FAQ

Hiding the WordPress site and CMS is a good idea when you want to protect your website from hacker bots attacks.

Usually, the bots try to inject scripts and SQL queries into the website no matter if they are WordPress or other type of CMS.
Most of the attacks are targeting the well known plugins with vulnerabilities which have a door to the WordPress core.

There are 2 ways to hide a WordPress site:

1. Manually through File Manager with a bit of PHP knowledge

To hide the WordPress Site you need to:

• Hide all the WP headers like RDS, DNS Prefetch, Generator Meta
• Hide all the WP comments and versions at the end of each file
• Change and hide the WP common paths like wp-content, wp-includes, plugins, themes and cache directories
• Hide the files readme.html, xml-rpc.php, install.php, wp-config.php and more
• Hide classes from source code beginning with “wp-” (make sure the plugins are not using them)

2. Use a free WordPress plugin

A faster way to hide the WordPress site without coding, we recommend you to install the Hide My WP Ghost plugin

Hiding the WordPress site and CMS is a good idea when you want to protect your website from hacker bots attacks.

Usually, the bots try to inject scripts and queries into the website no matter if they are WordPress or other type of CMS.
Most of the attacks are targeting the well known plugins with vulnerabilities which have a door to the WordPress core.

This should be the main reason you should hide the CMS.

To hide the WP CMS you need to:

• Hide all the WP headers
• Hide all the WP comments and versions
• Change and hide the WP common paths like wp-content, wp-includes, plugins, themes and cache directories
• Hide the files readme.html, xml-rpc.php, install.php, wp-config.php and more
• Hide classes from source code beginning with “wp-” (make sure the plugins are not using them)

A faster way to hide the WordPress site without coding, we recommend you to install the Hide My WP Ghost plugin

Yes, you can hide the website until it’s ready in two ways:

1. The easy way to hide your WordPress website while you’re in development is to check the option “Discourage search engines from indexing this site” from Settings > Reading

2. Another way is to install a free maintenance plugin like https://wordpress.org/plugins/wp-maintenance-mode/

The plugin will let you customize the website but it will be hidden for the users and Search Engines. This is how the visitors will see the frontend:

One advantage to use the maintenance plugin is that you can collect emails until you finish the website and already have users for Email Marketing when you start your business.

To hide the CMS from Theme detectors is not so easy to do. You need to change all WordPress common paths in source-code, hide the paths, links to WordPress.org, restrict access to WordPress files, and more.

If you have a WordPress site and you want to hide the fact that you’re using a WordPress CMS, install Hide My WP Ghost plugin and configure it to hide and protect your website in the same time.

Here are some useful articles you must follow to hide your website from Theme detectors:

https://hidemywpghost.com/how-to-hide-from-wordpress-theme-detectors/

https://hidemywpghost.com/hide-my-wp-how-to-install-the-plugin/

All the ajax calls in the frontend are made by the default URL /wp-admin/admin-ajax.php. This URL is also used by hackers to upload viruses and scripts on your website.

Changing the wp-admin/admin-ajax.php URL is mandatory for protecting the WordPress site from hackers.

To easily change the admin-ajax.php path you can use Hide My WP Ghost plugin. After adding a new ajax URL, the default admin-ajax.php URL will be hidden from hackers.

How to change admin-ajax in WordPress

1. To change the admin-ajax.php path, go to Hide My WP > Permalinks > Custom Ajax URL
   
2. To hide the wp-admin path from ajax calls, switch on Hide My WP > Permalinks > Hide wp-admin from ajax URL 

Why you must have Hide My WP Ghost: https://hidemywpghost.com/hide-my-wp-why-you-must-have-it/

You can change wp-content folder manually or using a WordPress plugin.

1. You can manually change the folder wp-content into lib (or a different name) using the File Manager on your server and you will need to re-login to your website.
   
2. You can use Hide My WP Ghost plugin to change the wp-content path and all the common WordPress paths to protect your website from hackers.

You can find details about both ways here:
https://hidemywpghost.com/how-to-customize-wp-content-directory-in-wordpress/

WordPress wp-login, wp-login.php, and login paths are the first ones a hacker bot will access for Brute Force attacks. Changing these paths and hiding them is mandatory when you have a WordPress CMS.

To do this with Hide My WP Ghost, just change the name for the wp-login with your custom name in Hide My WP > Change Paths > Login Security > Custom Login Path.

The most important path in WordPress is the wp-admin and the only way to protect this path is by changing its name and hiding it from hacker bots.

To do this with Hide My WP Ghost, just change the name for the wp-admin with your custom name in 
Hide My WP > Change Paths > Custom Admin Path.

Yes, you can customize and hide wp-admin path on Nginx server. Just follow the setup instruction.

Please read more details about How to configure Hide My WP Ghost for Nginx servers

Note! To change and hide the wp-admin path on Nginx Servers you need to have shell access to be able to reload the Nginx server.

Make sure you follow the setup instructions:
https://hidemywpghost.com/hide-my-wp-how-to-install-the-plugin/

You can then use external WordPress detectors to verify if you are 100% hidden:

http://whatwpthemeisthat.com/
http://www.wpthemedetector.com/
https://whatcms.org/
https://wpplugins.tips/wordpress-vulnerability-detector/

If the WordPress Detectors still find your website please contact us and we will check if there are some theme incompatibilities.

