- Why Use Both Plugins Together
- What Solid Security Provides
- What WP Ghost Provides
- Recommended Configuration
- Feature Comparison
- Frequently Asked Questions
- Will WP Ghost and Solid Security conflict with each other?
- Which plugin should handle the custom login path?
- Should I use Solid Security’s 2FA or WP Ghost’s 2FA?
- What about WordPress hardening? Both plugins do this.
- Is this the same plugin as iThemes Security?
- Does this work with WooCommerce?
- Does WP Ghost modify WordPress core files?
- Related Tutorials
WP Ghost and Solid Security (formerly iThemes Security) are fully compatible and complement each other well. Solid Security is a well-established WordPress security plugin focused on site hardening, login protection, malware scanning (Pro), and a guided onboarding experience. WP Ghost focuses on attack surface reduction by changing WordPress paths and adding firewall rules at the rewrite layer. Running both together gives you defense in depth: WP Ghost prevents bots from finding your WordPress files in the first place, while Solid Security handles site hardening, user-level security policies, and malware detection. Both plugins work on all server types and integrate cleanly with SEO and cache plugins.
Why Use Both Plugins Together
Solid Security and WP Ghost approach WordPress security from different angles. Solid Security focuses on hardening WordPress settings, enforcing user security policies (password requirements, 2FA enforcement), and monitoring for file changes and malware (Pro). WP Ghost works at a different level: it uses server-level rewrite rules to make WordPress paths invisible to bots before any PHP code runs. When a hacker bot scans for /wp-login.php, WP Ghost returns 404 – the bot never reaches Solid Security’s login protection. When a more sophisticated attacker bypasses path security, Solid Security’s site hardening and monitoring features take over. Each plugin handles what the other doesn’t.
What Solid Security Provides
Solid Security (formerly iThemes Security) is a well-established WordPress security plugin. Its core strengths are site hardening and a guided setup experience:
- Guided onboarding – setup wizard that configures security in under 10 minutes without requiring expertise.
- Login security – custom login URL, login attempt limits, and lockout configuration.
- WordPress hardening – database prefix changes, file permission checks, disable file editor, force SSL, and more.
- Password policies – enforce strong passwords and password expiration per user role.
- File change detection – monitors core files for unexpected changes.
- Malware scanning – scans for known malware signatures (Pro feature via SolidWP integration).
- Version management – auto-update plugins and themes based on vulnerability status (Pro).
What WP Ghost Provides
WP Ghost is a hack-prevention plugin focused on attack surface reduction:
- Path security – changes wp-admin, wp-login, wp-content, plugins, themes, uploads, and other WordPress paths so bots can’t find them.
- 7G/8G Firewall – blocks malicious requests at the rewrite layer before WordPress loads.
- Security headers – HSTS, CSP, X-Frame-Options, X-XSS-Protection, and other browser-level security headers.
- SQL and script injection prevention – blocks common injection patterns at the request level.
- Country blocking – geographic access control by country.
- 2FA and Magic Links – additional authentication factors including code, email, and passkey methods.
- Brute force protection – rate limiting on login, register, lost password, and comment forms with reCAPTCHA support.
Recommended Configuration
Solid Security and WP Ghost overlap on some features (custom login URL, brute force protection, IP blocking, reCAPTCHA). Configure each plugin to handle the features it does best.
Enable in WP Ghost:
- All path security features (login, admin, wp-content, plugins, themes, uploads, REST API).
- 7G/8G Firewall.
- Security headers (HSTS, CSP, X-Frame-Options).
- Country blocking (if needed).
- 2FA with passkeys (more authentication methods than Solid Security).
- Brute force protection on register, lost password, and comment forms.
- Hide WordPress common paths and files (readme.html, license.txt, etc.).
Enable in Solid Security:
- WordPress hardening settings (database prefix, file permissions, disable editor).
- Password policies (strong password enforcement, expiration).
- File change detection.
- Malware scanning (Pro – if available).
- Version management and auto-updates (Pro).
Avoid duplication: Both plugins offer a custom login URL, login attempt limits, and IP blocking. Pick one plugin to handle each feature – using both creates conflicts. WP Ghost is recommended for path security and primary brute force protection (it covers more forms and paths). Solid Security is recommended for WordPress hardening, password policies, and file change detection.
