Is Hide My WP Ghost Hiding The wp-admin On Nginx Servers?

Yes, you can customize and hide wp-admin path on Nginx server. Just follow the setup instruction.

Please read more details about How to configure Hide My WP Ghost for Nginx servers

Note! To change and hide the wp-admin path on Nginx Servers you need to have shell access to be able to reload the Nginx server.

How Do I Know If My Website Is Hidden With Hide My WP Ghost?

Make sure you follow the setup instructions:

You can then use external WordPress detectors to verify if you are 100% hidden:

wordpress vulnerability detector


If the WordPress Detectors still find your website please contact us and we will check if there are some theme incompatibilities.

If I’m logged in my website I can access the wp-admin, is that safe?

The wp-admin path can only be accessed if you are logged in as admin. It’s not visible to visitors or hacker bots.

The Ghost version is hiding all the plugins and themes paths and the WordPress common paths from hackers.

Even if plugins like Woocommerce are adding class names in HTML and WP detectors are identifying these classes in order to tell you that you are using WordPress, the hacker bots are using Brute Force and Script Injection to break the plugins on vulnerable paths even if your website is not built in WordPress.

Having the common paths hidden with Hide My WP Ghost will protect your site against hackers attacks. Also, activate the Brute Force protection from Hide My WP Ghost to prevent the Brute Force attacks.

Having the wp-admin path visible when you’re logged to your website will prevent your website from crashing if you deactivate the plugin or if another plugin uses the old admin path in the backend.

Should You Disable XML-RPC on WordPress?

XML-RPC on WordPress is actually an API or “application program interface“. It gives developers who make mobile apps, desktop apps, and other services the ability to talk to your WordPress site. The XML-RPC API that WordPress provides gives developers a way to write applications (for you) that can do many of the things that you can do when logged into WordPress via the web interface.

These include:

  • Publish a post
  • Edit a post
  • Delete a post.
  • Upload a new file (e.g. an image for a post)
  • Get a list of comments
  • Edit comments

For a full list of the WordPress API functions available to developers via XML-RPC, take a look at this page on the WordPress codex.

If you disable the XML-RPC service on WordPress, you lose the ability for any application to use this API to talk to WordPress.

Let’s use an example to illustrate: You have an app on your iPhone that lets you moderate WordPress comments. Someone advises you to disable XML-RPC. Your iPhone app suddenly stops working because it can no longer communicate with your website using the API you just disabled.

There are two common attacks on XML-RPC:

  • DDoS via XML-RPC pingbacks.
  • Brute force attacks via XML-RPC.

If you still want to disable XML-RPC, you can switch on this option in Hide My WP Ghost.

Does Hide My WP Ghost Going To Make My Website Invisible On FTP?

Hide My WP Ghost adds a redirecting layer over WordPress to let you customize the old paths without physically changing them.
It also gives you the possibility to disable access to the old paths for hackers and protect the WordPress plugins and themes.

WordPress Directory Structure

All these changes will not affect the WordPress directory structure through FTP and it will not break it if you deactivate the plugin.

It looks like a simple plugin but it’s a complex system behind it and a good firewall against Script Injection and Brute Force attacks.

Why do I get a 404 error when I access my new admin URL?

Once you change the admin path and switch on to Hide My WP > Permalinks > Hide the new admin path, you can’t access the new admin URL as a visitor.

You need to go to the new login path, and after you login, you will be redirected to the new admin URL.