Search: safe mode

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

Elementor relies on the REST API, admin-ajax.php, and the wp-admin path to load its editor. When WP Ghost changes these paths in Safe Mode or Ghost Mode, Elementor may lose access to them if your server configuration, cache, or other settings are not updated to match. Here is how to fix it step by step.

Check Your Server Type (Nginx Users)

If your server runs Nginx, path changes require a manual update to the …

… to regenerate its rewrite rules, which can resolve path-related issues.

Frequently Asked Questions

Will reverting WP Ghost to Safe Mode fix the styling issue immediately?

Yes. Switching to Safe Mode (the default security level) disables all custom path changes and returns your site to standard WordPress paths. If the styling issue disappears in Safe Mode, the problem is related to one of the path or mapping settings. You can then re-enable features one at a time to pinpoint the cause. If you’re locked out entirely, use the emergency disable method to regain access.

Do I need …

… and priority support. For a full breakdown, see the Free vs Premium comparison.

Getting Started

Install WP Ghost from the WordPress plugin directory or upload it through Plugins > Add New in your dashboard. After activation, go to WP Ghost > Change Paths and load one of the four security presets: Minimal, Safe Mode + Compatibility, Safe Mode + Full Protection, or Ghost Mode + Full Protection. The Safe Mode + Compatibility preset is recommended for most sites. Customize your login path, clear your cache, and run the Security Check to verify everything works. The entire setup takes under five minutes. See the WP Ghost Tutorial …

… your theme, and often your exact versions. From there, they look up known vulnerabilities and attack.

WP Ghost changes all of these paths so bots find nothing. Here’s how to set it up:

Step 1 – Activate a Security Level

Go to WP Ghost > Change Paths > Level of Security. Select Safe Mode for basic path changes, or Ghost Mode for maximum protection. Click Continue to load the predefined custom paths. Ghost Mode changes all core paths automatically and is the recommended choice for sites that want to be fully invisible to detectors.

Step 2 – Customize Paths (Optional)

WP Ghost fills …

… that gets past the cloaking, like targeted manual attacks or zero-day exploits.

How to Set Up WordPress Cloaking with WP Ghost

Install WP Ghost from the WordPress plugin directory or upload it through Plugins > Add New. After activation, go to WP Ghost > Change Paths and select a security level. Safe Mode changes the most critical paths with tested compatibility settings. Ghost Mode changes all paths for maximum cloaking. Both options can be loaded as one-click presets that configure everything automatically. Customize your login path, clear your cache, and run the Security Check at WP Ghost > Security Check to …

… fingerprint that any scanner can read with a single request. Hiding the theme name means removing all of these signals from your site.

How to Hide the Theme Name with WP Ghost

WP Ghost offers six layers of theme protection. For complete theme hiding, enable them all. Start by activating Safe Mode or Ghost Mode at WP Ghost > Change Paths > Level of Security, then configure the theme-specific options.

Change the themes path. Go to WP Ghost > Change Paths > Themes Security. Enter a custom name in the Custom Themes Path field. This replaces the keyword in your URLs, so becomes …

… better approach.

Why Should I Install WP Ghost Before My Site Goes Live?

Bots start scanning new domains within hours of registration. Even if your site has no traffic and isn’t linked anywhere, automated scanners will find it and probe for default WordPress paths like , , and . If those paths respond, bots know you’re running WordPress and start looking for vulnerabilities.

Installing WP Ghost during development means your site is protected from day one. Go to WP Ghost > Change Paths > Level of Security and select Safe Mode or Ghost Mode. WP Ghost changes all default WordPress paths to custom

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

To hide your WordPress site from bots, scanners, and theme detectors, you need to change the default paths, remove CMS fingerprints from the HTML source, and block access to common WordPress files. WP Ghost does all of this in a single plugin with 115+ free features. After configuration, tools like BuiltWith, Wappalyzer, and IsItWP cannot identify your site as WordPress.

What “Hiding WordPress” Actually Means

Hiding your WordPress site does not mean making it invisible to visitors …

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

If your theme layout breaks or CSS/JS files fail to load after activating Safe Mode or Ghost Mode in WP Ghost, the issue is almost always a server configuration problem or a stale cache. The new paths need to be recognized by your server before they can serve files correctly. Here is how to diagnose and fix it.

Step 1: Clear All Cache

This is the most common cause and the easiest fix. When WP Ghost …

… Ghost > Tweaks so that cached pages already contain the new paths.

Does WP Ghost Work Well with Caching Plugins?

Yes. WP Ghost is compatible with all major caching plugins, including WP Rocket, LiteSpeed Cache, W3 Total Cache, WP Super Cache, Breeze, Hummingbird, and Autoptimize. The path changes happen before the caching plugin stores the page, so cached versions already contain the new paths. Visitors receive the cached page with no additional processing from WP Ghost.

After saving any WP Ghost path changes, always clear your cache so the caching plugin regenerates pages with the new paths. For a detailed …

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

If you can’t access your WordPress dashboard through the usual /wp-admin path, it’s almost certainly because WP Ghost is doing its job. The plugin hides the default wp-admin and wp-login.php paths so bots can’t find them. You need to use your custom login URL instead. This guide explains what happened, how to find your custom path, how to disable the hiding if you prefer, and what to do if you …

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

Go to WP Ghost > Change Paths > API Security, switch on Disable XML-RPC Access, and click Save. That is it. The xmlrpc.php file will return a 404 error for all requests, blocking brute force amplification attacks, pingback DDoS abuse, and username enumeration through this endpoint.

Why You Should Disable XML-RPC

XML-RPC is WordPress’s legacy remote communication protocol. It was built before the REST API existed and is rarely needed on modern sites. The …

… WordPress application running on it. WP Ghost works through three pillars of prevention. First, path security: it changes every default WordPress path so bots can’t identify your site as WordPress. Second, firewall filtering: the 8G firewall blocks SQL injection, script injection, and malicious payloads at the server edge. Third, login security: brute force protection with reCAPTCHA and two-factor authentication (including passkeys with Face ID, Touch ID, and Windows Hello) ensure stolen passwords aren’t enough.

WP Ghost includes 115+ free features covering path security, 7G/8G firewall, brute force protection, 2FA, security headers, and hardening options. On …

… config after any path change in WP Ghost. See the Nginx setup guide for details. Third, try uploading the same icon package on a site without WP Ghost. If the icons are still blank, the issue is the icon font generator or the Elementor upload process, not WP Ghost.

If you are using the Hide WordPress Common Paths feature in WP Ghost and have hidden specific file extensions, make sure you are not blocking font file extensions like .woff, .woff2, .ttf, .eot, and .svg. These are required for custom icon fonts to load.

Frequently Asked Questions

Does WP Ghost …

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

Yes, WP Ghost is compatible with Kinsta hosting. Kinsta uses Nginx servers, so full path rewriting requires Kinsta’s support team to add a config file on your behalf. Many WP Ghost users run on Kinsta successfully. This guide explains the full setup process and also covers an alternative approach if you prefer not to contact support.

Why Does Kinsta Require Extra Setup for WP Ghost?

Kinsta is a managed WordPress hosting provider that runs on Nginx …

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

WP Ghost’s CMS Simulator includes Drupal and Joomla as built-in options. You can also set a custom generator name using a WordPress filter, but for best results, the name should match a real CMS that detection tools already recognize. A completely invented name won’t fool scanners because they only identify CMS platforms that exist in their databases.

How CMS Detection Works (and Why Custom Names Have Limits)

CMS detectors like BuiltWith, Wappalyzer, and WhatCMS …