Block direct access to WordPress core paths, hide sensitive files like wp-config.php and readme.html, and disable directory browsing with WP Ghost. Changing your WordPress paths is step one. Step two? Making sure the old paths are completely dead. This tutorial covers the three options that seal the gaps: hiding common paths, hiding common files, and disabling directory browsing.
This is different from changing paths. When you change the wp-content path or change wp-includes, you create a new URL that serves the same files. But the old URL might still respond. Hiding is what makes the old URL return a 404. You need both for complete protection: change the path so your site uses the new URL, then hide the old path so bots can’t access it.
WP Ghost also lets you hide specific file types within these directories (PHP, JS, TXT, CSS) and block access to individual files that reveal WordPress information, like readme.html which displays your WordPress version, or wp-config.php which contains your database credentials.
Every default WordPress path and file that’s accessible from the outside is a signal. Some signals tell bots you’re running WordPress. Others tell them exactly which plugins you use and what versions they’re running. A few even leak your database name or server configuration. Here’s why shutting these down is essential for your hack prevention strategy:
Bots probe default paths before anything else. Automated scanners like WPScan don’t guess. They hit /wp-content/, /wp-includes/, and /wp-admin/ directly. If any of them respond, the bot knows it’s WordPress and starts enumerating plugins, themes, and versions. If all of them return 404, the bot has nothing to work with. It moves on. With 64,782 tracked WordPress vulnerabilities as of 2025 (WPScan database) and 7,966 new ones discovered in 2024 alone, making your site invisible to these scans isn’t optional. It’s essential.
Readme and license files expose your WordPress version. The file readme.html in your WordPress root displays the exact WordPress version you’re running. The file license.txt confirms WordPress as your CMS. Plugin readme.txt files reveal individual plugin versions. Attackers check these files to find known vulnerabilities for your specific versions. Hiding them removes this intelligence entirely.
PHP files in default paths are the primary exploit target. The vast majority of WordPress attacks target PHP files in /wp-content/plugins/ and /wp-admin/. Hiding PHP file access through the old paths means that even if an attacker knows a vulnerable plugin file exists, they can’t reach it through the default URL. They’d need to know your custom path, which they don’t.
Directory browsing reveals your entire file structure. If directory listing is enabled (common on shared hosting), anyone can navigate to /wp-content/plugins/ and see every installed plugin. Or browse /wp-content/uploads/ and access every uploaded file. Disabling directory browsing removes this entire attack surface in one toggle.
WP Ghost offers three complementary protections under WP Core Security. Each one addresses a different exposure point, and they work best when all three are enabled.
Before you can hide any paths, one of WP Ghost’s security levels must be active.
Need help choosing? Check the Safe Mode vs Ghost Mode comparison.
This option blocks direct access to the default /wp-content/ and /wp-includes/ directories and all their sub-paths. Any request to the old paths returns a 404 error for non-logged-in users. You can also choose which file types to block.
Once active, bots hitting the old paths get nothing.
This option blocks direct access to individual WordPress root files that reveal information about your installation. These are files that exist in every WordPress root directory and are the first things bots check to confirm WordPress.
Hidden files return a 404 instead of their actual content.
If you’ve also changed the comments path, the file wp-comments-post.php will appear in the list of hideable files. Hiding it adds an extra layer against comment spam bots that target this file directly. However, note that hiding the file alone won’t stop all spam. For complete comment spam protection, also enable Brute Force Protection on the Comments Form and consider a dedicated anti-spam plugin.
Note: Hiding wp-comments-post.php blocks bots that POST directly to the file. It does not block visitors from using your site’s comment forms normally, since those forms submit through your custom path.
Directory browsing lets anyone navigate to a folder URL (like /wp-content/plugins/) and see a list of every file inside. Think of it as leaving a folder open on a shared computer. Some hosting providers disable this by default, but many don’t, especially on shared hosting plans.
With this enabled, navigating to any directory URL returns a blank or restricted page instead of a file listing. Bots can’t browse your plugin list, your uploads folder, or any other directory on your site. This is a WordPress security best practice that every site should have enabled, regardless of what other protections you use.
When you enable Hide WordPress Common Paths, you can choose which file types to block within the old directories. Here’s what each extension protects:
PHP – This is the most critical extension to hide. PHP files are the primary targets for code injection, remote code execution, and SQL injection. Blocking PHP access through old paths means attackers can’t reach vulnerable plugin or theme files even if they know the file name.
JS (JavaScript) – JavaScript files can reveal your plugin structure and sometimes contain inline configuration that exposes admin URLs, nonces, or API endpoints. Hiding them prevents bots from downloading and analyzing your JavaScript to map your site’s architecture.
TXT – This hides readme.txt files in plugin directories, which contain exact version numbers. It’s one of the primary ways scanners like WPScan identify plugin versions to check for known vulnerabilities. Hiding TXT files also blocks theme detectors that rely on plugin readme files.
CSS – CSS files are lower priority but can still reveal theme and plugin names through their file paths and sometimes contain version comments. Hiding them adds another layer of security.
For maximum protection, hide all four. At minimum, always hide PHP and TXT.
The Hide WordPress Common Files option lets you block access to specific root-level files. Here’s what each one exposes if left accessible:
readme.html – Contains your exact WordPress version number. This is the first file scanners check. Accessible at yourdomain.com/readme.html on any default installation.
license.txt – Confirms WordPress as the CMS and includes the GPL license text. Bots use it as a secondary WordPress detection method.
wp-config.php – Your most sensitive file. Contains database credentials, authentication keys, table prefix, and debug settings. It should never be directly accessible from the web (and on properly configured servers it isn’t), but hiding it adds a safety net.
wp-config-sample.php – The default configuration template that ships with WordPress. Confirms the CMS and reveals expected configuration structure.
wp-comments-post.php – The file that processes comment submissions. Spam bots POST directly to this file to bypass comment forms. Available to hide after you’ve changed the comments path.
wp-cron.php – The WordPress cron handler. If publicly accessible, it can be used to trigger scheduled tasks or probe for timing-based information.
Hide all of these unless you have a specific reason not to. Most sites will never notice they’re blocked.
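One way to confirm that hiding is actually in force for the common paths, the root files and directory browsing described above, as an added example rather than anything shipped with WP Ghost: this script requests the default locations as an anonymous visitor, reports any that still answer, and flags any directory listing it sees. The domain and the custom content path are placeholders (assumptions), and the `fetch` parameter exists so the same checks can be run against a stub instead of a live site.

```python
"""Audit that default WordPress paths and root files are really dead.

Constructed example: the site and custom path below are placeholders.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Default paths and root files that should answer 404 once hidden.
OLD_PATHS = ["wp-content/", "wp-includes/", "wp-content/plugins/",
             "wp-content/uploads/"]
OLD_FILES = ["readme.html", "license.txt", "wp-config.php",
             "wp-config-sample.php", "wp-cron.php"]


def http_fetch(url):
    """Anonymous GET (no cookies, so never a logged-in session)."""
    req = urllib.request.Request(url, headers={"User-Agent": "hide-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def audit(base_url, custom_content_path, fetch=http_fetch):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for path in OLD_PATHS + OLD_FILES:
        status, body = fetch(urljoin(base_url, path))
        if status != 404:
            findings.append(f"{path}: still answers {status}, expected 404")
        if "<title>Index of" in body:  # Apache/nginx autoindex page title
            findings.append(f"{path}: directory listing is enabled")
    # The replacement path must keep serving, or the site itself is broken.
    status, body = fetch(urljoin(base_url, custom_content_path))
    if status == 404:
        findings.append(f"{custom_content_path}: custom path answers 404")
    if "<title>Index of" in body:
        findings.append(f"{custom_content_path}: directory listing is enabled")
    return findings


if __name__ == "__main__":
    # Placeholder site and custom path; replace with your own values.
    for line in audit("https://example.com/", "assets/") or ["all checks passed"]:
        print(line)
```

A 403 or a blank page on the custom path is fine here; only a 404 on it is reported, since that would mean the site's own assets are no longer reachable.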
Hiding paths and files can occasionally affect functionality if a plugin or external service relies on direct access to a hidden file. Here’s how to diagnose issues:
Something broke after enabling Hide Common Paths: Open your site in a private browser window. If pages load but certain features don’t work (forms not submitting, products not filtering, live search not responding), the issue is likely with AJAX calls still pointing to old paths. Make sure you’ve enabled Change Paths in Ajax Calls.
A third-party service stopped working: Some external services (payment gateways, email marketing tools, analytics platforms) may call specific WordPress files directly. If a service breaks, check if it needs access to a specific file you’ve hidden and either exclude it or whitelist the service. See the WP Ghost Exceptions tutorial for how to create exclusion rules.
Comment forms stopped working: If you hid wp-comments-post.php, make sure you’ve also changed the comments path. The custom path needs to be active for comment submissions to route correctly.
If you need to undo everything, check the emergency disable guide, use rollback settings, or add a constant in wp-config.php to disable WP Ghost temporarily.
Technically, you can hide without changing. But the most effective approach is to do both. Change the paths first so your site uses new URLs, then hide the old paths so they return 404. This way your site functions through the custom paths while the default ones are completely dead. If you only hide without changing, some internal references may still use the old paths, which could break functionality.
No. WP Ghost only blocks access for non-logged-in visitors. If you’re logged into WordPress as an administrator, you can still access all paths normally. The 404 responses only apply to anonymous requests, which is exactly what bot traffic is.
It should be, but it often isn’t. Many shared hosting providers don’t disable it by default, and some server migrations can re-enable it. Enabling this option in WP Ghost guarantees it’s always off, regardless of your server configuration. It’s a one-click insurance policy.
On a properly configured server, no. PHP files in the root directory are processed, not downloaded. But server misconfigurations can expose them, and some hosting setups might serve the raw file under specific conditions. Hiding it through WP Ghost adds an extra safety net. It takes one toggle and costs nothing in performance.
No. The files being hidden (readme.html, license.txt, wp-config.php, etc.) are not indexed by search engines and have no SEO value. Hiding common paths like /wp-content/ and /wp-includes/ only affects direct access to the old URLs. Your public pages, posts, sitemaps, and media continue working through the new custom paths.
Yes. WP Ghost is fully compatible with WooCommerce. WooCommerce’s files are served through your custom paths, so hiding the old paths doesn’t affect cart, checkout, product pages, or any customer-facing functionality.
No. WP Ghost never modifies, moves, or deletes any file. Hiding is done through URL rewrite rules that intercept requests and return 404 responses. The actual files remain on your server untouched. Deactivating WP Ghost restores full access to all paths and files instantly.