How Do I Block WP Content in WordPress? (WP Ghost Guide)

Q: Will blocking wp-content break my images, CSS, or JavaScript?

No. WP Ghost creates a new URL path using rewrite rules. Assets are served through the custom path. Only the old default path is blocked.

Q: Do I need to change the path before hiding it?

Yes. Change the path first so your site uses new URLs, then hide the old path so it returns a 404. Doing both gives complete protection.

Q: Will this affect my SEO or sitemaps?

No. Hidden files like directory structures and readme.txt are not indexed by search engines. Public pages, posts, and media continue working through custom paths.

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

You can block direct access to wp-content in two steps: change the wp-content path to a custom name, then enable Hide WordPress Common Paths to return a 404 on the original URL. WP Ghost handles both from a single settings page, and nothing on your site breaks because all files are served through the new path automatically.

Why Should You Block Access to the wp-content Directory?

The /wp-content/ directory is the heart of every WordPress installation. It contains your themes, plugins, and uploaded media. Every bot, scanner, and theme detector on the internet knows exactly where to find it, because WordPress puts it in the same place on every site.

When attackers can access /wp-content/, they can enumerate your plugins by probing /wp-content/plugins/plugin-name/readme.txt, identify your theme from /wp-content/themes/theme-name/style.css, and find your exact versions from those files. With that information, they look up known vulnerabilities and launch targeted exploits. Blocking access to wp-content removes this entire attack vector.

How Do I Change the wp-content Path with WP Ghost?

The first step is to give your wp-content directory a custom URL so your site’s assets load from a path that doesn’t reveal WordPress.

Go to WP Ghost > Change Paths > WP Core Security. Find the Custom wp-content Path field. A predefined random name is already filled in. You can keep it or enter your own. Avoid names that obviously relate to content, like “assets”, “files”, or “resources”. Choose something random that doesn’t hint at what’s inside. Click Save to apply.

After saving, every URL that previously referenced /wp-content/ now uses your custom path. Images, CSS, JS, fonts, everything updates automatically. Check your page source in a private browser window and search for “wp-content”. If the path change is working, you won’t find any instances.

For a full walkthrough, see the change wp-content path tutorial.

How Do I Hide the Old wp-content Path So Bots Get a 404?

Changing the path creates a new URL, but the original /wp-content/ path might still respond if someone types it directly. You need to block access to the old path so bots and scanners hit a dead end.

Still in WP Ghost > Change Paths > WP Core Security, switch on Hide WordPress Common Paths. This blocks direct access to the old /wp-content/, /wp-includes/, and other default WordPress directories. Anyone or any bot that tries to access the original path gets a 404 error instead.

You can also choose which file extensions to block from the old paths. The key ones are PHP (blocks direct access to vulnerable plugin files), JS (hides JavaScript files that reveal plugin structure), and TXT (hides readme.txt files that expose plugin versions). Select the extensions you want to protect and click Save.

Hide WordPress Common Paths option in WP Ghost settings showing file extension protection

How Do I Verify That wp-content Is Actually Blocked?

After saving your settings, run a quick verification. Go to WP Ghost > Security Check and click Start Scan. The plugin checks whether the wp-content path has been changed and the old path is hidden. If everything is working, the security task is marked as complete.

You can also verify manually. Open a private browser window and try accessing your old wp-content path directly, for example yourdomain.com/wp-content/. You should see a 404 error page. Then view your page source and search for “wp-content”. If neither test reveals the default path, your site is properly protected.

For complete details on the security scanner, see the Security Check tutorial.

What Else Can I Hide Along with wp-content?

Blocking wp-content is a great start, but for full protection you should also change and hide the wp-includes path, change individual plugin names and paths, change your theme names and paths, and change the uploads path. When all of these are customized together, vulnerability scanners and theme detectors come up completely empty. WP Ghost can do all of this from the same WP Ghost > Change Paths page.

For a recommended configuration that covers all paths, check the best practice guide.

Frequently Asked Questions

Will blocking wp-content break my images, CSS, or JavaScript?

No. WP Ghost doesn’t delete or move any files. It creates a new URL path using server rewrite rules. Your images, stylesheets, and scripts are served through the new custom path. Only the old default path is blocked. Clear your cache after saving so cached pages pick up the new URLs.

Do I need to change the path before hiding it?

Yes. The most effective approach is to do both. Change the wp-content path first so your site uses new URLs, then hide the old path so it returns a 404. If you only hide without changing, some internal references may still point to the old path, which could cause broken assets.

Does hiding wp-content affect logged-in admin users?

No. WP Ghost only blocks access for non-logged-in visitors and bots. Logged-in administrators can still access all paths normally. The 404 responses only apply to anonymous requests, which is exactly what bot traffic looks like.

Does this work with WooCommerce?

Yes. WP Ghost is fully compatible with WooCommerce. Product images, cart functionality, checkout pages, and customer accounts all work normally through the custom paths. WooCommerce files are served through the new path just like everything else.

Will this affect my SEO or sitemaps?

No. The files being hidden (wp-content directory structure, readme.txt, license.txt) are not indexed by search engines and aren’t part of your sitemap. Your public pages, posts, images, and media all continue working through the custom paths. Search engines follow the new URLs just like visitors do.

Does WP Ghost modify WordPress core files?

No. WP Ghost uses server rewrite rules and WordPress filters to create virtual paths. No files are physically moved, renamed, or modified. The actual wp-content folder stays exactly where WordPress put it. Deactivating WP Ghost restores all default paths instantly.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.