Does WP Ghost Make Changes to the .htaccess File?

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

Yes, WP Ghost writes rewrite rules and security filters to the .htaccess file on Apache and LiteSpeed servers. This is the standard, expected way to handle URL rewriting in WordPress – WordPress core itself uses .htaccess for permalink rules. No PHP files are changed. No other config files are modified. Everything WP Ghost adds is removed cleanly when you deactivate the plugin.

What Exactly Does WP Ghost Add to .htaccess?

WP Ghost adds two types of rules to your .htaccess file. The first is URL rewrite rules that map your custom paths (like a custom login URL or custom wp-content path) to the original WordPress file locations. The second is security filter rules from the 7G/8G firewall that block malicious requests at the server level before PHP even loads.

All WP Ghost rules are placed between clearly marked comments: #BEGIN HMWP_RULES and #END HMWP_RULES. This makes them easy to identify and ensures they don’t mix with WordPress core rules or rules from other plugins.

Does WP Ghost Change Any Files Besides .htaccess?

No. On Apache and LiteSpeed servers, .htaccess is the only file WP Ghost writes to. No PHP files are modified: not wp-config.php, not wp-settings.php, not theme files, not plugin files. Your actual WordPress files remain exactly as they were. The rewrites happen at the server level when a browser requests a URL. The server reads the .htaccess rules and routes the request to the correct file without changing anything on disk.

On Nginx servers, WP Ghost generates a separate hidemywp.conf file instead. On Windows IIS servers, it provides rules for web.config. In all cases, only server configuration files are touched, never WordPress core files.

What Happens to .htaccess When I Deactivate WP Ghost?

WP Ghost removes all its rules from .htaccess automatically when you deactivate the plugin. The #BEGIN HMWP_RULES / #END HMWP_RULES block is deleted cleanly. Your .htaccess file returns to its pre-WP Ghost state with only WordPress core permalink rules and any rules from your other plugins. No manual cleanup is needed.

Can Other Plugins Remove WP Ghost’s .htaccess Rules?

Some security or optimization plugins clean up custom rules in .htaccess that sit outside the WordPress block (#BEGIN WordPress / #END WordPress). If you notice your custom paths stop working after saving another plugin’s settings, that plugin may be removing WP Ghost’s rules.

The fix is to go to WP Ghost > Advanced > Compatibility and enable Add Rewrites in WordPress Rules Section. This moves WP Ghost’s rules inside the WordPress block where they’re protected from deletion by other plugins. Alternatively, you can set your .htaccess file permissions to read-only (444) after saving WP Ghost settings to prevent any plugin from modifying it. For details, see the .htaccess read-only guide.

Frequently Asked Questions

Is writing to .htaccess safe?

Yes. Writing URL rewrite rules and security filters to .htaccess is the standard method used by WordPress itself and by every major plugin that handles permalinks, caching, or security on Apache/LiteSpeed servers. WP Ghost follows the same pattern and uses clearly marked comment blocks to keep its rules separate and identifiable.

What if my .htaccess file isn’t writable?

If .htaccess is set to read-only (which is actually good security practice), WP Ghost will show you the rules that need to be added manually. You can temporarily change the file permissions, save WP Ghost settings, then set it back to read-only. Or you can copy the rules from the WP Ghost notification and paste them into .htaccess manually via FTP or your hosting file manager.

Does WP Ghost require AllowOverride All?

Yes, on Apache servers. AllowOverride All tells Apache to process the .htaccess file. Most shared hosting plans have this enabled by default. If it’s not enabled, WP Ghost’s rewrite rules are ignored and the plugin falls back to slower WordPress PHP redirects. See the AllowOverride setup guide if you need to enable it.

What about Nginx? Does WP Ghost modify nginx.conf?

WP Ghost doesn’t write to nginx.conf directly. It generates a separate hidemywp.conf file that you (or your host) include in the Nginx configuration. This is a one-time setup. For the full process, see the Nginx setup guide.

Does WP Ghost modify WordPress core files?

No. WP Ghost writes to .htaccess (a server config file, not a WordPress core file) and uses WordPress runtime filters for application-level changes. No PHP files, theme files, or plugin files are ever modified. Deactivating removes all rules and restores defaults instantly.

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.

Necessary

Always Enabled

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.