WP Ghost (short for Hide My WP Ghost) is a comprehensive hack-prevention security solution for WordPress websites. It adds multiple layers of security to block hacker bots and prevent unauthorized access.
It works by changing and hiding common vulnerabilities, making it difficult for bots and hackers to exploit weak points in plugins, themes, and the WordPress core itself.
What is Hack Prevention?
Hack prevention is the proactive approach to securing a website against unauthorized access, data breaches, and malware infections.
It involves implementing multiple layers of security measures to block common attack vectors such as:
Brute Force Attacks
SQL Injection Attacks
Script Injection Attacks
Malware Injection
XML-RPC attacks
File Inclusion Exploits
Vulnerability Exploits
Directory Traversal Attacks
Default WP Paths Exploits
Cross-Site Scripting (XSS)
Throttling of Access Attempts to Entry Points
Signup and Comment Spam
and more
Hack prevention minimizes vulnerabilities, strengthens login protections, and reduces visibility to potential attackers, ensuring a secure and resilient WordPress site.
Key Security Features
Path Security: WP Ghost changes and hides critical paths (such as common paths, plugin paths, theme paths, and login URLs), preventing bots from exploiting well-known WordPress entry points.
8G Firewall Protection: Blocks harmful traffic before it reaches your site by filtering malicious IPs, bad bots, and common attack patterns at the server edge.
Header Security: Enforces secure HTTP headers to protect against attacks such as clickjacking, MIME sniffing, and cross-site scripting (XSS).
Anti-Spam Blocking: Filters and blocks bad bots, eliminating spam and preventing unnecessary crawling. This saves bandwidth, reduces server load, and improves overall site performance.
Brute Force Protection: Limits login attempts and blocks suspicious IPs to prevent brute-force attacks and credential-stuffing attempts.
Two-Factor Authentication (2FA): Adds an extra verification layer to user logins, protecting accounts even if passwords are compromised.
Passkey Authentication (Passwordless 2FA): Enables secure, passwordless login using device-based passkeys such as Face ID, Touch ID, Windows Hello, or hardware security keys. Passkeys eliminate phishing risks, prevent credential theft, and provide stronger authentication than traditional passwords or one-time codes.
Security Threats Log: Provides a detailed log of blocked and attempted attacks, including brute-force attempts, bot scans, firewall blocks, and suspicious behavior. This gives site owners visibility into real attack activity and helps validate the effectiveness of WP Ghost’s hack prevention mechanisms.
Country Blocking: Allows blocking access from specific countries to reduce exposure to high-risk regions and targeted attack traffic.
In addition to these core features, WP Ghost monitors for vulnerabilities and sends email alerts for failed attempts or risky actions, providing users with a proactive, easy-to-manage security solution. It’s designed to work with popular plugins and themes without disrupting your site, delivering an effective shield against common WordPress threats.
Security Features
Change Paths
Change wp-admin path
Change wp-login.php path
Change lost password path
Change register path
Change logout path
Change activation path
Change admin-ajax.php path
Change wp-comments-post.php path
Change wp-includes path
Change wp-content/uploads path
Change comments path
Change author path
Change wp-content/plugins path
Change plugins name (customize each plugin name)
Change wp-content/themes path
Change themes name (customize each theme name)
Custom theme style.css name
Change REST API wp-json path
Path Security
Hide wp-admin path and show 404 error or a custom page
Hide wp-admin path for non-admin users
Hide wp-login.php and show 404 error or a custom page
Hide wp-login path and show 404 error or a custom page
Hide login path and show 404 error or a custom page
Hide admin-ajax path
Hide wp-admin from admin-ajax.php path
Hide wp-content path
Hide wp-includes path
Hide wp-content/uploads path and sub paths
Hide wp-comments-post.php
Hide author path
Hide author ID access
Hide wp-content/plugins path and sub paths
Hide wp-content/themes path and sub paths
Hide REST API wp-json path
Hide rest_route parameter
Hide wp-config.php & wp-config-sample.php
Hide wp-load.php
Hide wp-settings.php
Hide wp-blog-header.php
Hide bb-config.php
Hide install.php
Hide license.txt, readme.txt & readme.html
Hide php.ini, error-log & debug.log
Hide WordPress Common Paths by Extension
Hide Admin Toolbar based on user role
Hide style IDs and META IDs
Hide WordPress HTML comments
Hide Version and WordPress Tags
Hide DNS Prefetch WordPress link
Hide WordPress Generator Meta
Hide RSD (Really Simple Discovery) header
Hide Emoticons if you don’t use them
Disable Options
Disable REST API access
Disable XML-RPC access
Disable Embed scripts
Disable DB-Debug in Frontend
Disable WLW Manifest scripts
Disable Select All – Ctrl+A (Windows and Linux), ⌘+A (macOS)
Disable Copy – Ctrl+C (Windows and Linux), ⌘+C (macOS)
Disable Cut – Ctrl+X (Windows and Linux), ⌘+X (macOS)
