- Why Use Both Plugins Together
- What Wordfence Provides
- What WP Ghost Provides
- Recommended Configuration
- Feature Comparison
- Frequently Asked Questions
- Will WP Ghost and Wordfence conflict with each other?
- Which plugin should handle the custom login path?
- Should I use Wordfence’s 2FA or WP Ghost’s 2FA?
- Should I use Wordfence’s firewall or WP Ghost’s 7G/8G firewall?
- Do I need Wordfence if I have WP Ghost?
- Will running both plugins slow down my site?
- Does this work with WooCommerce?
- Does WP Ghost modify WordPress core files?
- Related Tutorials
WP Ghost and Wordfence are fully compatible and complement each other well. Wordfence is one of the most popular WordPress security plugins, focused on its application-level firewall, malware scanning, and threat intelligence. WP Ghost focuses on attack surface reduction by changing WordPress paths and adding firewall rules at the rewrite layer. Running both together gives you defense in depth: WP Ghost prevents bots from finding your WordPress files in the first place, while Wordfence inspects requests that do reach your site and scans for malware. Both plugins work on all server types and integrate cleanly with SEO and cache plugins.
Why Use Both Plugins Together
Wordfence and WP Ghost approach WordPress security from different angles. Wordfence runs as an application firewall – it inspects requests with WordPress context (user identity, login state, request payload) and uses its threat intelligence database to block known malicious patterns. WP Ghost works earlier in the chain: it uses server-level rewrite rules to make WordPress paths invisible to bots before any PHP code runs. When a hacker bot scans for /wp-login.php, WP Ghost returns 404 – the bot never reaches Wordfence’s firewall. When a more sophisticated attacker finds the actual login URL, Wordfence’s firewall and malware scanner take over. Each plugin handles what the other doesn’t.
What Wordfence Provides
Wordfence is one of the most comprehensive WordPress security plugins. Its core strengths are application-level firewall and malware scanning:
- Application-level firewall – inspects requests with WordPress context (user identity, login state, request payload) using over 85% of rules that leverage user identity information.
- Malware scanner – scans WordPress files against a database of known malware signatures and reports modifications to core files.
- Login security – 2FA, login attempt limits, breached password protection.
- Live traffic monitoring – real-time visibility into site traffic and blocked attacks.
What WP Ghost Provides
WP Ghost is a hack-prevention plugin focused on attack surface reduction:
- Path security – changes wp-admin, wp-login, wp-content, plugins, themes, uploads, and other WordPress paths so bots can’t find them.
- 7G/8G Firewall – blocks malicious requests at the rewrite layer before WordPress loads.
- Security headers – HSTS, CSP, X-Frame-Options, X-XSS-Protection, and other browser-level security headers.
- SQL and script injection prevention – blocks common injection patterns at the request level.
- Country blocking – geographic access control by country.
- 2FA and Magic Links – additional authentication factors including code, email, and passkey methods.
- Brute force protection – rate limiting on login, register, lost password, and comment forms with reCAPTCHA support.
Recommended Configuration
Wordfence and WP Ghost have several overlapping features (login security, country blocking, 2FA, IP blocking). To avoid conflicts, configure each plugin to handle the features it does best.
Enable in WP Ghost:
- All path security features (login, admin, wp-content, plugins, themes, uploads, REST API).
- 7G/8G Firewall.
- Security headers (HSTS, CSP, X-Frame-Options).
- 2FA and/or Magic Link login (especially passkeys for hardware key support).
- Brute force protection on register, lost password, and comment forms (Wordfence handles login).
- Hide WordPress common paths and files (readme.html, license.txt, etc.).
Enable in Wordfence:
- Application-level firewall (the main reason to use Wordfence).
- Malware scanner (run scans on a schedule).
- Login security (failed login limits) – or move this to WP Ghost if you prefer one tool for all brute force.
Avoid duplication: Both plugins offer 2FA, country blocking, IP blocking, and login attempt limits. Pick one plugin to handle each feature – using both creates conflicts and confusing behavior. WP Ghost is recommended for path security, comprehensive brute force protection across all forms, and 2FA with passkeys. Wordfence is recommended for its application firewall and malware scanner.
