Control what happens when bots, visitors, or logged-in users access hidden or restricted paths on your WordPress site using WP Ghost’s redirect features. You’ve hidden your /wp-admin and /wp-login.php paths. Now what happens when someone tries to access them? By default they might get a generic error. With WP Ghost’s redirects, you decide: send them to a custom page, return a 404, trigger a 403, or route logged-in users to role-specific destinations after login and logout.
What Are Redirects in WP Ghost?

These aren’t just convenience features. They’re the behavioral layer that completes your path-security setup. Hiding a path like /wp-admin conceals it from bots and scanners. Redirects determine the response those bots get when they request it anyway – and whether they try again or move on.
Why Redirects Matter for Security
Hiding paths is the first step. Controlling responses is the second. Here’s why redirects matter for your hack prevention strategy:
A 404 tells bots the path doesn’t exist. This is the most effective response for hidden admin and login paths. When a bot hits /wp-admin and gets a 404, it’s indistinguishable from a genuinely nonexistent URL. The bot logs your site as “not WordPress” and moves on. A redirect to the homepage, by contrast, returns a 302 status code – which some sophisticated bots recognize as evidence that something was there but got moved.
A 403 signals “forbidden” without revealing what’s behind it. Some site owners prefer a 403 response because it explicitly tells the requester that access is denied. This is useful when you want to communicate restriction rather than nonexistence – for instance, blocking access to a REST API endpoint while acknowledging the endpoint exists.
Custom page redirects maintain professionalism. If real visitors (not bots) accidentally type /wp-admin because they found it on a tutorial, sending them to a branded “access denied” page or your homepage is more professional than a raw 404 error. This is especially relevant for client-facing sites, agencies, and membership platforms.
Login/logout redirects reduce attack surface. Sending users to role-appropriate pages after login means fewer people land on the admin dashboard who don’t need to be there. A WooCommerce customer shouldn’t see the WordPress dashboard at all – they should land on their My Account page. An editor should go directly to the post editor. Every user seeing only what they need reduces the exposure footprint of your admin area.
How to Configure Redirects in WP Ghost
WP Ghost offers three redirect features. Each controls a different scenario.
Activate Safe Mode or Ghost Mode
Before configuring redirects, one of WP Ghost’s security levels must be active.
- Go to WP Ghost > Change Paths > Level of Security.
- Select Safe Mode or Ghost Mode.
- Click Save to apply.

Need help choosing? Check the Safe Mode vs Ghost Mode comparison.
Redirect Hidden Paths
This controls what happens when someone accesses a path you’ve hidden (like /wp-admin, /wp-login.php, or other protected URLs). You choose the response:
Show a 404 error – the path appears to not exist at all. Best for confusing bots.
Show a 403 error – the path exists but access is explicitly denied. Best for restricted endpoints.
Redirect to a page – send visitors to your homepage, a custom “access denied” page, or any URL you choose. Best for client-facing sites.
- Select the redirection type (404 error, 403 error, or a specific page).
- Click Save to apply.

Tip: If none of the default options fit your needs, create a custom WordPress page (e.g., “This page is not available”) and select it as the redirect destination. This gives you full control over the message and design.
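To check which response a hidden path actually returns, compare it with the response for a URL that certainly does not exist. The script below is an added example, not part of WP Ghost; the function names and the constructed sample responses are assumptions made for illustration.

```python
import urllib.error
import urllib.request
import uuid

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report the 3xx itself instead of following it

def fetch(url, timeout=10):
    """Return (status, Location header, body) without following redirects."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read()
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here
        return err.code, err.headers.get("Location"), err.read()

def classify(hidden, baseline):
    """Compare a hidden-path response with a known-nonexistent path's response."""
    status, location, body = hidden
    base_status, _, base_body = baseline
    if 300 <= status < 400:
        return f"redirect to {location}"
    if status == 403:
        return "403 forbidden"
    if status == 404:
        if base_status == 404 and body == base_body:
            return "404, identical to a nonexistent URL"
        # Themes that echo the requested URL in the 404 page also land here.
        return "404, but differs from a nonexistent URL (review manually)"
    return f"unexpected status {status}"

def audit(site, paths=("/wp-admin/", "/wp-login.php")):
    """Fetch a random (nonexistent) path as baseline, then classify each hidden path."""
    baseline = fetch(f"{site}/{uuid.uuid4().hex}/")
    return {path: classify(fetch(site + path), baseline) for path in paths}

# Constructed sample responses (not captured from a real site).
NOT_FOUND = (404, None, b"<h1>Page not found</h1>")
SAMPLES = {
    "404 option": (404, None, b"<h1>Page not found</h1>"),
    "403 option": (403, None, b"Forbidden"),
    "page option": (302, "https://example.com/", b""),
    "still exposed": (200, None, b"<form id='loginform'>"),
}

if __name__ == "__main__":
    for name, response in SAMPLES.items():
        print(f"{name}: {classify(response, NOT_FOUND)}")
```

Calling `audit("https://your-site.example")` runs the same comparison against your own site; the requests carry no cookies, so they see what a non-logged-in visitor sees.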
Set Login and Logout Redirect URLs
Control where users land after logging in or logging out. You can set default URLs for all users, or configure role-specific destinations so each user type gets sent to the right place.
For example, WooCommerce customers can go directly to their My Account page. Editors can land on the Posts screen. Subscribers can be redirected to a membership area. After logout, you might send everyone to the homepage or a “you’ve been logged out” page.
- Go to WP Ghost > Tweaks > Redirects > Do Login & Logout Redirects.
- Choose Default settings for all users, or switch to User Role settings for role-specific redirects.
- Enter the desired URLs for login and logout destinations.
- Click Save to apply.

Redirect Logged Users to Dashboard
When a user who is already logged in visits the login page again, this option automatically redirects them to the admin dashboard instead of showing the login form. No need to log in twice. It saves time, reduces confusion, and prevents unnecessary authentication attempts that could trigger brute force protections.
- Go to WP Ghost > Tweaks > Redirect.
- Switch on Redirect Logged Users To Dashboard.
- Click Save to apply.

Troubleshooting
Redirects aren’t working after saving
This is almost always a caching issue. Clear your WordPress cache plugin, CDN cache, and server cache. Then test in a private browser window. Also confirm that Safe Mode or Ghost Mode is active – redirects require one of these security levels to be enabled.
Login redirect sends me to the wrong page
Check whether another plugin or your theme is setting its own login redirect. WooCommerce, membership plugins, and some themes override WordPress’s default login redirect. If you see conflicts, disable the other plugin’s redirect and use WP Ghost’s role-based redirects instead.
If you’ve lost access or something broke, check the emergency disable guide, use the rollback settings, or add a constant in wp-config.php to disable WP Ghost temporarily.
Frequently Asked Questions
Should I use a 404, 403, or redirect for hidden paths?
For maximum security, use 404. It makes the path appear to not exist at all, which is the most effective response against automated bots – they log your site as “no WordPress found” and move on. A 403 confirms something exists but is restricted, which may prompt further probing. A page redirect is best for client-facing sites where a branded error page looks more professional than a raw HTTP error.
Does this work with WooCommerce role-based redirects?
Yes. WP Ghost’s login/logout redirects support role-based configuration. You can send WooCommerce customers to their My Account page, shop managers to the dashboard, and subscribers to a custom landing page – all from the same settings panel. If WooCommerce has its own redirect settings, disable them to avoid conflicts and use WP Ghost’s redirects instead. WP Ghost is fully compatible with WooCommerce.
Can I create a custom redirect page?
Yes. Create any WordPress page (e.g., “Access Restricted” or “This page is not available”), publish it, and select it as the redirect destination in WP Ghost. This gives you full control over the message, design, and branding. Some site owners use this to display a custom message with a link to the contact page.
Do redirects affect SEO?
No. Admin paths like /wp-admin and /wp-login.php are not indexed by search engines. Redirecting or blocking these paths has zero impact on your public content, rankings, or sitemaps. Your front-end URLs remain completely unchanged.
Will the redirect affect logged-in administrators?
The “Redirect Hidden Paths” setting only applies to non-logged-in visitors. Logged-in administrators can still access the admin dashboard through the custom admin path. The “Redirect Logged Users to Dashboard” feature applies to already logged-in users who visit the login page – it sends them to the dashboard instead of showing the login form again.
Does WP Ghost modify WordPress core files?
No. All redirects are handled through URL rewrite rules and WordPress filters. No files are modified, moved, or created. Deactivating WP Ghost restores all default WordPress behavior instantly.
Related Tutorials
Complete your path-security and access control setup:
- Change and Hide the wp-admin Path – Hide the admin dashboard URL that redirects protect.
- Change and Hide the Login Path – Hide wp-login.php alongside the redirect configuration.
- Change the Logout Path – Customize the logout URL for complete login flow control.
- Brute Force Attack Protection – Add CAPTCHA and rate limiting as a second defense layer.
- Two-Factor Authentication (2FA) – Require a second factor even if someone finds the login page.
- Login Page Design Customization – Brand the login page that users see after following the custom path.
