How To

Want to prevent hack attacks on WordPress?

Using an Open Source CMS with open-source plugins and themes it’s giving a hard time preventing all the hack attacks to your WordPress site.

Many plugins are created by authors who don’t know how to completely secure them. The same with the themes’ authors.

Prevent Hack Attacks

Fortunately, there are security plugins that are built to help you protect your website and prevent hack attacks. Some of them are popular on WordPress: Wordfence, iThemes, Sucuri, etc.

Most of these plugins are working to identify if your website was already hacked but what’s also important is to add a layer on your WordPress site to proactively stop a virus.

The best and simplest way to do this is to change all the known vulnerable paths for all plugins and themes. To do this, you can install Hide My WP Ghost free plugin.

Hide My WP Ghost works together with other security plugins and hides the paths from hackers’ bots, stopping all Script and SQL injections. You can also include Brute Force protection to your login page if you want to use only one security plugin for your website.

WordFence Vs Hide My WP

Even if both plugins are considered WordPress Security plugins, WordFence and Hide My WP work together without any issue and both will add security layers on your websites, stopping the hackers’ attacks and preventing data loss.


  • Both plugins are free and used successfully by many companies around the globe.
  • Both plugins load fast and work with SEO and Cache plugins.
  • Both plugins work on all types of servers.
  • Hide My WP works as security through obscurity and prevents access to vulnerable files and paths.
  • Wordfence works like a firewall to prevent Brute Force attacks and virus injections and more.

Wordfence Features:

Wordfence runs at the endpoint, your server, providing better protection than cloud alternatives. Cloud firewalls can be bypassed and have historically suffered from data leaks. Wordfence firewall leverages user identity information in over 85% of our firewall rules, something cloud firewalls don’t have access to. And our firewall doesn’t need to break end-to-end encryption like cloud solutions.


  • Web Application Firewall identifies and blocks malicious traffic. Built and maintained by a large team focused 100% on WordPress security.
  • [Premium] Real-time firewall rule and malware signature updates via the Threat Defense Feed (free version is delayed by 30 days).
  • [Premium] Real-time IP Blacklist blocks all requests from the most malicious IPs, protecting your site while reducing load.
  • Protects your site at the endpoint, enabling deep integration with WordPress. Unlike cloud alternatives does not break encryption, cannot be bypassed and cannot leak data.
  • Integrated malware scanner blocks requests that include malicious code or content.
  • Protection from brute force attacks by limiting login attempts.


  • Malware scanner checks core files, themes and plugins for malware, bad URLs, backdoors, SEO spam, malicious redirects and code injections.
  • [Premium] Real-time malware signature updates via the Threat Defense Feed (free version is delayed by 30 days).
  • Compares your core files, themes and plugins with what is in the repository, checking their integrity and reporting any changes to you.
  • Repair files that have changed by overwriting them with a pristine, original version. Delete any files that don’t belong easily within the Wordfence interface.
  • Checks your site for known security vulnerabilities and alerts you to any issues. Also alerts you to potential security issues when a plugin has been closed or abandoned.
  • Checks your content safety by scanning file contents, posts and comments for dangerous URLs and suspicious content.
  • [Premium] Checks to see if your site or IP have been blacklisted for malicious activity, generating spam or other security issue.


  • Two-factor authentication (2FA), one of the most secure forms of remote system authentication available via any TOTP-based authenticator app or service.
  • Login Page CAPTCHA stops bots from logging in.
  • Disable or add 2FA to XML-RPC.
  • Block logins for administrators using known compromised passwords.


  • Wordfence Central is a powerful and efficient way to manage the security for multiple sites in one place.
  • Efficiently assess the security status of all your websites in one view. View detailed security findings without leaving Wordfence Central.
  • Powerful templates make configuring Wordfence a breeze.
  • Highly configurable alerts can be delivered via email, SMS or Slack. Improve the signal to noise ratio by leveraging severity level options and a daily digest option.
  • Track and alert on important security events including administrator logins, breached password usage and surges in attack activity.
  • Free to use for unlimited sites.


  • With Live Traffic, monitor visits and hack attempts not shown in other analytics packages in real time; including origin, their IP address, the time of day and time spent on your site.
  • Block attackers by IP or build advanced rules based on IP Range, Hostname, User Agent and Referrer.
  • Country blocking available with Wordfence Premium.

Hide My WP Features:

Hide My WP Ghost works as security through obscurity solution for WordPress websites.

Security through obscurity is one of the best solutions against hacker bots and one of the best ways to protect vulnerable plugins and themes.


