How Do I Hide My WordPress Site from the Public?

Q: Can I hide my site from visitors but still let my client preview it?

Yes. Maintenance mode blocks non-logged-in visitors. Create a WordPress account for your client or use WP Ghost Temporary Login to generate a one-click expiring access link.

Q: Will the noindex setting affect my SEO once I launch?

Only if you forget to uncheck it. Go to Settings > Reading and uncheck the noindex box before launching. WP Ghost path changes don't affect SEO.

Q: Do I need both a maintenance plugin and WP Ghost?

They serve different purposes. Maintenance mode hides content from human visitors. WP Ghost hides WordPress identity from bots and attackers. Use both during development, keep WP Ghost after launch.

Q: What happens when I'm ready to launch?

Deactivate maintenance mode and uncheck noindex. Keep WP Ghost active permanently for ongoing hack prevention. No WP Ghost changes needed at launch.

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

If your WordPress site isn’t ready for visitors yet, you need to keep the public out while you build and test. The standard approach combines a maintenance mode plugin for human visitors, a noindex setting for search engines, and a security plugin like WP Ghost to protect the site from bots even during development. This guide covers every step, from blocking public access to securing the site before it goes live.

How Do I Block Visitors from Seeing My Unfinished Site?

The fastest way to hide your site from the public is with a maintenance mode or “coming soon” plugin. Install one from the WordPress plugin directory. Popular options include SeedProd, WP Maintenance Mode, and LightStart. Once activated, the plugin displays a branded placeholder page to every visitor while logged-in administrators see the real site and can keep building.

This is the right tool for the job when your goal is visitor-facing privacy. You can customize the placeholder page with your logo, a message, a countdown timer, or an email signup form so visitors know the site is coming.

How Do I Stop Search Engines from Indexing My Site During Development?

You don’t want Google crawling and indexing half-finished pages. Go to Settings > Reading in your WordPress dashboard and check the box that says “Discourage search engines from indexing this site.” This adds a noindex meta tag to every page, telling search engines to skip your site until you’re ready.

This is a critical step that’s easy to forget. When your site is ready for launch, come back to Settings > Reading and uncheck this box. Forgetting to remove noindex is one of the most common reasons new WordPress sites don’t appear in Google for weeks after launching.

Should I Password Protect the Entire Site?

If you need stronger access control than a maintenance mode plugin provides, you can password protect your entire site at the server level. Most hosting control panels (cPanel, Plesk, RunCloud) offer directory-level password protection that blocks all access unless the visitor enters a username and password. This works independently of WordPress, which means even if someone knows your site URL, they can’t view anything without credentials.

This is especially useful if you’re sharing the site with a client for review but want to keep it completely private from everyone else. You can also restrict access by IP address (see the whitelisting section below) for an even tighter lockdown.

How Do I Restrict Access to Specific IP Addresses Only?

If you and your team work from fixed IP addresses, you can whitelist only those IPs and block everyone else. WP Ghost includes IP whitelisting under WP Ghost > Firewall > Whitelist. Add your IP address (and your team’s IPs) to ensure only authorized users can access the site. Combined with brute force protection and the firewall, this creates a tight development environment.

Keep in mind that IP whitelisting only works reliably if you have a static IP. If your ISP assigns dynamic IPs, you’ll need to update the whitelist each time your IP changes. In that case, a maintenance mode plugin combined with strong login credentials and two-factor authentication is a better approach.

Why Should I Install WP Ghost Before My Site Goes Live?

Bots start scanning new domains within hours of registration. Even if your site has no traffic and isn’t linked anywhere, automated scanners will find it and probe for default WordPress paths like /wp-admin/, /wp-login.php, and /wp-content/. If those paths respond, bots know you’re running WordPress and start looking for vulnerabilities.

Installing WP Ghost during development means your site is protected from day one. Go to WP Ghost > Change Paths > Level of Security and select Safe Mode or Ghost Mode. WP Ghost changes all default WordPress paths to custom names, enables the 8G firewall, and blocks bots before they reach your plugins and themes. When you launch, the protection is already in place. You never have an unprotected window.

For the complete setup walkthrough, see the WP Ghost installation guide.

What Else Should I Do to Secure My Site During Development?

Hiding the site from visitors is one layer. Securing it against attacks is another. During development, make sure you also use strong, unique passwords for every admin and user account, enable two-factor authentication on all logins (WP Ghost includes 2FA by code, email, and passkey for free), keep WordPress core, themes, and plugins updated, set up regular backups stored off-site so you can restore quickly if anything goes wrong, and run WP Ghost > Security Check > Start Scan to find and fix any remaining weak spots.

For a recommended configuration covering all security layers, check the WP Ghost best practice guide.

Frequently Asked Questions

Can I hide my site from visitors but still let my client preview it?

Yes. A maintenance mode plugin blocks all non-logged-in visitors but lets anyone with a WordPress account see the full site. Create a subscriber or editor account for your client and give them the login URL. Alternatively, use WP Ghost’s Temporary Login feature to generate a one-click access link that expires automatically, no password needed.

Will the noindex setting affect my SEO once I launch?

Only if you forget to remove it. Before launching, go to Settings > Reading and uncheck “Discourage search engines from indexing this site.” Once unchecked, search engines will begin crawling and indexing your site normally. WP Ghost’s path changes don’t affect SEO at all. Google follows the custom paths just like human visitors.

Do I need both a maintenance plugin and WP Ghost?

They serve different purposes. A maintenance plugin hides your unfinished content from human visitors. WP Ghost hides your WordPress identity from automated bots, scanners, and attackers. During development, use both. After launch, remove the maintenance plugin but keep WP Ghost active permanently for ongoing hack prevention.

Can I use WP Ghost on a local development site?

Yes. WP Ghost works on any WordPress installation including local environments. On localhost the security benefits are minimal since the site isn’t publicly accessible, but it’s useful for testing your configuration before deploying to a live server.

What happens when I’m ready to launch? Do I need to change anything in WP Ghost?

No changes needed in WP Ghost. Just deactivate the maintenance mode plugin and uncheck the noindex setting. WP Ghost’s path security, firewall, brute force protection, and 2FA should stay active permanently. They protect your site from bots and attacks whether you’re in development or fully live.

Does WP Ghost modify WordPress core files?

No. WP Ghost uses server rewrite rules and WordPress filters to change paths and block threats at runtime. No core files, theme files, or plugin files are modified, moved, or renamed. Deactivating WP Ghost restores all default WordPress paths instantly.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.