Feature Comparison
Use this comparison to decide which plugin should handle each feature on your site:
| Feature Category | Wordfence | WP Ghost |
|---|---|---|
| Path Security (wp-admin, login, plugins, themes, uploads, REST API) | Login only | Yes |
| 7G and 8G Firewall | – | Yes |
| Application-Level Firewall | Yes | – |
| Security Headers (HSTS, CSP, X-Frame-Options) | Yes | Yes |
| Country Blocking | Premium | Yes |
| Two-Factor Authentication (Code, Email, Passkeys) | Code only | Yes |
| Magic Link Login & Temporary Logins | – | Yes |
| Brute Force Protection (login, register, lost password, comments) | Login only | Yes |
| reCAPTCHA (Math, V2, V3) | Yes | Yes |
| IP Blacklist / Whitelist | Yes | Yes |
| Disable XML-RPC | Yes | Yes |
| Text, URL, and CDN Mapping | – | Yes |
| Malware Scanner | Yes | – |
| Live Traffic Monitoring | Yes | – |
| Activity Log & Email Alerts | Yes | Yes |
Frequently Asked Questions
Will WP Ghost and Wordfence conflict with each other?
Not if you configure them properly. Both plugins offer some overlapping features (custom login URL, 2FA, country blocking, IP blocking, login attempt limits). To avoid conflicts, enable each feature in only one plugin. We recommend using WP Ghost for path security and comprehensive brute force protection, and Wordfence for its application firewall and malware scanner.
Which plugin should handle the custom login path?
WP Ghost. WP Ghost’s path security uses server-level rewrite rules (.htaccess on Apache, Nginx config on Nginx) which are more efficient than PHP-based path rewrites. It also covers more paths than Wordfence (Wordfence only changes wp-login, while WP Ghost covers wp-admin, lost password, register, activation, logout, AJAX, plugins, themes, uploads, and more). Disable the custom login URL feature in Wordfence if you have it enabled there, then configure it in WP Ghost.
Should I use Wordfence’s 2FA or WP Ghost’s 2FA?
WP Ghost. WP Ghost offers 2FA via code (Google Authenticator), email, and passkeys (Face ID, Touch ID, Windows Hello, hardware keys). Wordfence’s 2FA only supports authenticator codes. Use WP Ghost’s 2FA and disable Wordfence’s 2FA to avoid conflicts.
Should I use Wordfence’s firewall or WP Ghost’s 7G/8G firewall?
Use both. Wordfence’s firewall and WP Ghost’s 7G/8G firewall operate at different layers and catch different attack patterns. Wordfence runs as a PHP application firewall with WordPress context awareness. WP Ghost’s 7G/8G runs at the rewrite layer before PHP loads, blocking obvious attack patterns earlier and using fewer server resources. Together they provide complementary protection – they don’t conflict because they work at different layers.
Do I need Wordfence if I have WP Ghost?
WP Ghost focuses on prevention – blocking attacks before they reach your site. Wordfence adds reactive features like malware scanning and an application firewall with threat intelligence updates that WP Ghost doesn’t include. If you want both prevention and detection/scanning, run both plugins together. If you’re focused purely on hack prevention and don’t need malware scanning, WP Ghost alone is sufficient for most sites.
Will running both plugins slow down my site?
Wordfence is known to be heavier than other security plugins because of its application firewall and live traffic features. WP Ghost adds minimal overhead because path security uses server-level rewrite rules with no PHP cost. If performance matters, disable Wordfence’s Live Traffic feature and schedule malware scans for off-peak hours.
Does this work with WooCommerce?
Yes. WP Ghost is fully compatible with WooCommerce, and Wordfence works with WooCommerce too. Both plugins protect WooCommerce login forms and customer accounts.
Does WP Ghost modify WordPress core files?
No. WP Ghost writes rewrite rules to .htaccess (Apache) or hidemywp.conf (Nginx) and uses WordPress hooks for application-level changes. No core files are modified. Deactivating WP Ghost restores all defaults instantly.
Related Tutorials
WP Ghost compatibility with other security plugins:
- WP Ghost and Solid Security – Configuration guide for both plugins.
- WP Ghost and Shield Security – Configuration guide for both plugins.
- WP Ghost and WP Cerber – Configuration guide for both plugins.
- WP Ghost and SiteGround Security – Configuration guide for both plugins.
- WP Ghost and BBQ Firewall – Configuration guide for both plugins.
- Compatible Plugins List – All security plugins tested with WP Ghost.