WP Ghost is a hack-prevention plugin that reduces the WordPress attack surface. It’s important to understand what WP Ghost does and what falls outside its scope. WP Ghost prevents attacks by hiding WordPress paths, blocking malicious requests with firewall rules, protecting login with brute force prevention and 2FA, and enforcing security headers. It does not scan for existing malware, clean infected files, or replace the need for backups and updates.
WP Ghost focuses on preventing attacks before they happen. It changes and hides WordPress paths so bots can’t find plugins, themes, and admin files. It blocks requests that match SQL injection, script injection, and directory traversal patterns using the 7G/8G firewall rule sets. It protects login with brute-force limits, reCAPTCHA, and 2FA (including passkeys). It enforces security headers such as HSTS, CSP, and X-Frame-Options. It can block access by country and block AI crawlers. It provides security logs and email alerts for suspicious activity. All of this works proactively to stop attacks before they reach your site’s vulnerable points.
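Enforcing security headers only helps if they actually reach the browser, so after enabling them it is worth checking the live response rather than trusting the settings page. The script below is an added example and not part of WP Ghost or this page: it reads a header dump (as `curl -sI https://your-site/` prints it), reports which of the common security headers are absent, and flags an HSTS max-age below one year. The two header dumps embedded in it are constructed samples, not captures from a real site, and the list of headers it checks is this example's choice.

```shell
#!/bin/sh
# Constructed response header dumps (samples for this example, not real captures).
SAMPLE_WEAK='HTTP/2 200
content-type: text/html; charset=UTF-8
server: nginx
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
strict-transport-security: max-age=300'

SAMPLE_HARDENED='HTTP/2 200
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000; includeSubDomains
content-security-policy: default-src https:
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=()'

# Read a header dump on stdin, report each missing security header on stderr,
# and print the number missing. Header names are matched case-insensitively.
missing_security_headers() {
    dump=$(cat)
    missing=0
    for name in strict-transport-security content-security-policy \
                x-frame-options x-content-type-options \
                referrer-policy permissions-policy; do
        if ! printf '%s\n' "$dump" | grep -qi "^$name:"; then
            echo "missing: $name" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# Print the HSTS max-age in seconds from a header dump on stdin, or 0 when
# the header is absent.
hsts_max_age() {
    age=$(grep -i '^strict-transport-security:' \
          | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    echo "${age:-0}"
}

# Overall verdict for a dump on stdin: "ok" only when nothing is missing and
# the HSTS max-age is at least one year (31536000 s, the preload-list minimum).
verdict() {
    dump=$(cat)
    n=$(printf '%s\n' "$dump" | missing_security_headers 2>/dev/null)
    age=$(printf '%s\n' "$dump" | hsts_max_age)
    if [ "$n" -eq 0 ] && [ "$age" -ge 31536000 ]; then echo ok; else echo weak; fi
}

# Against a live site (not run here): curl -sI https://example.com/ | verdict
printf '%s\n' "$SAMPLE_WEAK" | verdict        # prints "weak"
printf '%s\n' "$SAMPLE_HARDENED" | verdict    # prints "ok"
```

Run it with `curl -sI` piped into `verdict` once against the site and once against an admin URL, because caches and CDNs commonly strip or add headers on some paths and not others.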
WP Ghost is designed for prevention, not post-infection cleanup. These tasks fall outside WP Ghost’s scope:
Malware scanning and removal. WP Ghost does not scan your files for existing malware or clean infected files. If your site is already compromised, you need a malware scanner (like Wordfence or Sucuri) to identify and remove the infection. WP Ghost prevents the attacks that lead to infection in the first place.
Backups. WP Ghost does not back up your files or database. Use a dedicated backup plugin (like UpdraftPlus or BlogVault) for regular backups. WP Ghost protects your site from attacks, but backups are what let you recover from everything else: failed updates, hosting issues, human error, and any compromise that prevention did not stop.
Plugin and theme updates. WP Ghost reduces the attack surface so bots can’t easily find and fingerprint vulnerable plugins, but it doesn’t patch the underlying vulnerabilities. Keeping plugins and themes updated closes the actual security holes. WP Ghost buys you time by hiding vulnerable paths, but updates fix the root cause.
Hosting-level security. Server configuration, PHP version management, MySQL hardening, and server firewall rules are managed by your hosting provider. WP Ghost works alongside hosting security, not in place of it.
By default, WP Ghost changes paths only on the frontend (what visitors and bots see). When you’re logged in as an administrator, the admin dashboard shows original WordPress paths. This is intentional for two reasons:
Compatibility. Many plugins and themes reference default WordPress paths in the admin area. Changing them can break admin-side functionality, plugin settings pages, and media uploads.
Safety. If you deactivate WP Ghost or need to troubleshoot, the admin dashboard continues to work with default paths. You won’t be locked out of your own site.
You can enable admin path changes if needed. If you want WP Ghost to change paths in the admin dashboard too, add the HMW_ALWAYS_CHANGE_PATHS constant to wp-config.php, above the "That's all, stop editing!" line so it is defined before WordPress loads plugins. See Change Paths in Admin Dashboard for details. For full admin customization, also see the Admin Mapping add-on.
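Editing wp-config.php by hand is where sites get locked out: the constant lands below the line where wp-settings.php is loaded and silently does nothing, or it gets added twice. The script below is an added example, not part of WP Ghost or this page. It inserts the constant above the "stop editing" marker, refuses to add it twice, keeps a .bak copy, and reports whether the define sits before wp-settings.php. The trimmed wp-config.php it writes is a constructed sample, and setting the constant to `true` is this example's assumption; the page names the constant but not its value, so confirm the value in Change Paths in Admin Dashboard.

```shell
#!/bin/sh
# Write a trimmed, constructed wp-config.php (sample for this example, not a
# real site's file) to the path given as $1.
make_sample_config() {
    cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'change-me' );

/* That's all, stop editing! Happy publishing. */

if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
EOF
}

# Insert define( 'HMW_ALWAYS_CHANGE_PATHS', true ); just above the "stop editing"
# marker so it is defined before wp-settings.php loads plugins. The value true is
# an assumption of this example. Idempotent: a second run changes nothing.
enable_admin_path_change() {
    cfg=$1
    if grep -q "HMW_ALWAYS_CHANGE_PATHS" "$cfg"; then
        echo "already set"
        return 0
    fi
    cp -p "$cfg" "$cfg.bak"
    awk '/stop editing/ && !done {
             print "define( '\''HMW_ALWAYS_CHANGE_PATHS'\'', true );"
             done = 1
         }
         { print }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    if ! grep -q "HMW_ALWAYS_CHANGE_PATHS" "$cfg"; then
        echo "marker not found, file unchanged" >&2
        return 1
    fi
    echo "added"
}

# Count definitions of the constant in a file (expect exactly 1 after enabling).
count_constant() { grep -c "HMW_ALWAYS_CHANGE_PATHS" "$1" || true; }

# "yes" when the constant appears before wp-settings.php is required, which is
# where WordPress loads plugins; a define placed after that line has no effect.
constant_before_settings() {
    c=$(grep -n "HMW_ALWAYS_CHANGE_PATHS" "$1" | head -n 1 | cut -d: -f1)
    s=$(grep -n "wp-settings.php" "$1" | head -n 1 | cut -d: -f1)
    if [ -n "$c" ] && [ -n "$s" ] && [ "$c" -lt "$s" ]; then echo yes; else echo no; fi
}

# Demo on a temporary copy. On a real site, run:
#   enable_admin_path_change /var/www/html/wp-config.php
demo=$(mktemp)
make_sample_config "$demo"
enable_admin_path_change "$demo"    # prints "added"
enable_admin_path_change "$demo"    # prints "already set"
constant_before_settings "$demo"    # prints "yes"
rm -f "$demo" "$demo.bak"
```

After running it on a real site, log in to the dashboard in a second browser before closing the one you are using, so you can restore wp-config.php from the .bak copy if the admin paths no longer resolve.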
It depends on what you need. WP Ghost covers hack prevention (path security, firewall, brute force, 2FA). Wordfence covers malware scanning and post-infection cleanup. They serve different purposes and are fully compatible. For comprehensive security, many users run both: WP Ghost for prevention, Wordfence for scanning.
WP Ghost is not designed for cleanup. If your site is already infected, first remove the malware using a scanner or professional cleanup service, then install WP Ghost to prevent re-infection. Installing WP Ghost on an already-compromised site doesn’t remove existing malware but does prevent additional attacks from succeeding.
Hiding paths is not a substitute for updating. WP Ghost hides vulnerable paths so bots can’t find them, but the vulnerabilities still exist in outdated code. If an attacker discovers your paths through other means (leaked information, manual research), they can still exploit unpatched vulnerabilities. Use both strategies: WP Ghost to hide the attack surface, and regular updates to fix the actual vulnerabilities.
No files are moved, renamed, or modified. WP Ghost uses server rewrite rules and WordPress hooks for all its security features, so the hidden paths are mappings to the original locations rather than relocated files. Deactivating WP Ghost restores all defaults instantly.