WP Ghost offers advanced configuration options through constants that can be added to the wp-config.php file. These constants allow you to fine-tune the plugin’s behavior without using the admin interface.
Below is a detailed tutorial on each constant and how to configure them.
Force Plugin Priority Loading
define( 'HMW_PRIORITY', true );
Forces the plugin to load immediately after WordPress initializes, ensuring that it executes its security measures as early as possible.
Equivalent: WP Ghost > Advanced > Compatibility > Plugin Loading Hook > Priority Loading
Enable this option if you experience compatibility issues with other plugins that might load before WP Ghost. It ensures that WP Ghost has priority, minimizing conflicts and enforcing security features early in the WordPress initialization process.
Add Rewrites in WordPress Rules
define( 'HMW_RULES_IN_WP_RULES', true );
Adds WP Ghost rules directly into WordPress rewrite rules defined in the .htaccess file. This integration provides a fallback mechanism for applying plugin rules within WordPress itself rather than relying solely on external .htaccess configurations.
Equivalent: WP Ghost > Advanced > Compatibility > Add Rewrites in WordPress Rules Section
Use this setting when external factors (e.g., server configurations) block the addition of custom rules in .htaccess. It ensures that rewrite rules are always applied, even if the server prevents direct modification of .htaccess files.
Enable Dynamic Loading of CSS and JS
define( 'HMW_DYNAMIC_FILES', true );
Forces the plugin to dynamically load CSS and JS files, including cached files, ensuring paths are obfuscated and protected from direct access.
Equivalent: WP Ghost > Mapping > Text Mapping > Text Mapping in CSS and JS files including cached files
Use this option to prevent caching plugins or CDN services from exposing sensitive paths. It is particularly helpful when cached or minified files reveal original paths that could be exploited, offering an extra layer of protection for resources.
Rename Paths in Admin Mode
define( 'HMW_ALWAYS_CHANGE_PATHS', true );
Forces WP Ghost to rename paths even within the WordPress admin area, hiding URL parameters, file paths, and sensitive text.
Also Use: https://wpghost.com/kb/wp-ghost-admin-mapping/
This option is useful for users who want enhanced privacy and path masking even for logged-in admin users. It ensures that paths remain obfuscated regardless of whether the user is browsing the frontend or working in the backend dashboard, improving overall security.
Hide Old Image Paths
define( 'HMW_HIDE_OLD_IMAGES', true );
Blocks access to old image paths after paths have been changed. Returns a 404 error for image formats like jpeg, jpg, tiff, gif, bmp, png, and webp to prevent exposure.
After adding the option in the config file, Go to WP Ghost > Change Paths > WP Core Security > Hide WordPress Common Paths and select the extension IMAGE Files.
Read Also: https://wpghost.com/kb/hide-the-old-image-paths-with-wp-ghost/
This prevents the exposure of old URLs to protect against direct access or brute-force attempts targeting old image paths. It is especially useful after migrating or restructuring a site to block old references that attackers might use.
Custom Cookie for Logged-In Users
define( 'HMWP_LOGGED_IN_COOKIE', 'hmwp_logged_in_' );
Sets a custom cookie for logged-in users to work with custom admin path, improving compatibility with login sessions and security measures.
Enhances security for dynamic path disabling when logged-in users access the admin dashboard. This ensures seamless authentication while maintaining hidden paths, making it harder for attackers to guess login URLs.
Customize File and Directory Permissions
define( 'HMW_FILE_PERMISSION', 0644 );
define( 'HMW_DIR_PERMISSION', 0755 );
define( 'HMW_CONFIG_PERMISSION', 0444 );
Configures permissions for files, directories, and configuration files when using the Security Check > Fix Permissions feature. Setting strict permissions ensures files and folders are only accessible where necessary.
Default Values:
- File Permissions:
0644 - Directory Permissions:
0755 - Config Permissions:
0444
Enforce stricter permissions to enhance security, especially in shared hosting environments or high-security websites. Restricting permissions reduces the risk of unauthorized modifications or access by malicious scripts.
Stop Checking For Updates
define('WP_AUTO_UPDATE_HMWP', false);To prevent the WP Ghost plugin from automatically checking for updates, add the following line to your wp-config.php file:
This setting disables the plugin’s automatic update checks. If you need to update WP Ghost manually, navigate to the plugin list in your WordPress dashboard and click the Check for Updates link next to the plugin.