Is hiding plugin names a free feature?

Yes. Changing the plugins directory path, randomizing plugin names, and Text Mapping are all included in the free version of WP Ghost.

How Can I Hide Plugins From WordPress Detectors?

Q: How can I hide plugins from WordPress detectors?

WP Ghost changes the plugins directory path and randomizes individual plugin names in the page source. Instead of /wp-content/plugins/contact-form-7/, detectors see random strings like /app/modules/xk4m9p/. Combined with wp-content path changes and Text Mapping, this makes plugin identification impossible.

Q: Will hiding plugin names break plugin functionality?

No. WP Ghost changes paths in the page source through rewrite rules, not by renaming files. Plugins load from their original directory on the server. The browser receives files through new URLs, but functionality is unaffected.

Q: Does this also hide plugins from vulnerability scanners like WPScan?

Yes. WPScan probes known paths like /wp-content/plugins/plugin-name/readme.txt. With WP Ghost active, every probe returns 404 and the scanner reports zero detected plugins.

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

WP Ghost hides your plugins from WordPress detectors by changing the plugins directory path and randomizing individual plugin names in the page source. Instead of /wp-content/plugins/contact-form-7/, detectors see something like /app/modules/xk4m9p/. Combined with wp-content and wp-includes path changes, this makes it impossible for tools like BuiltWith, Wappalyzer, and WP Theme Detector to identify which plugins your site uses.

How Detectors Identify Your Plugins

WordPress plugin detectors work by scanning your page source for recognizable patterns. Every plugin that loads CSS or JavaScript on the frontend leaves a fingerprint in the HTML: a stylesheet link to /wp-content/plugins/plugin-name/style.css, a script tag pointing to /wp-content/plugins/plugin-name/script.js, or HTML class names specific to that plugin. Detectors match these patterns against their database of known plugins and report what they find.

To fully hide plugins from detectors, you need to eliminate all of these signals: the plugins directory path, individual plugin folder names, any plugin-specific class names in the HTML, and the /wp-content/ path that confirms WordPress.

What WP Ghost Changes

Plugins directory path. WP Ghost changes /wp-content/plugins/ to a custom path of your choice. Go to WP Ghost > Change Paths > Plugins Security and set a custom plugins path. Every plugin URL in your page source uses the new path.

Individual plugin names. WP Ghost randomizes each plugin’s folder name in the page source. Instead of contact-form-7, the source shows a random string like xk4m9p. Each plugin gets a unique random code. Detectors cannot match these random strings against their plugin database. Configure this in the same Plugins Security section.

The wp-content path. WP Ghost changes /wp-content/ to a custom path, removing the most visible WordPress directory fingerprint from your entire page source. This affects plugin paths, theme paths, upload paths, and all other resources that load from wp-content.

Plugin-specific class names and IDs. Some plugins add recognizable class names to the HTML (like wpcf7-form for Contact Form 7). WP Ghost’s Text Mapping feature at WP Ghost > Mapping > Text Mapping lets you replace these class names with custom strings. This removes the final fingerprints that detectors could use to identify specific plugins.

For the complete plugin-hiding setup, see the Change Plugins Path tutorial. For the full detector-hiding guide covering themes and CMS identity as well, see the Hide From Theme Detectors tutorial.

Quick Setup

The fastest approach is to activate Ghost Mode at WP Ghost > Change Paths > Level of Security. Ghost Mode automatically changes the plugins path, randomizes plugin names, changes the wp-content path, and applies comprehensive path security. After saving, verify the result by checking your page source in the browser (View Source) and running your site through a detection tool like BuiltWith.com or WhatCMS.org. The tool should not list any of your actual plugins.

Frequently Asked Questions

Will hiding plugin names break plugin functionality?

No. WP Ghost changes the paths in the page source through rewrite rules, not by renaming actual files. Your plugins continue loading from their original directory on the server. The browser receives the files through the new URLs, but the server knows to serve them from the original locations. Functionality is completely unaffected.

Does this also hide plugins from vulnerability scanners like WPScan?

Yes. Vulnerability scanners like WPScan detect plugins by probing known paths (like /wp-content/plugins/plugin-name/readme.txt). When WP Ghost changes these paths, the scanner gets 404 errors for every probe and reports zero detected plugins. This is the security benefit: bots cannot find plugins to check against vulnerability databases.

Is this a free feature?

Changing the plugins directory path and randomizing plugin names are included in the free version of WP Ghost. Text Mapping for replacing class names in the HTML is also free.

Does WP Ghost modify WordPress core files?

No. Plugin paths are changed through server rewrite rules and WordPress output filtering. No plugin files are renamed, moved, or modified. Deactivating WP Ghost restores all original plugin paths instantly.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.