How Customizable Is WP Ghost? Can I Control Every Setting?
This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.
WP Ghost is fully customizable. Every feature can be turned on or off individually, every path can be set to a custom value or left at default, and security presets let you load a complete configuration with one click and adjust from there. You control exactly which protections are active and how aggressive they are, from a single hidden login path to full Ghost Mode with firewall, 2FA, and country blocking.
Start Simple, Customize as You Go
WP Ghost is designed so you can start with a preset and then fine-tune. The Overview panel at WP Ghost > Overview shows all major features as toggles. Switch any feature on or off from this single page without navigating to individual settings sections. When you want more control, each feature has its own dedicated settings page with granular options.
Four security presets are available at WP Ghost > Change Paths: Minimal (no server config changes), Safe Mode + Firewall + Compatibility (recommended for most sites), Safe Mode + Full Protection, and Ghost Mode + Full Protection. Load a preset, then customize any individual setting you want to change. The preset handles 80% of the configuration, and you adjust the remaining 20% for your specific site. For details on each preset, see the Preset Security Options tutorial.
What You Can Customize
Every path individually. WP Ghost lets you set custom names for the admin path, login path, lost password path, register path, logout path, activation path, admin-ajax.php, wp-includes, wp-content, uploads, plugins (including individual plugin names), themes (including individual theme names), REST API, author path, and comments path. Each one can be changed independently or left at default.
Firewall settings. Choose between 7G and 8G firewall rules, or disable the firewall entirely. Configure automated IP blocking thresholds: how many attacks trigger a block, the time window, and the block duration. Add custom blacklists and whitelists for IPs, user agents, and referrers.
Brute force protection. Select the reCAPTCHA type (Math, Google V2, Google V3, or Enterprise). Set the maximum number of failed login attempts, the lockout duration, and custom error messages. Enable or disable protection individually on login, lost password, registration, comment, and WooCommerce login forms.
Two-factor authentication. Choose a single 2FA method (authenticator app, email, or passkey) or enable User Choice so each person selects their own. Configure max failed 2FA attempts and ban duration.
Security headers. Enable all seven headers with one toggle, or customize individual header values. The Content-Security-Policy header has a dedicated input field for defining your specific CSP rules.
Tweaks and hiding options. Over 65 individual toggles, each independent, so you turn on exactly what you need. They cover hiding WordPress fingerprints (version numbers, generator meta, DNS prefetch, HTML comments, emoji scripts, embed scripts, WLW manifest, style IDs), disabling browser actions (right-click, inspect element, view source, copy/paste), turning off directory browsing, and more.
Text, URL, and CDN mapping. Replace any text string, URL, or CDN path in your source code with custom values. This gives you complete control over what appears in your page source beyond the automatic path changes.
For Developers
WP Ghost supports wp-config.php constants for server-level overrides and WordPress filters for runtime customization. You can force priority loading, add custom rewrite rules, override file permissions, inject custom CMS signatures, and extend the plugin’s behavior without touching the admin interface. See the WP Ghost Constants tutorial and the Plugin Hooks reference for the full developer API.
Frequently Asked Questions
Do I need technical knowledge to configure WP Ghost?
No. The presets and Overview toggles make setup accessible to anyone. Load a preset, customize your login path, and run the Security Check. That covers most sites in under five minutes. The advanced options are there for users who want granular control, but they are never required. See the WP Ghost Tutorial for a beginner-friendly walkthrough.
Can I use different configurations on different sites?
Yes. Each WP Ghost installation is configured independently. You can also use the Backup and Restore feature to save a configuration from one site and import it on another, then adjust individual settings as needed.
What if a setting breaks something?
WP Ghost includes multiple recovery methods: the Safe URL bypasses all settings for a single request, the Pause 5 Minutes button temporarily disables the plugin, and Rollback resets everything to defaults. You can also disable WP Ghost via wp-config.php or FTP. See the Emergency Disable guide.
Does WP Ghost modify WordPress core files?
No. Every setting is applied through rewrite rules and WordPress filters at runtime. No files are modified. Changing any setting or disabling the plugin reverts the affected feature instantly.