  • Hide WordPress wp-admin URL and redirect it to 404 page or a custom page
  • Hide WordPress wp-login.php and redirect it to 404 page or a custom page
  • Change the wp-admin and wp-login URLs
  • Change lost password URL
  • Change register URL
  • Change logout URL
  • Change admin-ajax URL
  • Change wp-content URL
  • Change wp-includes URL
  • Change comments URL
  • Change author URL
  • Change plugins name URL
  • Change themes name URL
  • Change category URL
  • Change tags URL


  • Hide WordPress HTML comments
  • Hide Version and WordPress Tags
  • Hide DNS Prefetch WordPress link
  • Hide WordPress Generator Meta
  • Hide RSD (Really Simple Directory) header
  • Hide Emojicons if you don’t use them


  • Disable XML-RPC access
  • Disable Embed scripts
  • Disable DB-Debug in Frontend
  • Disable WLW Manifest scripts


  • Brute Force with Math Captcha and reCaptcha


  • Website Security Check with over 30 signals
  • Free weekly security check and reports


  • Backup and Restore settings
  • Fix relative URLs
  • Change classes using Text Mapping from HTML code
  • Cache CSS, JS and Images to optimize the loading speed

Compatible with: WP Multisite, Apache, Litespeed, Nginx and IIS.

Plugins Compatibility updates: W3 Total Cache, WP Super Cache, WP Fastest Cache, Cache Enabler, CDN Enabler,
WOT Cache, Autoptimize, Jetpack by WordPress, Contact Form 7, bbPress, All In One SEO, Yoast SEO, Squirrly SEO,
WP-Rocket, Minify HTML, iThemes Security, Sucuri Security, Back-Up WordPress, Elementor Page Builder,
Weglot Translate, AddToAny Share Btn

Hosting Compatibility checked: WP Engine, Inmotion Hosting, Hostgator Hosting, Godaddy Hosting, Host1plus,
Payperhost, Fastcomet, Dreamhost, Bitnami Apache, Bitnami Nginx, Google Cloud Hosting

Let us know what you think about these plugins.

Hide My WP Ghost and Zapier

Everybody knows that Zapier is a great tool when you need to create automated tasks on your WordPress site or to trigger an action when you create new posts or pages

We recently tested Zapier to create new posts in WordPress while Hide My WP Ghost plugin is activated.

We noticed that Zapier needs the xml-rpc.php file to work properly and we switched off the option Hide My WP > Tweaks > Disable XML-RPC access. With this option off we were able to create and promote our posts on Social Media.

Having this option on it’s not safe for your website. Many brute force attacks are made through this URL. Sometimes you need to make compromises in order to prevent functionality issues.

[How To] Setup Hide My WP Ghost with Advanced Access Manager

The Advanced Access Manager is a great plugin which lets you customize the users rights when it comes to access the backend of your website.

It’s also a good security plugin which protects your personal information when you want to limit the access to developers who sometimes have to work on your live website.

We tested Hide My WP Ghost together with AAM plugin and we noticed that with small adjustments, the two plugins are working beautifully together.


The Difference Between Safe Mode and Ghost Mode in Hide My WP

Hide My Wp Ghost brings a complex level of security through obscurity and protection against hackers’ bots.

A reason to change the common paths in WordPress is to be able to hide these paths and prevent script injections into your vulnerable plugins and themes.

Note! The paths will not be physically changed by the plugin so that all the previous settings will go back to normal in case you deactivate the plugin.


[How To] Customize the WP-Content Directory in WordPress

Method #1 – Change wp-content with wp-config.php

This solution is simple, but it involves editing a core WordPress file.

First, access the root directory of your WordPress installation using the File Manager in your web hosting CPanel or using an sFTP client. Then find a file named wp-config.php and open the file to edit.

Then add the following line in the wp-config file at the beginning of the file:

define ('WP_CONTENT_DIR',__DIR__ .'/lib');
define( 'UPLOADS', 'lib/uploads' );

[How To] Hide WordPress Common Paths in CSS Files

It was a real challenge to hide paths in CSS files but we managed to find a solution that will not affect the load on the web page.

Since version 4.2, you can use Hide My WP Ghost together with Autoptimize plugin and the plugin will look into the /wp-content/cache directory and change all the common paths.

We’ve tested the plugin with Wp-Rocket, Elementor, W3 Total Cache, Autoptimize, WP Fastest Cache and all these plugins passed the tests successfully.


[How To] Customize WordPress Uploads Directory

Method #1 – Change wp-content/uploads with wp-config.php

This solution is simple, but it involves editing a core WordPress file.

First, access the root directory of your WordPress installation using the File Manager in your web hosting CPanel or using an FTP client. Then find a file named wp-config.php and open the file to edit.