Feature Comparison
Use this comparison to decide which plugin should handle each feature on your site:
| Feature Category | Solid Security | WP Ghost |
|---|---|---|
| Path Security (wp-admin, login, plugins, themes, uploads, REST API) | Login only | Yes |
| 7G and 8G Firewall | – | Yes |
| Security Headers (HSTS, CSP, X-Frame-Options) | – | Yes |
| Country Blocking | – | Yes |
| Two-Factor Authentication (Code, Email, Passkeys) | – | Yes |
| Magic Link Login & Temporary Logins | – | Yes |
| Brute Force Protection (login, register, lost password, comments) | Login only | Yes |
| reCAPTCHA (Math, V2, V3) | Yes | Yes |
| IP Blacklist / Whitelist | Yes | Yes |
| Text, URL, and CDN Mapping | – | Yes |
| WordPress Hardening (DB prefix, file editor, file permissions) | Yes | Partial |
| Password Policies & Expiration | Yes | – |
| File Change Detection | Yes | – |
| Malware Scanner | Pro | – |
| Version Management & Auto-Updates | Pro | – |
| Activity Log & Email Alerts | Yes | Yes |
Frequently Asked Questions
Will WP Ghost and Solid Security conflict with each other?
Not if you configure them properly. Both plugins offer some overlapping features (custom login URL, brute force protection, IP blocking, reCAPTCHA). To avoid conflicts, enable each feature in only one plugin. We recommend using WP Ghost for path security and comprehensive brute force protection, and Solid Security for WordPress hardening, password policies, and file monitoring.
Which plugin should handle the custom login path?
WP Ghost. WP Ghost’s path security uses server-level rewrite rules (.htaccess on Apache, Nginx config on Nginx) which are more efficient than PHP-based path rewrites. It also covers more paths than Solid Security (Solid Security only changes wp-login, while WP Ghost covers wp-admin, lost password, register, activation, logout, AJAX, plugins, themes, uploads, and more). Disable the “Hide Backend” feature in Solid Security if you have it enabled, then configure your login path in WP Ghost.
Should I use Solid Security’s 2FA or WP Ghost’s 2FA?
WP Ghost. WP Ghost offers 2FA via code (Google Authenticator), email, and passkeys (Face ID, Touch ID, Windows Hello, hardware keys). Solid Security doesn’t include 2FA in its free version. Use WP Ghost’s 2FA and disable any authentication features in Solid Security to avoid conflicts.
What about WordPress hardening? Both plugins do this.
Solid Security’s hardening and WP Ghost’s hardening overlap partially. Solid Security offers database prefix changes, file permission fixes, and disable file editor. WP Ghost offers file permission fixes, SALT regeneration, and disabling debug/editor features. Use the hardening features in whichever plugin you prefer, and avoid enabling the same hardening step in both. A good split: use Solid Security for database prefix and password policies, use WP Ghost for file permissions and path security.
Is this the same plugin as iThemes Security?
Yes. iThemes Security was renamed to Solid Security in November 2023 when it became part of the SolidWP brand. The plugin functionality is the same. WP Ghost has been tested and compatible with both the old iThemes Security branding and the current Solid Security branding.
Does this work with WooCommerce?
Yes. WP Ghost is fully compatible with WooCommerce, and Solid Security works with WooCommerce too. Both plugins protect WooCommerce login forms and customer accounts.
Does WP Ghost modify WordPress core files?
No. WP Ghost writes rewrite rules to .htaccess (Apache) or hidemywp.conf (Nginx) and uses WordPress hooks for application-level changes. No core files are modified. Deactivating WP Ghost restores all defaults instantly.
Related Tutorials
WP Ghost compatibility with other security plugins:
- WP Ghost and Wordfence – Configuration guide for both plugins.
- WP Ghost and Shield Security – Configuration guide for both plugins.
- WP Ghost and WP Cerber – Configuration guide for both plugins.
- WP Ghost and SiteGround Security – Configuration guide for both plugins.
- Compatible Plugins List – All security plugins tested with WP Ghost.