By default, the wp-admin path is visible for all logged users.

However, Hide My WP Ghost gives you the option to only show the wp-admin path for site administrators.

Switch on Hide My WP > Change Paths > Admin Security > Hide “wp-admin” from Non-Admin Users and logged site users will only be able to access the wp-admin path if they are website administrators.

Note! Having the wp-admin path visible when you’re logged as administrator will prevent your website from crashing if you deactivate the plugin or if another plugin uses the old admin path in the backend.

Having the common paths hidden with Hide My WP Ghost will protect your site against hackers attacks. Also, make sure to activate the Brute Force protection from Hide My WP Ghost to prevent Brute Force attacks.

XML-RPC on WordPress is actually an API or “application program interface“. It gives developers who make mobile apps, desktop apps, and other services the ability to talk to your WordPress site. The XML-RPC API that WordPress provides gives developers a way to write applications (for you) that can do many of the things that you can do when logged into WordPress via the web interface.

These include:

• Publish a post
• Edit a post
• Delete a post.
• Upload a new file (e.g. an image for a post)
• Get a list of comments
• Edit comments

For a full list of the WordPress API functions available to developers via XML-RPC, take a look at this page on the WordPress codex.

If you disable the XML-RPC service on WordPress, you lose the ability for any application to use this API to talk to WordPress.

Let’s use an example to illustrate: You have an app on your iPhone that lets you moderate WordPress comments. Someone advises you to disable XML-RPC. Your iPhone app suddenly stops working because it can no longer communicate with your website using the API you just disabled.

There are two common attacks on XML-RPC:

• DDoS via XML-RPC pingbacks.
• Brute force attacks via XML-RPC.

If you still want to disable XML-RPC, you can switch on this option in Hide My WP Ghost.

Hide My WP Ghost adds a redirecting layer over WordPress to let you customize the old paths without physically changing them.
It also gives you the possibility to disable access to the old paths for hackers and protect the WordPress plugins and themes.

All these changes will not affect the WordPress directory structure through FTP and it will not break it if you deactivate the plugin.

It looks like a simple plugin but it’s a complex system behind it and a good firewall against Script Injection and Brute Force attacks.

Hide My WP Ghost adds a redirecting layer over WordPress to let you customize the old paths without physically change them.

It also gives you the possibility to disable access to the old paths for hackers and protect the WordPress plugins and themes.

All these changes will not affect the WordPress directory structure through FTP and it will not break it when you deactivate the Hide My WP Ghost plugin.

It looks like a simple plugin but it’s a complex system behind it and a good firewall against Script Injection and Brute Force attacks.

XML-RPC on WordPress is actually an API or “application program interface“. It gives developers who make mobile apps, desktop apps, and other services the ability to talk to your WordPress site. The XML-RPC API that WordPress provides gives developers a way to write applications (for you) that can do many of the things that you can do when logged into WordPress via the web interface.

Hide My Wp Ghost was tested with all the popular cache plugins like:

• W3 Total Cache
• WP Super Cache
• Wp Fastest Cache
• WP-Rocket
• LiteSpeed Cache
• Autoptimize
• Cache Enabler

If you use a cache plugin that is not in this list and you notice any compatibility issue, please contact us and we will work to make Hide My WP Ghost compatible with it.

Yes, from version 2.3.030 of Hide My Wp Ghost plugin is compatible with BuddyBoss Theme .

Yes, from version 2.3.030 of Hide My Wp Ghost plugin is compatible with Jupiter Theme from Themeforest.

Once you change the admin path and switch on to Hide My WP > Permalinks > Hide the new admin path, you can’t access the new admin URL as a visitor.

You need to go to the new login path, and after you login, you will be redirected to the new admin URL.

Yes, since version 2.3.017, Hide My Wp Ghost plugin is compatible with Classiera Theme from Themeforest.

UPDATE! Since Hide My WP Ghost 5.0, wp-admin can be hidden for Nginx servers.
It will require a config update after you update the settings in Hide My WP Ghost with the custom wp-admin path.

Read more details about how to configure Hide My WP Ghost for Nginx servers

If the .htaccess file is not writable, in order for Hide My Wp Ghost to work you need to write the code you receive in the Hide My Wp Ghost > Permalinks after you change the settings.

If you don’t have server access you can install a plugin that will help you with this:
https://wordpress.org/plugins/wp-htaccess-control/

You can remove the wp-htaccess-control plugin after you’re done with the setup.

No. You need to have custom permalinks set on in Settings > Permalinks.

You will get a notification in the Settings page if something is not setup right.

Don’t panic. You can find information here on how you can deactivate the plugin and configure it right:

How to Disable The Plugin In Case Of Error

Yes, this feature is available for Hide My WP Ghost.

It works with both structures of WP Multisite: subdomain & subdirectories.

Hide My WP Ghost works on WP Multisite and you will configure it for the entire network.

Multisite counts just as one site. Because the settings and usage will happen in Network > Plugins, and not on each individual site.

The Ghost version also works with Apache, Nginx, IIS and LiteSpeed servers.

You can see all the features here: https://hidemywpghost.com/hide-my-wp-ghost-security-features/