Then add the following line in the wp-config file:

define( ‘UPLOADS’, ‘wp-content/storage’ );


[How To] Hide the Image Paths for Elementor, Divi, Thrive and Other Builders

Hide My WP Ghost works well with all the WordPress builders. Once you save the page, Hide My WP Ghost Plugin will know what to do to hide the on-page paths and change them with the new one.

Hide My WP Elementor

Security Check Issues

Website Security Check Report

If WPPlugins founds any security issue, it means that your WordPress CMS is detected and hackers will find these breaches.

If you don’t act NOW, the hacker’s bots will get into your website sooner or later. If they do, they usually remove the website content entirely and steal your database information. The loss and recovery costs can be … oh well … you do the math.

Below you will find more details and solutions for each security breach we found:


Hide My WP Codecanyon Alternative

Many people are asking if the plugin on Codecanyon is the same as ours.

I can say that the name is similar but the features and functionality are not.

Hide My WP Ghost is a plugin built for both experts and non-experts and we’ve tried to minimize interactions with the config files.


What Hide My WP Ghost Can’t Do

We work hard to make Hide My WP Ghost plugin for keeping your website safe using security through obscurity and at the same time to have a fast loading website with good SEO results in Google search engine.

Most hackers are using bots who access the vulnerable plugins path and inject javascript or SQL to get valuable data from your website. We made sure that Hide My WP Ghost will protect you from these types of attacks.


Hide My WP Ghost Compatible With Inmotion WordPress Hosting

Inmotion Hosting is a good hosting solution for your business and if you start an hosting plan with them you will love their services.

Inmotion is using a Cache Manager base on Nginx and it will automatically cache all static files like: CSS, Javascript and Image files.

To make Hide My WP Ghost work and redirect all the static files you need to follow these  steps:


[How To] Hide WordPress From Builtwith

Even if WordPress is one of the safest content management system online, you cannot be completely sure that no one can hack your website if you are using WordPress. There are so many insecure plugins and themes that can be tracked by hackers around the world.

How To Hide WordPress From BuiltWith

Hide My WP Ghost is designed to ensure perfect protection against hackers around the world. Note that BuiltWith is a popular platform that provides hackers information about on which platform a particular website is running so that they can further plan their destructive activities.

Experts reveal that Hide My WP Ghost hides the website from if the users are setting the Ghost mode to Hide My WP Ghost plugin.


The website frontend style is not loading in Ghost Mode

If you followed all the Hide My WP Ghost indications, probably it’s a .htaccess file issue.

Please check the .htaccess file and look for

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

[How To] Hide WordPress From Wappalyzer

WordPress is one of the safest content management system online. Developers at this company keep on updating the security parameters to address potential vulnerabilities.

However; we cannot be completely sure that no one can track your data on this platform. There are so many insecure plugins and themes that can be tracked by hackers around the world.


[How To] Setup Hide My WP Ghost on Nginx Server

Please follow this tutorial step by step to set up the Hide My WP Ghost for Nginx server:

  1. In your WordPress dashboard, go to Hide My WP > Change Paths
  2. Select the Safe Mode or Ghost Mode,  scroll down and customize the paths as you like
  1. Click the Save button to save the changes.
  2. You will see a message to include the configuration file into nginx.conf file.

If your server is a Linux server, the main path to the nginx.conf file is /etc/nginx/nginx.conf (or /etc/nginx/conf/nginx.conf if you’re using Arch Linux). If the server is a Windows server your nginx.conf file will be located at C:/nginx/conf/nginx.conf)

If your nginx doesn’t have sites-enabled option activated (check for sites-enabled subdirectory in the same directory with nginx.conf file), you will find the server configuration in nginx.conf file like in the below example:

server {
        server_name [your domain name];
        root [path to the website root];
        index index.php;

        location / {
                try_files $uri $uri/ /index.php?$args;


[How To] Hide All The Wodpress Files With Hide My Wp Ghost

What Hide My WordPress Ghost can do:

You can set the Ghost mode to hide all the main WordPress paths:

  • wp-content
  • wp-includes
  • wp-content/uploads
  • wp-content/plugins
  • wp-content/themes
  • wp-comments-post.php
  • author
  • wp-json
  • wp-login.php, wp-login, login
  • wp-admin
  • and all the plugins and themes names
  • show forbidden error for all the old paths and let only the new paths
  • custom URLs using the URL Mapping feature

[How To] Set Hide My Wp Ghost For Bitnami Servers

#1 Bitnami Setup for Apache Servers

Step1: Install, Setup Hide My WP Ghost Plugin and click the Save button with the new paths.

Step2: Copy the rewrite rules from Hide My WP Ghost into Bitnamy config file

Bitnami uses “htaccess.conf” files by default instead of “.htaccess” files for security and performance reasons. You can find more info at