Paths and Files

What is Hiding Paths?

By hiding or renaming these paths, website owners can make it almost impossible for hacker bots to locate and exploit these entry points, effectively reducing the attack surface and strengthening website security.

Why is it Essential to Hide WordPress Paths?

WordPress sites are prime targets for attackers due to their popularity and predictable structure. The default WordPress paths are well-documented, making it easier for bots and hackers to identify vulnerabilities.

Hiding these paths offers several advantages:

• Prevents Automated Attacks: Most hacking attempts are automated and rely on standard paths. Hiding these paths renders automated tools ineffective.
• Reduces Vulnerability Discovery: Hackers cannot exploit vulnerabilities they cannot locate.
• Strengthens Obfuscation: Even if plugins or themes have vulnerabilities, hiding their paths makes it more difficult for attackers to detect and exploit them.
• Minimizes Bot Traffic: Protects against malicious bots scanning for weak points, reducing server load and improving performance.

How to Hide Paths and Files in WP Ghost

Activate Safe Mode or Ghost Mode

Begin by activating Safe Mode or Ghost Mode to open the path customization process.

1. Access your WordPress dashboard after installing and activating the WP Ghost plugin.
2. Go to WP Ghost > Change Paths > Level of Security.
3. Select Safe Mode or Ghost Mode. Safe Mode provides basic protection, while Ghost Mode offers more advanced security features.

Hide WordPress Common Paths

If you changed wp-login, wp-content, wp-includes, plugins, and themes paths using WP Ghost, you should now hide the old paths from hackers to protect vulnerable plugins and themes.

On each security section you have the option to hide the default path after changing it. Here we’ll talk especially about hiding the common paths and files options from WP Core Security.

1. Go to WP Ghost > Change Paths > WP Core Security.
2. Switch to the Hide WordPress Common Paths option to hide the paths and sub-paths.
3. Select from Hide File Extensions the file extension you want to hide together with these directories.
4. Click the Save button to apply the changes.

WP Ghost will show a 404 error when a user is not logged on to the website and tries to access the paths, sub-paths, and files with the selected extension.

By selecting JS and PHP file extensions from the Hide File Extensions option, you hide and secure files like Javascript and PHP, which hacker bots use to inject SQL and JavaScript into these files.

Hide WordPress Common Files

Hiding the WordPress common files is an important action in hiding your website from Theme detectors and protecting it from hacker bot attacks.

1. Go to WP Ghost > Change Paths > WP Core Security.
2. Switch on the Hide WordPress Common Files option to open the file select option.
3. Select from Hide Common Files the files you want to hide from hacker bots.
4. Click the Save button to apply the changes.

WP Ghost will add a filter to show a 404 error when the user is not logged in to the website and accesses these files.

To significantly reduce comment spam on your website, change the comments path and select the file wp-comments-post.php from the list of Hide Common Files, which will appear after you change the comments path.

We also encourage you to activate the Brute Force Protection on Comments Form to prevent automatic comment spam.

Note! Hiding the file wp-comments-post.php will NOT stop people from filling in your site’s comment forms and sending you spam comments. To completely stop spam comments, we recommend installing a dedicated Anti-Spam plugin with a database of spam emails and messages. 

Disable Directory Browsing

Don’t expose directory content when an index file is missing. For example, displaying the file list in wp-content/uploads could make it easier for hackers to find vulnerable files.

To prevent this, enable the directory browsing protection:

1. Go to WP Ghost > Change Paths > WP Core Security.
2. Switch on the Disable Directory Browsing option to disable direct directory browsing and block access to directory content.
3. Click the Save button to apply the changes.

When this option is active, and directory browsing is disabled, hackers cannot see the contents of your directories. Instead, they will encounter a blank or restricted access page, blocking their attempts to view sensitive files.