Yes. 115+ features free including path security, firewall, brute force, 2FA with passkeys, and security headers. Premium adds logs, geo blocking, and priority support.

How Does WP Ghost Compare to CloudFilt?

Q: How does WP Ghost compare to CloudFilt?

They serve different purposes. CloudFilt is a cloud WAF that filters traffic at the network level. WP Ghost is a hack-prevention plugin that hides WordPress paths, blocks bots, and hardens site configuration at the application level. They can work together as complementary layers.

Q: Can I use WP Ghost together with CloudFilt?

Yes. They work at different layers without conflict. CloudFilt handles network-level traffic filtering. WP Ghost handles WordPress-level path security, firewall, login protection, and identity hiding.

Q: Does WP Ghost replace a cloud WAF?

Not directly. WP Ghost includes a 7G/8G firewall at the server/application level. A cloud WAF filters at the network level. For most WordPress sites, WP Ghost's firewall is sufficient.

Q: Does WP Ghost modify WordPress core files?

No. Server rewrite rules and WordPress filters only. No files modified. Deactivating restores all defaults.

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

WP Ghost and CloudFilt serve different purposes. CloudFilt is a cloud-based web application firewall (WAF) that filters traffic at the network level before it reaches your server. WP Ghost is a hack-prevention plugin that works at the WordPress application level, hiding paths, blocking bots, and hardening your site’s configuration. They can work together as complementary layers, and WP Ghost offers significantly more WordPress-specific security features.

What Does CloudFilt Do?

CloudFilt is a cloud-based WAF service that sits between your visitors and your server. It filters incoming traffic at the network/CDN level, blocking malicious requests, DDoS attacks, and bad bots before they reach your hosting. It works by routing your traffic through their servers, similar to how Cloudflare or Sucuri’s firewall works. CloudFilt focuses on traffic filtering, not on WordPress-specific security.

What Does WP Ghost Do That CloudFilt Doesn’t?

WP Ghost operates at the WordPress application level and provides security features that a cloud WAF can’t offer. It changes every default WordPress path (wp-admin, wp-login, wp-content, plugins, themes, uploads, REST API) so bots can’t identify your site as WordPress. It includes a built-in 7G/8G firewall, brute force protection with reCAPTCHA, two-factor authentication (including passkeys with Face ID and Touch ID), security headers, Text and URL Mapping, country blocking, and security monitoring with threat logs.

The key difference is approach. CloudFilt filters traffic at the network edge. WP Ghost reduces the attack surface at the application level. A cloud WAF blocks known malicious patterns. WP Ghost hides the doors so bots can’t find them in the first place. Most attacks against WordPress target predictable paths and known plugin vulnerabilities. If those paths don’t exist, the attack has nothing to target, regardless of whether a WAF is in front of your server.

Can I Use WP Ghost Together with CloudFilt?

Yes. They work at different layers and don’t conflict. CloudFilt handles network-level traffic filtering. WP Ghost handles WordPress-level path security, firewall rules, login protection, and identity hiding. Using both gives you layered defense: CloudFilt stops threats at the network edge, and WP Ghost stops threats that reach your WordPress application.

WP Ghost is also designed to work alongside other security tools like Wordfence, Solid Security, Sucuri, and hosting firewalls. You don’t need to choose between them. WP Ghost handles prevention (hiding the attack surface), while other tools handle detection and response (scanning for malware, monitoring file changes).

Do I Need CloudFilt If I Have WP Ghost?

For most WordPress sites, WP Ghost alone provides comprehensive hack prevention. With 115+ free features covering path security, 7G/8G firewall, brute force protection, 2FA, and security headers, WP Ghost handles the most common attack vectors against WordPress. A cloud WAF like CloudFilt adds value if your site faces heavy DDoS attacks, large-scale bot traffic, or needs enterprise-level network filtering. For typical WordPress sites, blogs, WooCommerce stores, and small business sites, WP Ghost is sufficient on its own or paired with a plugin like Wordfence for malware scanning.

For the full list of security plugins WP Ghost works alongside, see the compatible plugins list.

Frequently Asked Questions

Does WP Ghost replace a cloud WAF?

Not directly. They work at different layers. WP Ghost includes its own 7G/8G firewall that blocks SQL injection, script injection, and exploit attempts at the server/application level. A cloud WAF like CloudFilt filters traffic at the network level before it reaches your server. For most WordPress sites, WP Ghost’s built-in firewall is sufficient. A cloud WAF adds an extra layer for high-traffic or enterprise sites.

Is WP Ghost free?

Yes. WP Ghost Free includes 115+ features: path security, 7G/8G firewall, brute force protection, 2FA (including passkeys), security headers, and dozens of hardening options. Premium adds the full Security Threats Log, User Events Log, country blocking, extended file extension security, and priority support.

Does WP Ghost modify WordPress core files?

No. WP Ghost uses server rewrite rules and WordPress filters to change paths and block threats at runtime. No core files, theme files, or plugin files are modified. Deactivating WP Ghost restores all default WordPress paths instantly.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.