WP Ghost on WPMUDEV Hosting Setup

WP Ghost works on WPMUDEV managed hosting, but with an important caveat. WPMUDEV hosting uses Nginx and doesn’t provide direct access to the Nginx config files. Full path security requires contacting WPMUDEV support to add the WP Ghost config include, but user feedback indicates that WPMUDEV support may not always be willing or able to make these changes. The recommended approach is to use WP Ghost’s features that work without server config changes (custom login path, brute force protection, firewall, 2FA, security headers). This guide covers both options.

Important: Based on feedback from WP Ghost users, configuring Nginx with WPMUDEV support has been challenging for some users. WPMUDEV support may decline or be slow to add custom Nginx includes. We recommend Option A (using WP Ghost without config changes) as the most reliable approach on WPMUDEV hosting. Option B (contacting support) is available but results may vary.

Why WPMUDEV Requires Support Assistance

WPMUDEV hosting uses Nginx and doesn’t provide .htaccess support or direct access to Nginx configuration files. WP Ghost generates a hidemywp.conf file containing rewrite rules, but only the WPMUDEV hosting team can include this file in the Nginx config and restart the server. This dependency on support creates a workflow that some users find difficult. Option A avoids this dependency entirely by using only WP Ghost features that operate at the PHP/WordPress level.

Option A: Use WP Ghost Without Config Changes (Recommended)

This is the recommended approach for WPMUDEV hosting. Use WP Ghost’s security features that work without any Nginx config changes. These features operate through WordPress hooks and PHP at the application level.

Features that work without Nginx config changes:

  • Custom login path (hide wp-login.php).
  • Brute force protection with reCAPTCHA on login, register, lost password, and comment forms.
  • 7G/8G Firewall.
  • 2FA with passkeys (Face ID, Touch ID, Windows Hello).
  • Security headers (HSTS, CSP, X-Frame-Options).
  • Hide WordPress version, generator meta, and common files.
  • Country blocking.

For the complete no-config setup guide, see Use WP Ghost on Nginx Without Config Changes. That guide includes the Minimal (No Config Rewrites) preset that configures all available features automatically.

What you don’t get without config changes: Full path security for wp-content, plugins, themes, uploads, wp-includes, and REST API. These features require Nginx rewrite rules that only WPMUDEV support can add. Custom login paths and version hiding still work because they operate at the PHP level.
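To see on your own site which fingerprints remain under Option A, the added Python example below (not WP Ghost's code) audits rendered HTML for default WordPress markers and groups them by the option this page says hides them. The sample markup, the `/my-login` path and the check names are constructed assumptions.

```python
import re

# Default WordPress fingerprints, grouped by the option this page says hides them:
#   "A" = PHP/WordPress-level features (no Nginx changes)
#   "B" = path rewriting that needs hidemywp.conf included in Nginx
CHECKS = [
    ("generator meta", "A", r'<meta[^>]+name=["\']generator["\'][^>]+WordPress'),
    ("wp-login.php",   "A", r'/wp-login\.php'),
    ("plugins path",   "B", r'/wp-content/plugins/'),
    ("themes path",    "B", r'/wp-content/themes/'),
    ("uploads path",   "B", r'/wp-content/uploads/'),
    ("wp-includes",    "B", r'/wp-includes/'),
    ("REST API",       "B", r'/wp-json/'),
]

def audit(html):
    """Return {"A": [...], "B": [...]} listing fingerprints still visible."""
    found = {"A": [], "B": []}
    for name, option, pattern in CHECKS:
        if re.search(pattern, html, re.IGNORECASE):
            found[option].append(name)
    return found

# Constructed sample: default WordPress markup, nothing hidden.
DEFAULT_HTML = """
<meta name="generator" content="WordPress 6.0" />
<link rel="stylesheet" href="/wp-content/themes/example/style.css" />
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<link rel="https://api.w.org/" href="https://example.test/wp-json/" />
<img src="/wp-content/uploads/2024/01/logo.png" />
<script src="/wp-content/plugins/example-plugin/app.js"></script>
<a href="/wp-login.php">Log in</a>
"""

# Constructed sample: Option A applied (generator removed, login path changed),
# but default asset paths remain because no Nginx rewrite rules are loaded.
OPTION_A_HTML = """
<link rel="stylesheet" href="/wp-content/themes/example/style.css" />
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<img src="/wp-content/uploads/2024/01/logo.png" />
<a href="/my-login">Log in</a>
"""

if __name__ == "__main__":
    for label, html in (("default", DEFAULT_HTML), ("option A", OPTION_A_HTML)):
        print(label, audit(html))
```

Anything reported under "A" points to a WP Ghost setting that is not active yet; anything under "B" is expected until the Nginx include is in place.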

Option B: Full Setup via WPMUDEV Support

If WPMUDEV support is willing to add the Nginx config include, follow these steps for full path security.

Step 1: Configure and Save WP Ghost

  1. Go to WP Ghost > Change Paths > Level of Security.
  2. Select Safe Mode or Ghost Mode and customize paths.
  3. Click Save. WP Ghost generates the hidemywp.conf file.

Step 2: Download the Config File and Contact Support

  1. Go to your website root directory using File Manager.
  2. Download the hidemywp.conf file.
  3. Open a support ticket with WPMUDEV support.
  4. Send them the hidemywp.conf file and ask them to include it in your site’s Nginx configuration and restart the server.

Step 3: Backup, Deactivate, Wait, Restore

  1. Back up your WP Ghost settings at WP Ghost > Backup / Restore.
  2. Deactivate WP Ghost until WPMUDEV support confirms the rules are added.
  3. Wait for WPMUDEV support to reply that the config has been added and the server restarted.
  4. Re-activate WP Ghost and restore your saved settings from WP Ghost > Backup / Restore.
  5. Run the Frontend Login Test and confirm everything works.

Troubleshooting

WPMUDEV support declines to add the config

This has been reported by multiple users. If WPMUDEV support can’t or won’t add the Nginx include, use Option A instead. The Minimal preset provides custom login paths, brute force protection, firewall, 2FA, and security headers without any server config changes. See Use WP Ghost on Nginx Without Config Changes.

Custom paths return 404 after WPMUDEV added the rules

The hidemywp.conf file may have been regenerated, or the WP Ghost settings may need to be restored. Re-activate WP Ghost, restore your backup from WP Ghost > Backup / Restore, and re-save. If the issue persists, download the current hidemywp.conf and send it to WPMUDEV support again.

Locked out after configuration

Use the Safe URL parameter to bypass WP Ghost temporarily. If that doesn’t work, see the Emergency Disable guide to deactivate via SFTP.

Frequently Asked Questions

Which option should I choose?

Option A is recommended for WPMUDEV hosting. It doesn’t require support interaction and provides immediate security improvements (custom login, brute force, firewall, 2FA, headers). Option B adds full path security but depends on WPMUDEV support being willing and available to modify the Nginx config.

Is WP Ghost still effective without full path rewriting?

Yes. Custom login paths, brute force protection, firewall, 2FA, security headers, and version hiding cover the most critical attack vectors. Path rewriting for wp-content, plugins, and themes adds a further layer by hiding your WordPress identity from theme detectors and bot scanners, but the features available without config changes provide strong protection on their own.

Do I need to contact WPMUDEV support every time I change paths?

Yes, if you used Option B. WPMUDEV needs to reload Nginx for the updated hidemywp.conf to take effect. With Option A, changes take effect immediately without support interaction.

Does WP Ghost modify WordPress core files?

No. WP Ghost generates a separate hidemywp.conf file for Nginx and uses WordPress hooks for application-level changes. No core files are modified. Deactivating WP Ghost restores all defaults instantly.