Disable Paste – Ctrl+V (Windows and Linux), ⌘+V (macOS)
Disable Save – Ctrl+S (Windows and Linux), ⌘+S (macOS)
Disable View Source – Ctrl+U (Windows and Linux), ⌘+U (macOS)
Disable Right Click
Disable Drag-Drop
Disable Image Dragging by Mouse
Disable Text Selection
Disable Directory Browsing
Redirects
Custom login redirects based on user role
Custom logout redirects based on user role
Custom redirects for hidden paths
Automatically redirect logged users to dashboard
Mapping & Changing
Change class names & IDs using Text Mapping
Change URLs using URL Mapping
Change CDN domains using CDN Mapping
Change URLs from Relative to Absolute
Change paths in Ajax calls
Change paths for Logged Users
Change paths in Cache Files
Change paths in the Feed link
Change paths in the Sitemap XML
Change paths in the Robots.txt
Firewall
7G Firewall Security Filter
8G Firewall Security Filter
Firewall against Script Injections and SQL Injection
Two-Factor Authentication by Code (2FA)
Two-Factor Authentication by Email (2FA)
Two-Factor Authentication by Passkey (2FA)
Security Headers against XSS & Code Injections
Security Header Strict-Transport-Security
Security Header Content-Security-Policy
Security Header X-XSS-Protection
Security Header X-Content-Type-Options
Security Header X-Frame-Options
Block by IP Addresses
Block by User Agents
Block by Referrers
Block by Hostnames
Hide Website from Theme Detectors
Security Threats Filters
Brute Force Protection
Brute Force Protection with Math reCaptcha
Brute Force Protection with Google reCaptcha V2
Brute Force Protection with Google reCaptcha V3
Brute Force Protection on Login
Brute Force Protection on Password Lost
Brute Force Protection on Signup
Brute Force Protection on Comment
Brute Force Protection on WooCommerce Login
Brute Force Protection shortcode
Custom attempts, timeout, message
Manage Blacklist and Whitelist IPs
Geo Security
Country Blocking
Path based country blocking
Security Check & Fix
Files & Folders Permission Fix
Database ‘wp’ Prefix Fix
Weak username login Fix
SALT keys Fix
WordPress debugging Fix
Script debugging Fix
Plugin editing Fix
Extra Features
Magic Link Login Without Password
Temporary Logins Without Password
Fix relative URLs
Backup and Restore settings
Change classes on source code using Text Mapping
Change URLs on source code using URL Mapping
Cache CSS, JS, and Images to optimize the loading speed
Load Security Presets for quick configuration
Weekly security checks and reports
Events/Actions Monitoring (Cloud Support)
Security Threats Monitoring
Brute Force Monitoring
Hide My WP Premium Feature
Free & Pro Features
While WP Ghost’s free version offers robust protection, the premium version provides additional advanced features for enhanced security, such as:
Security Threats Log (Advanced Hack Prevention): Provides an extended and detailed security threats log, showing blocked attacks, exploit attempts, bot scans, and suspicious behavior. This advanced logging helps validate protection efficiency, analyze attack patterns, and proactively harden your site against future threats.
Extended Hiding Options: Pro users have the option to hide additional WordPress elements, such as wp-content, wp-includes, wp-content/uploads, and other identifiable WordPress paths and files, providing an even higher level of protection.
Country Blocking: Allows you to restrict access to your WordPress site based on geographic location, blocking traffic from specific countries to reduce hacking attempts, spam, and malicious activities while improving security and performance.
User Events Log: Tracks and records security-related activities on your WordPress site, including login attempts, plugin installation and removal, brute force attacks, blocked requests, and other suspicious actions, providing detailed logs to monitor activity and quickly detect potential threats.
Priority Support: With the Pro version, users get access to priority support, ensuring timely assistance for any issues or questions that arise during use.
Why Choose WP Ghost?
WP Ghost is designed for simplicity and security, making it an attractive choice for website owners, bloggers, e-commerce store owners, and enterprise-level administrators.
Here are some reasons why WP Ghost is the ideal WordPress security solution:
Ease of Use: WP Ghost’s intuitive interface and setup wizard mean that even beginners can enhance their website security without feeling overwhelmed. The plugin’s preconfigured settings ensure that users can start with secure defaults and gradually explore more advanced options as they gain confidence.
Fast & Robust: WP Ghost is engineered to provide powerful security features without compromising site performance. By avoiding direct alterations to WordPress core files, it remains lightweight and compatible with core updates, ensuring that your site stays secure without unnecessary slowdowns.
Update and Support: WP Ghost is actively maintained and updated, with regular updates that address emerging security threats and improve functionality. The plugin’s support team is available to assist with any questions or issues, ensuring a smooth and effective security experience.