Can WP Ghost replace Solid Security (formerly iThemes Security)?

No. They serve different purposes. WP Ghost handles hack prevention by hiding paths and blocking bots. Solid Security handles WordPress hardening, password policies, file detection, and malware scanning. Use both for defense in depth.

Will they conflict with each other?

Not if configured properly. Both share some features (custom login, IP blocking, login limits). Pick one plugin per feature and disable it in the other.

Can WP Ghost Replace Solid Security (iThemes)?

Q: How should I configure them to avoid conflicts?

Enable each feature in only one plugin. WP Ghost for path security, firewall, 2FA, and brute force. Solid Security for password policies, file detection, and malware scanning. Disable Hide Backend in Solid Security since WP Ghost handles login paths.

Q: Should I use Solid Security's 2FA or WP Ghost's 2FA?

WP Ghost. It offers code, email, and passkeys (Face ID, Touch ID, Windows Hello). Solid Security doesn't include 2FA in its free version.

Q: Does this work with WooCommerce?

Yes. Both plugins are fully compatible with WooCommerce.

Q: Does WP Ghost modify WordPress core files?

No. Rewrite rules and WordPress hooks only. Solid Security's file change detection won't flag WP Ghost. Deactivating restores all defaults.

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

No. WP Ghost is not designed to replace Solid Security (formerly iThemes Security). They serve different purposes and work best together. WP Ghost handles hack prevention by hiding paths and blocking bots at the server level. Solid Security handles WordPress hardening, password policies, file change detection, and malware scanning. Using both gives you defense in depth: WP Ghost stops attacks at the door, Solid Security monitors what happens inside.

WP Ghost and Solid Security (formerly iThemes Security) working together for WordPress protection

What Does Each Plugin Handle?

WP Ghost focuses on attack surface reduction: changing WordPress paths (wp-admin, wp-login, wp-content, plugins, themes, uploads, REST API), the 7G/8G firewall that blocks malicious requests before PHP loads, security headers (HSTS, CSP, X-Frame-Options), 2FA with passkeys (Face ID, Touch ID, Windows Hello), brute force protection with reCAPTCHA on all forms, and country blocking.

Solid Security focuses on WordPress hardening and monitoring: guided onboarding, password policies and expiration per user role, database prefix changes, file change detection, malware scanning (Pro), login attempt limits, and version management for auto-updating vulnerable plugins and themes.

When a hacker bot scans for /wp-login.php, WP Ghost returns a 404. The bot never reaches Solid Security’s login protection because it can’t find the login form. When a more sophisticated attacker bypasses path security, Solid Security’s hardening and monitoring features take over. Each plugin handles what the other doesn’t.

How Should I Configure Them to Avoid Conflicts?

Both plugins share some overlapping features (custom login URL, brute force protection, IP blocking). The key rule: pick one plugin per feature and disable it in the other.

Enable in WP Ghost: All path security features (login, admin, wp-content, plugins, themes, uploads, REST API), 7G/8G firewall, security headers, 2FA with passkeys, brute force protection on register, lost password, and comment forms, and hiding common WordPress paths and files.

Enable in Solid Security: Password policies and enforcement, file change detection, malware scanner (Pro), version management for auto-updates. Disable the “Hide Backend” feature in Solid Security since WP Ghost handles the custom login path more comprehensively (covering wp-admin, lost password, register, activation, logout, AJAX, and more, not just wp-login).

For hardening features that overlap (database prefix, file permissions, disable file editor): use whichever plugin you prefer, but don’t enable the same hardening step in both. A good split is Solid Security for database prefix and password policies, WP Ghost for file permissions and path security.

For the complete configuration guide with feature-by-feature recommendations, see the WP Ghost and Solid Security compatibility guide.

Is This the Same Plugin as iThemes Security?

Yes. iThemes Security was renamed to Solid Security in November 2023 when it became part of the SolidWP brand. The plugin functionality is the same. WP Ghost has been tested and is compatible with both the old iThemes Security branding and the current Solid Security branding.

Frequently Asked Questions

Will WP Ghost and Solid Security conflict with each other?

Not if you configure them properly. Both offer some overlapping features (custom login URL, 2FA, IP blocking, login attempt limits). Enable each feature in only one plugin. WP Ghost is recommended for path security and brute force protection across all forms. Solid Security is recommended for WordPress hardening, password policies, and file monitoring.

Should I use Solid Security’s 2FA or WP Ghost’s 2FA?

WP Ghost’s 2FA is more comprehensive. It offers three methods: code (Google Authenticator), email, and passkeys (Face ID, Touch ID, Windows Hello, hardware security keys). Solid Security doesn’t include 2FA in its free version. Use WP Ghost for 2FA and disable any authentication features in Solid Security to avoid conflicts.

Does this work with WooCommerce?

Yes. Both WP Ghost and Solid Security are fully compatible with WooCommerce. Both plugins protect WooCommerce login forms and customer accounts. Cart, checkout, product pages, and all store functionality work normally with both plugins active.

Does WP Ghost modify WordPress core files?

No. WP Ghost writes rewrite rules to .htaccess (Apache) or hidemywp.conf (Nginx) and uses WordPress hooks for application-level changes. No core files are modified. Solid Security’s file change detection won’t flag WP Ghost as a core modification. Deactivating WP Ghost restores all defaults instantly.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.