WP Ghost Constants in wp-config.php

WP Ghost supports advanced configuration through constants in wp-config.php. These constants let you control plugin behavior at the server level, bypassing the admin interface. They’re useful for locked-down environments, white-labeled deployments, multisite setups, or situations where you want settings that persist regardless of what happens in the WordPress dashboard.

How to Add Constants

Add any of the constants below to your wp-config.php file before the /* That's all, stop editing! Happy publishing. */ comment. Access the file via FTP, cPanel File Manager, or SSH.

HMW_PRIORITY: Force Plugin Priority Loading

define( 'HMW_PRIORITY', true );

Forces WP Ghost to load immediately after WordPress initializes, before other plugins. Use this if you experience compatibility issues with plugins that load before WP Ghost and interfere with its security features.

UI equivalent: WP Ghost > Advanced > Compatibility > Plugin Loading Hook > Priority Loading

HMW_RULES_IN_WP_RULES: Add Rewrites in WordPress Rules

define( 'HMW_RULES_IN_WP_RULES', true );

Adds WP Ghost rewrite rules inside the WordPress rewrite rules section in .htaccess instead of adding them as separate rules. Use this when your server blocks the addition of custom rules outside the WordPress section in .htaccess, or as a fallback mechanism.

UI equivalent: WP Ghost > Advanced > Compatibility > Add Rewrites in WordPress Rules Section

HMW_DYNAMIC_FILES: Dynamic Loading of CSS and JS

define( 'HMW_DYNAMIC_FILES', true );

Forces WP Ghost to dynamically load CSS and JS files, including cached files, so that paths are secured even in cached or minified content. Use this when caching plugins or CDN services expose original WordPress paths in cached files.

UI equivalent: WP Ghost > Mapping > Text Mapping > Text Mapping in CSS and JS files including cached files

HMW_ALWAYS_CHANGE_PATHS: Rename Paths in Admin

define( 'HMW_ALWAYS_CHANGE_PATHS', true );

Forces WP Ghost to apply path changes inside the WordPress admin dashboard too, not just on the frontend. By default, WP Ghost only changes paths on the frontend to avoid admin issues. Enable this for enhanced privacy where even logged-in admin users see customized paths.

For full admin dashboard customization (parameter names, values, and text), also see the Admin Mapping add-on.

HMW_HIDE_OLD_IMAGES: Hide Old Image Paths

define( 'HMW_HIDE_OLD_IMAGES', true );

Blocks access to old image paths after WP Ghost changes the uploads path. Returns a 404 error for common image formats (jpeg, jpg, gif, png, webp, tiff, bmp) accessed through the original path. Useful after migration or path restructuring to prevent bots from accessing old URLs.

After adding this constant, go to WP Ghost > Change Paths > WP Core Security > Hide WordPress Common Paths and select IMAGE Files.

For the full guide, see Hide the Old Image Paths.

HMWP_LOGGED_IN_COOKIE: Custom Login Cookie

define( 'HMWP_LOGGED_IN_COOKIE', 'hmwp_logged_in_' );

Sets a custom cookie name for logged-in users. This works with custom admin paths to ensure authentication sessions remain valid when the admin path is changed. It also prevents WordPress-specific cookie names from being visible in browser developer tools.

HMW_FILE_PERMISSION / HMW_DIR_PERMISSION / HMW_CONFIG_PERMISSION

define( 'HMW_FILE_PERMISSION', 0644 );
define( 'HMW_DIR_PERMISSION', 0755 );
define( 'HMW_CONFIG_PERMISSION', 0444 );

Customizes the file, directory, and configuration file permissions that WP Ghost applies when you use the Security Check > Fix Permissions feature. The default values are 0644 for files, 0755 for directories, and 0444 for configuration files (wp-config.php). Use stricter permissions in shared hosting environments or high-security deployments.

WP_AUTO_UPDATE_HMWP: Stop Automatic Update Checks

define( 'WP_AUTO_UPDATE_HMWP', false );

Prevents WP Ghost from automatically checking for updates. You can still check for updates manually from Plugins > Installed Plugins > Check for Updates. Use this on staging environments, locked-down production sites, or servers with restricted outbound requests.

For the full guide, see Stop Plugin Auto Update Check.

Constants override admin settings. When a constant is defined in wp-config.php, it takes precedence over the corresponding setting in the WP Ghost admin interface. If you set a constant and then try to change the same setting in the UI, the constant value wins. To restore UI control, remove the constant from wp-config.php.

Frequently Asked Questions

When should I use constants instead of the admin UI?

Use constants when you want settings that can’t be changed from the WordPress dashboard (locked-down deployments), when deploying the same settings across multiple sites (white label), when you need settings to persist through plugin resets, or when the admin UI is inaccessible.

Can I use multiple constants at the same time?

Yes. Add as many constants as you need to wp-config.php. Each constant controls an independent feature and they don’t conflict with each other.

How do I remove a constant?

Delete or comment out the define() line in wp-config.php. The corresponding setting reverts to whatever is configured in the WP Ghost admin interface.

Does WP Ghost modify WordPress core files?

No. These constants are added to wp-config.php, which is your site’s configuration file, not a WordPress core file. WP Ghost itself doesn’t modify any core files.

Related Tutorials

Advanced WP Ghost configuration:

• Stop Plugin Auto Update Check – Full guide on the WP_AUTO_UPDATE_HMWP constant.
• Admin Mapping Add-on – Advanced admin dashboard customization.
• Hide Old Image Paths – Full guide on blocking access to old uploads paths.
• Emergency Disable – Other wp-config.php methods for disabling WP Ghost.
• White Label – Deploy pre-configured settings across client sites.