WP Ghost works on Nginx VPS (Virtual Private Server) environments with full root access. When you have SSH access and can edit Nginx config files directly, you add an include line pointing to WP Ghost’s hidemywp.conf file in your site’s server block. This is different from managed hosting (Kinsta, WPMUDEV, Flywheel) where you can’t edit Nginx config files. With VPS access, the setup is straightforward and gives you full control over WP Ghost’s path security features.
Nginx stores configuration files in /etc/nginx/. The main file is nginx.conf, which typically includes files from conf.d/ and sites-enabled/. Individual site configurations go in sites-available/ and are symlinked to sites-enabled/ when ready to go live. Your WordPress site has a server block in one of these files, and that’s where you add the WP Ghost include line.
The typical Nginx directory structure:
/etc/nginx/
├── nginx.conf # Main config (includes other files)
├── conf.d/ # Additional config files (*.conf)
├── sites-available/ # Site configs (create here)
├── sites-enabled/ # Active sites (symlinks to sites-available)
├── fastcgi_params
├── mime.types
└── ...The nginx.conf file typically ends with these include directives that load your site configs:
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;hidemywp.conf file in your WordPress root directory and displays the include line you need to add.SSH into your server and open your site’s Nginx server block config:
sudo nano /etc/nginx/sites-available/yoursiteAdd the include line before the location / block, inside the server { } block:
server {
listen 80;
server_name yourdomain.com;
root /var/www/yoursite;
index index.php;
# WP Ghost rewrite rules (add this line)
include /var/www/yoursite/hidemywp.conf;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}Use the exact include path from WP Ghost’s notification. The path depends on your WordPress installation directory. The example above uses /var/www/yoursite/, but your path may be /var/www/html/, /home/user/public_html/, or another location. Always copy the include line directly from WP Ghost’s notification.
Placement matters. The include line must be placed before the location / block. Nginx processes location blocks in a specific order, and WP Ghost’s rewrite rules need to be evaluated before the WordPress try_files rule catches the request.
sudo nginx -tsyntax is ok and test is successful, reload Nginx:sudo nginx -s reloadUse reload, not restart. Reloading applies the new config without dropping active connections. Restarting terminates all connections and starts fresh, which causes brief downtime. Always use nginx -s reload in production.
The hidemywp.conf file may not exist at the specified path. Verify with ls -la /var/www/yoursite/hidemywp.conf. If it doesn’t exist, re-save WP Ghost settings to regenerate it. Also ensure the include line is inside the server { } block, not outside it.
The include line may be placed after the location / block. Move it before location / so WP Ghost’s rewrite rules are evaluated first. Reload Nginx after moving it.
The Nginx worker process runs as the www-data user (or nginx on some distributions). Ensure the hidemywp.conf file is readable by Nginx: sudo chown www-data:www-data /var/www/yoursite/hidemywp.conf and sudo chmod 644 /var/www/yoursite/hidemywp.conf.
Yes, this is expected. Nginx loads its config at startup and keeps it in memory. Any changes to hidemywp.conf (which WP Ghost updates when you save) require a reload: sudo nginx -s reload. This is different from Apache, which re-reads .htaccess on every request.
SSH into your server and either remove the include line from the server block and reload Nginx, or use the Safe URL parameter to bypass WP Ghost temporarily. See the Emergency Disable guide for additional recovery methods.
Yes, whenever you change path settings. WP Ghost updates the hidemywp.conf file automatically, but Nginx doesn’t detect file changes until it’s reloaded. Run sudo nginx -s reload after any path change. Non-path settings (firewall, brute force, 2FA) don’t require a Nginx reload.
The Custom Nginx Config File guide covers the same core process but is written for managed Nginx hosting where you may have limited access. This VPS guide includes more Nginx configuration context (directory structure, server blocks, includes) for users who manage their own server and may be less familiar with Nginx conventions.
If you’re on managed hosting without Nginx config access (Kinsta, WPMUDEV, Flywheel), see Use WP Ghost on Nginx Without Config Changes for features that work without server config modifications, or contact your hosting support to add the include.
No. WP Ghost generates a separate hidemywp.conf file and uses WordPress hooks for application-level changes. No core files are modified. Deactivating WP Ghost restores all defaults instantly.
Nginx and server configuration:
Replace the default wp_ database prefix with a random one to protect against SQL injection…
Change the WordPress uploads directory path with WP Ghost (rewrite rules, no files moved) or…
Configure WP Ghost with WP Rocket cache. Enable file optimization, Change Paths in Cache Files.…
https://youtu.be/6ylhojSi-_E In this video, we’ll explore why website security matters and what can happen if…
The security of your WordPress site depends on multiple factors, such as the strength of…
Step-by-step guides to connect WP Ghost 2FA with Google Authenticator, Authy, Microsoft Authenticator, or LastPass.…
No puedo entrar a mi sitio, ya probé de todas las formas, no funciona el enlace que me pasaron.
I see that you have wordpress.com. Try connecting with /login path.
Hide My WP doesn't work well with wordpress.com because Jetpack plugin doesn't let you change the wp-admin and wp-login paths.