WordPress security plugin with 7G/8G firewall, brute force protection, 2FA & passkeys. 150+ features, zero core file changes.
30-day money-back guarantee · Works on every major host · No core files modified · Deactivate anytime
[ 01 ] How It Works
Hacker bots don’t pick targets manually. They scan the internet looking for WordPress signals and attack whatever they find. Hide My WP Ghost breaks that chain at every step.
Disappear from automated scanners completely.
Bots can’t attack what they can’t fingerprint. Hide My WP Ghost removes every WordPress signal from your site.
Stop attacks at the firewall, before they reach PHP.
Application-layer protection that hosting firewalls can’t provide. Attacks blocked before they hit your code.
Know what’s happening on your site, in real time.
Detection speed determines recovery cost. Hide My WP Ghost shows you every threat as it happens – not three months later.
✓ No core files modified ✓ Reversible anytime ✓ Setup in 5 minutes
[ 02 ] Featured Capabilities
Below we go deeper on what makes Hide My WP Ghost different. For complete technical documentation on any feature, see our Knowledge Base.
The login page is hacker target #1
Every WordPress site uses the same default URL yourdomain.com/wp-login.php or /wp-admin. Hide My WP Ghost lets you create a custom login URL and serves a 404 on the default paths. Brute force attempts drop to virtually zero overnight. No file is physically modified.
Stops thousands of failed logins per minute
Most attacks hit /xmlrpc.php and /wp-login.php. Hide My WP Ghost stops them at three levels: hides the login URL, limits failed attempts with auto-lockout, and adds CAPTCHA on login forms. Extends to WooCommerce, MemberPress, lost password and signup forms.
Block bots without annoying real users
Four options to balance security and UX: Math CAPTCHA (lightweight), reCAPTCHA v2 (classic checkbox), reCAPTCHA v3 (invisible scoring) and reCAPTCHA Enterprise for high-traffic sites. Enable on login, registration, lost password and WooCommerce forms.
Total control over who reaches your admin
Blacklist single IPs or entire ranges that you never want near your login page. Whitelist the opposite: only trusted IPs access the admin area. Block by User Agent, Referrer or Hostname, with auto-block for repeat offenders.
No more infinite password guessing
WordPress lets users try infinite passwords by default – a gift for brute force scripts. Set a maximum number of failed attempts, after which the user (and their IP) is locked out for a duration you choose. Customize the lockout message too.
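The lockout policy described above (a maximum number of failed attempts, then a lock for a chosen duration) is easy to get subtly wrong, so here is an added example of the logic, written for this page and not taken from the plugin. It locks on both the client IP and the username, so a single IP rotating through usernames and a single account hammered from many IPs are both stopped; the IP addresses, thresholds and the injectable clock are constructed for the demonstration.

```python
import time
from collections import defaultdict


class LoginLockout:
    """Failed-login counter with auto-lockout, keyed per client IP and per username.

    Constructed illustration of the policy on the page; `clock` is injectable so the
    behaviour can be exercised deterministically instead of waiting out real time.
    """

    def __init__(self, max_attempts=5, lockout_seconds=900, clock=time.time):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = defaultdict(int)  # key -> consecutive failures
        self.locked_until = {}            # key -> unix time when the lock expires

    def _keys(self, ip, username):
        # Two dimensions: one IP rotating usernames, one username hit from many IPs.
        return (("ip", ip), ("user", username.lower()))

    def is_locked(self, ip, username):
        now = self.clock()
        for key in self._keys(ip, username):
            until = self.locked_until.get(key)
            if until is not None:
                if now < until:
                    return True
                # Lock expired: clear it together with its counter.
                del self.locked_until[key]
                self.failures.pop(key, None)
        return False

    def record_failure(self, ip, username):
        """Count a failed attempt; returns True if this attempt triggered a lockout."""
        triggered = False
        for key in self._keys(ip, username):
            self.failures[key] += 1
            if self.failures[key] >= self.max_attempts:
                self.locked_until[key] = self.clock() + self.lockout_seconds
                triggered = True
        return triggered

    def record_success(self, ip, username):
        """A successful login resets the counters for that IP and that user."""
        for key in self._keys(ip, username):
            self.failures.pop(key, None)

    def seconds_remaining(self, ip, username):
        now = self.clock()
        waits = [self.locked_until.get(k, now) - now for k in self._keys(ip, username)]
        return max(waits + [0])


def simulate():
    """Drive the policy through a constructed brute-force burst and return what happened."""
    t = [1_000_000.0]  # fake clock, advanced by hand
    lock = LoginLockout(max_attempts=5, lockout_seconds=900, clock=lambda: t[0])
    for _ in range(4):
        lock.record_failure("203.0.113.9", "admin")
    locked_after_4 = lock.is_locked("203.0.113.9", "admin")
    triggered = lock.record_failure("203.0.113.9", "admin")
    locked_after_5 = lock.is_locked("203.0.113.9", "admin")
    # The same account is refused from another IP too (per-user dimension) ...
    other_ip_locked = lock.is_locked("198.51.100.4", "admin")
    # ... while a different user from a clean IP is unaffected.
    clean_user_locked = lock.is_locked("198.51.100.4", "editor")
    t[0] += 901  # lock duration has passed
    released = lock.is_locked("203.0.113.9", "admin")
    return {
        "locked_after_4": locked_after_4,
        "triggered": triggered,
        "locked_after_5": locked_after_5,
        "other_ip_locked": other_ip_locked,
        "clean_user_locked": clean_user_locked,
        "released_after_expiry": released,
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

Locking on the username as well as the IP is the design choice to think about: it stops distributed guessing against one account, but it also means an attacker can lock a known account out deliberately, which is one reason the page's hidden login URL and CAPTCHA layers sit in front of this counter rather than replacing it.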
Block user enumeration attacks
By default, /?author=1 redirects to /author/admin-username/ – exposing your real WordPress username. With that username, an attacker only needs to brute force the password. Hide My WP Ghost disables Author ID lookup and lets you change /author/ to any custom path.
Install once. Protect forever. No signup required.
Erase the heaviest WordPress fingerprints
/wp-content/, /wp-includes/ and /wp-content/uploads/ are the three most fingerprint-heavy folders. Renaming them (without physically moving files) removes the easiest WordPress signals from your source code. Vulnerable plugin scanners can no longer auto-detect.
Vulnerable plugins are the #1 hack reason
If a hacker scans your site and sees /wp-content/plugins/some-vulnerable-plugin/, they know exactly which exploit to run. Hide My WP Ghost changes the plugins/themes paths and gives each plugin and theme a random custom name in your source code.
Close two of WordPress’s biggest entry points
The REST API at /wp-json/ exposes user accounts, posts and metadata. XML-RPC lets attackers test hundreds of passwords per single request – a perfect amplifier for brute force. Hide My WP Ghost rewrites /wp-json to a custom path and disables XML-RPC cleanly.
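The author-ID probes, REST user listing and XML-RPC password amplification described above all leave a recognisable trace in the web server access log. The following detection pass over constructed log lines is an added example for this page, not code from the plugin: it parses Apache combined-format lines, counts each signal per client IP and reports the IPs that cross a threshold. The sample lines, IP addresses (documentation ranges) and thresholds are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample access log in Apache "combined" format; not captured from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:10:00:01 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:10:00:02 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:10:00:02 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.4 - - [10/May/2024:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 4020 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2024:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 4020 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2024:10:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 4020 "-" "Mozilla/5.0"
192.0.2.10 - - [10/May/2024:10:01:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [10/May/2024:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# signal name -> (predicate over (method, path), per-IP hit count that triggers a finding)
# The thresholds are assumptions for the example; tune them to your own traffic.
SIGNALS = {
    "author_enumeration": (lambda m, p: re.search(r"[?&]author=\d+", p) is not None, 2),
    "rest_user_listing":  (lambda m, p: p.startswith("/wp-json/wp/v2/users"), 1),
    "xmlrpc_post_burst":  (lambda m, p: m == "POST" and p.split("?")[0] == "/xmlrpc.php", 3),
    "login_post_burst":   (lambda m, p: m == "POST" and p.split("?")[0] == "/wp-login.php", 5),
}


def parse_lines(text):
    """Yield one dict per parseable log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def detect(text):
    """Return {ip: {signal: hits}} for every IP that reached a signal's threshold."""
    counts = defaultdict(lambda: defaultdict(int))
    for rec in parse_lines(text):
        for name, (pred, _threshold) in SIGNALS.items():
            if pred(rec["method"], rec["path"]):
                counts[rec["ip"]][name] += 1
    findings = {}
    for ip, per_signal in counts.items():
        hits = {n: c for n, c in per_signal.items() if c >= SIGNALS[n][1]}
        if hits:
            findings[ip] = hits
    return findings


if __name__ == "__main__":
    for ip, hits in detect(SAMPLE_LOG).items():
        print(ip, hits)
```

The counts here are over the whole input; a production version would count within a sliding time window and feed the resulting IPs to whatever blocks them (the plugin's IP blacklist, a firewall rule). Once /wp-json and /xmlrpc.php are rewritten or disabled as the page describes, requests to the original paths become a high-confidence scanner signal in themselves, because legitimate clients no longer use them.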
Enterprise-grade protection at server level
XSS and SQL Injection attacks work on any website, WordPress or not. The 7G and 8G Firewall layers add hundreds of pre-tested rules to your .htaccess or NGINX config that block these queries before they ever reach PHP. Zero performance overhead.
Make WordPress invisible to theme detectors
Three small headers in every WordPress page that scream “I’m WordPress” to theme detectors: the RSD link, the Generator meta tag with the WP version, and the DNS Prefetch for s.w.org. Hide My WP Ghost removes them all – theme detector services return “Not Detected”.
Know what happens on your site, in real time
Records logins (success/fail with IP), posts created/deleted, plugins activated, role changes and settings modifications. Filter by user role, set up email alerts for suspicious actions. Cloud storage with 30-day retention and CSV export available in Pro.
35+ automated tests with one-click fixes
Scans your WordPress install for known weaknesses: default wp_ prefix, weak admin usernames, outdated SALT keys, wrong file permissions, plugin editor enabled, vulnerable plugins detected, debug mode in production. Get a Security Optimization Score from 0–100.
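Several of the checks listed above can be read straight out of wp-config.php. The following auditor is an added example written for this page, not the plugin's scanner: it parses a constructed wp-config.php excerpt for the default wp_ prefix, placeholder or missing SALT keys, debug mode and the plugin editor, and turns the findings into a score. The sample file, the placeholder salt text (what a fresh wp-config-sample.php ships with) and the 20-points-per-check weighting are all assumptions for the example.

```python
import re

# Constructed wp-config.php excerpt with several weak settings; not from any real site.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp_site' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'CONSTRUCTED-EXAMPLE-VALUE-NOT-A-REAL-SALT-0123456789' );
define( 'NONCE_KEY',        'put your unique phrase here' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_DISPLAY', true );
define( 'DISALLOW_FILE_EDIT', true );
"""

SALT_CONSTANTS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                  "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"  # value left behind when salts were never generated

DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*(?:'([^']*)'|(true|false))\s*\)")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'")


def parse_defines(text):
    """Map constant name -> string or bool for every define('NAME', value) in the file."""
    out = {}
    for name, string_val, bool_val in DEFINE_RE.findall(text):
        out[name] = (bool_val == "true") if bool_val else string_val
    return out


def parse_table_prefix(text):
    m = PREFIX_RE.search(text)
    return m.group(1) if m else None


def audit(text):
    """Run the checks; return findings as (id, message) pairs and a 0-100 score.

    Score weighting (20 points per failed check) is an assumption for the example.
    """
    d = parse_defines(text)
    findings = []
    if parse_table_prefix(text) == "wp_":
        findings.append(("table_prefix", "default wp_ table prefix: table names are guessable"))
    weak = [k for k in SALT_CONSTANTS if d.get(k) in (None, PLACEHOLDER)]
    if weak:
        findings.append(("salts", "placeholder or missing salts: " + ", ".join(weak)))
    if d.get("WP_DEBUG") is True:
        findings.append(("wp_debug", "WP_DEBUG enabled in production"))
    if d.get("WP_DEBUG_DISPLAY") is True:
        findings.append(("wp_debug_display", "PHP errors (with file paths) shown to visitors"))
    if d.get("DISALLOW_FILE_EDIT") is not True:
        findings.append(("file_editor", "plugin/theme editor enabled: DISALLOW_FILE_EDIT is not true"))
    return {"findings": findings, "score": max(0, 100 - 20 * len(findings))}


if __name__ == "__main__":
    result = audit(SAMPLE_WP_CONFIG)
    for check_id, message in result["findings"]:
        print(f"[{check_id}] {message}")
    print("score:", result["score"])
```

Only the constants written as plain string or boolean literals are recognised; salts pulled in from a separate include file or generated at runtime show up as "missing" and need a manual look. File-permission and username checks need filesystem and database access and are outside what a config parse can tell you.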
Stop attackers even if they steal a password
2FA by Authenticator code (Google Authenticator, Authy, 1Password), 2FA by email, Passkey with Face ID / Touch ID / Windows Hello (passwordless), Magic Link for passwordless email login, and Trust current browser to skip 2FA on devices you own.
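The Authenticator-code option above is RFC 6238 TOTP: the server and the app share a secret, and each 30-second step yields a six-digit code. This added example is written for this page (it is not the plugin's 2FA code) and shows the verifier side, including the two details that matter for security: a small drift window so a code from the neighbouring step still works, and a "last accepted counter" so a code that was already used, or captured, cannot be replayed inside its window. The test secret is the published RFC 6238 test key; everything else is constructed.

```python
import base64
import hashlib
import hmac
import struct
import time

# Base32 of the RFC 6238 test key "12345678901234567890" (SHA-1 test vectors).
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, for_time, step=30, digits=6, algo="sha1"):
    """RFC 6238 code for the time step containing for_time (HOTP over the step counter)."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # authenticator apps often show unpadded base32
    key = base64.b32decode(cleaned)
    counter = int(for_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32, submitted, now=None, window=1, last_counter=-1, step=30):
    """Return (accepted, new_last_counter).

    Accepts the current step and +/- `window` steps to absorb clock drift, compares in
    constant time, and refuses any counter <= last_counter so a used code cannot be replayed.
    The caller persists new_last_counter per user and passes it back on the next attempt.
    """
    now = time.time() if now is None else now
    current = int(now) // step
    submitted = submitted.strip().replace(" ", "")
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_counter:
            continue
        expected = totp(secret_b32, candidate * step, step=step)
        if hmac.compare_digest(expected, submitted):
            return True, candidate
    return False, last_counter


if __name__ == "__main__":
    print("code at T=59:", totp(RFC6238_TEST_SECRET, 59))
    print("current code:", totp(RFC6238_TEST_SECRET, time.time()))
```

Per-user state is just the last accepted counter; store it next to the secret. Note that the shared secret must be protected like a password: anyone who reads it out of the database can generate valid codes, which is the main reason passkeys (bound to the device's authenticator) are the stronger option among those listed.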
No more sharing admin passwords
Need to give a developer, designer or support agent access for 24 hours without sharing your password? Create a time-limited, loginless URL with a specific user role. The link expires automatically. Perfect for agencies and freelancers.
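A time-limited, loginless URL is essentially a signed token carrying the user id, the role and an expiry, and the security of the feature rests on checking the signature before trusting anything in it. This added example, written for this page and not taken from the plugin, mints and verifies such a link with HMAC-SHA256; the server key, the URL shape (?temp-login=) and the revocation set are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key. A deployment generates this once with secrets.token_bytes(32)
# and keeps it out of the web root (for example as a constant in wp-config.php).
SERVER_SECRET = b"CONSTRUCTED-DEMO-KEY-NOT-FOR-PRODUCTION-USE-32B"
LOGIN_ENDPOINT = "https://example.com/?temp-login="  # URL shape is an assumption


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_temp_login(user_id, role, ttl_seconds, secret=SERVER_SECRET, now=None):
    """Mint a loginless URL bound to one user id and role that stops working after ttl_seconds."""
    now = int(time.time()) if now is None else int(now)
    payload = {"uid": user_id, "role": role, "exp": now + ttl_seconds,
               "nonce": secrets.token_hex(8)}  # nonce lets a single link be revoked early
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return LOGIN_ENDPOINT + body + "." + _b64(sig)


def verify_temp_login(url_or_token, secret=SERVER_SECRET, now=None, revoked=frozenset()):
    """Return (accepted, reason, payload). The signature is checked before the payload is parsed."""
    now = int(time.time()) if now is None else int(now)
    token = url_or_token.split("temp-login=", 1)[-1]
    try:
        body, sig_text = token.split(".", 1)
        sig = _unb64(sig_text)
    except ValueError:
        return False, "malformed", None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature", None
    payload = json.loads(_unb64(body))
    if payload["exp"] <= now:
        return False, "expired", None
    if payload["nonce"] in revoked:
        return False, "revoked", None
    return True, "ok", payload


if __name__ == "__main__":
    link = issue_temp_login(42, "editor", ttl_seconds=24 * 3600)
    print(link)
    print(verify_temp_login(link))
```

Two practical points follow from the design: the link grants exactly the role baked into it, so issue the least role the job needs (an editor for content work, not an administrator), and the nonce should be written to the activity log on every use so the audit trail shows which temporary link performed which action.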
Block traffic from high-risk regions
If your site only serves European customers, why allow login attempts from countries that send 90% of attack traffic? Country Blocking lets you allow or block traffic from any country. Apply rules per path – for example, block country X from /wp-admin only.
Make WordPress completely indistinguishable
Even after changing all paths, your source code may still contain telltale class names like wp-block-, wp-post-, wp-smiley, or Elementor-specific classes. Text Mapping renames these everywhere – including inside cached CSS and JS files.
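The three fingerprint layers above (folder paths, the RSD/generator/dns-prefetch head tags, and class-name text mapping) are all transformations of the HTML that WordPress outputs. The following filter is an added example for this page, not the plugin's code: it applies all three to a constructed sample page and then re-checks the result for any remaining WordPress signal. The sample HTML, the virtual path names (/assets/, /lib/, /media/ and so on) and the text-mapping pairs are assumptions chosen for the demonstration.

```python
import re

# Constructed sample of a WordPress page; not captured from any real site.
SAMPLE_HTML = """<html><head>
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://example.com/xmlrpc.php?rsd" />
<meta name="generator" content="WordPress 6.5.2" />
<link rel="dns-prefetch" href="//s.w.org" />
<link rel="stylesheet" href="https://example.com/wp-content/themes/twentytwentyfour/style.css" />
<script src="https://example.com/wp-includes/js/jquery/jquery.min.js"></script>
</head><body class="home wp-custom-logo">
<p class="wp-block-paragraph"><img class="wp-smiley" src="https://example.com/wp-content/uploads/2024/05/emoji.png"></p>
</body></html>"""

# Virtual path names are assumptions for the example; the files themselves are not moved,
# so the server must also rewrite these new paths back to the real folders.
PATH_MAP = {
    "/wp-content/uploads/": "/media/",
    "/wp-content/plugins/": "/modules/",
    "/wp-content/themes/": "/skins/",
    "/wp-content/": "/assets/",
    "/wp-includes/": "/lib/",
}

# Text-mapping pairs for telltale class names; also assumptions for the example.
TEXT_MAP = {
    "wp-block-": "blk-",
    "wp-custom-logo": "site-logo",
    "wp-smiley": "emoji",
}

# The three head signals named on the page: RSD link, generator meta, s.w.org prefetch.
HEAD_TAG_PATTERNS = [
    re.compile(r'<link[^>]*rel="EditURI"[^>]*>\s*', re.I),
    re.compile(r'<meta[^>]*name="generator"[^>]*>\s*', re.I),
    re.compile(r'<link[^>]*rel="dns-prefetch"[^>]*s\.w\.org[^>]*>\s*', re.I),
]

FINGERPRINTS = ("/wp-content/", "/wp-includes/", 'name="generator"', "s.w.org",
                'rel="EditURI"', "xmlrpc.php", "wp-block-", "wp-smiley", "wp-custom-logo")


def strip_head_signals(html):
    for pat in HEAD_TAG_PATTERNS:
        html = pat.sub("", html)
    return html


def rewrite_paths(html):
    # Longest prefix first, so /wp-content/uploads/ is mapped before the bare /wp-content/.
    for old in sorted(PATH_MAP, key=len, reverse=True):
        html = html.replace(old, PATH_MAP[old])
    return html


def map_text(html):
    for old, new in TEXT_MAP.items():
        html = html.replace(old, new)
    return html


def ghost(html):
    """Apply all three layers in order: head tags, folder paths, class-name text mapping."""
    return map_text(rewrite_paths(strip_head_signals(html)))


def wordpress_signals(html):
    """Return which known fingerprints are still present; an empty list means none found."""
    return [f for f in FINGERPRINTS if f in html]


if __name__ == "__main__":
    print("before:", wordpress_signals(SAMPLE_HTML))
    out = ghost(SAMPLE_HTML)
    print("after: ", wordpress_signals(out))
    print(out)
```

String replacement over a captured sample is enough to show the idea; a real implementation runs at the output-buffer or rewrite layer, covers cached CSS and JS as the page notes, and is paired with server rewrite rules so that the new paths actually resolve. The wordpress_signals check is the useful part to keep: run it against your own live pages after enabling each layer to confirm nothing leaks through a theme or plugin that prints its own markup.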
Save your config. Clone across sites.
Save all your custom paths and settings as an encrypted backup file. Useful when reinstalling the plugin, migrating servers, setting up multiple sites with the same configuration (agencies), or sharing a tested config across a portfolio.
30-day money-back guarantee. Setup in 5 minutes.
[ 03 ] Free vs Premium
The Free version of Hide My WP Ghost (over 100,000 active installs on WordPress.org) gives you all the essentials. Premium unlocks the advanced layer for growing sites and agencies.
For personal blogs and small business sites, yes. Over 100,000 active installs on WordPress.org rely only on the free version. You’ll likely want to upgrade to Pro when you start managing multiple client sites, run a WooCommerce store with revenue at stake, or need compliance-grade audit logs. You can start with the free version, then upgrade once you understand which features you actually use.
[ 04 ] Who it’s for
From personal blogs to agency portfolios – find the security setup that fits your role.
Free forever. No subscription. Install, pick a preset, done.
One plugin. No dedicated security team required.
Revenue at stake. You need prevention – not incident response.
Protect client sites as part of your standard setup. Add visible value without added complexity.
Multiple client sites. Consistent security. Audit trail you can show clients.
[ 05 ] Compatibility
Tested with 1,000+ themes and plugins. Hide My WP Ghost operates at the server rewrite level; it doesn’t interfere with caching, CDN, or page builder logic.
[ 06 ] FAQs
Quick answers to the most common questions before you install. For pricing, licensing and refund questions, see the pricing FAQ.
No. Hide My WP Ghost has an average load impact of 0.03 seconds – measured across 250,000+ active installations on hosts ranging from shared hosting to enterprise WordPress platforms. The plugin operates at the server rewrite level (.htaccess on Apache/LiteSpeed, NGINX rules), not as runtime PHP processing, which means most of its work happens before WordPress even loads. The 7G/8G Firewall layers add protection at the same server level – zero performance overhead in real-world tests. Sites that were already slow stay slow; sites that were fast stay fast.
No, when configured correctly. Hide My WP Ghost is tested against 1,000+ themes and plugins, including WooCommerce, Elementor, Divi, WPML, Squirrly SEO, Rank Math, and all major page builders. The plugin includes a Safe Mode that activates changes gradually so you can verify each step, and every change is fully reversible from the dashboard. If you do encounter a conflict (rare, usually with poorly-coded custom plugins), you can disable WP Ghost from the WordPress dashboard or from wp-config.php if you’ve locked yourself out – full guide included.
Yes, and many users run both. Hide My WP Ghost focuses on a layer most security plugins don’t touch: removing the WordPress fingerprint itself — hiding wp-admin, wp-login, plugin and theme paths, REST API endpoints, and version metadata so automated scanners can’t identify your stack in the first place. Wordfence and Sucuri focus on traffic filtering, malware scanning, and incident response. The two approaches stack cleanly: HMWG reduces what bots can see, Wordfence/Sucuri filter and clean what still gets through. Common stacks we see in production:
The only feature you should disable in your scanner if it overlaps is brute force protection (Hide My WP Ghost handles it more efficiently at server level). Everything else stays active.
No. Zero core file modifications. Hide My WP Ghost works exclusively by adding rewrite rules to your server configuration (.htaccess for Apache/LiteSpeed, conf files for NGINX, web.config for IIS) and by filtering output through WordPress hooks. The original /wp-admin/, /wp-login.php, /wp-content/, /wp-includes/ and all other WordPress files stay exactly where WordPress put them — you simply access them through different URLs. This means three things matter for you:
If a plugin tells you “this will modify your core files” – that’s a different plugin, with different risks. Hide My WP Ghost doesn’t.
All changes are 100% reversible, anytime, with no cleanup required. When you deactivate Hide My WP Ghost:
Custom URLs (such as /my-secret-login) stop working – WordPress reverts to the default /wp-admin and /wp-login.php.
Rewrite rules added to .htaccess or NGINX config are removed automatically.
If you completely uninstall the plugin, the only residue is the encrypted settings backup (you can choose to delete it or keep it for future reinstalls). No orphan database tables, no commented-out code in .htaccess, no broken links. You can install today, test for 30 days, and uninstall on day 31 with zero traces, exactly the same site you started with.
No. Average setup time is under 5 minutes, with three configuration presets that handle 90% of use cases:
Each preset is one-click activation. You can also customize every setting individually if needed, but it’s not required. The only manual step is choosing your custom login URL: pick something memorable but not obvious (avoid /admin, /login, /secret). The plugin walks you through it on first activation.
Yes, fully. Hide My WP Ghost is tested with the most common caching and CDN setups:
If you use a custom server setup (e.g., Varnish in front of NGINX), Hide My WP Ghost provides config snippets in the documentation. Worst case: priority email support helps with custom configurations on Pro plans.
The core difference is prevention vs. detection:
For most sites, the right answer is to combine the two: Hide My WP Ghost for prevention + your scanner of choice for detection. Three concrete differences if you’re comparing directly: