WP Ghost 9.0: Security Threats Log, Login Designer & GEO Map
April 16, 2026
Release date: March 30, 2026
WP Ghost 9.0 is the biggest release since we rebranded from Hide My WP Ghost. It turns the plugin into a full hack-prevention command center with a live Security Optimization Score, a built-in Login Page Designer, AI crawler blocking for copyright protection, an interactive GEO Threat Map, country filtering in logs, and one-click CSV export. Combined with the 8.3 series (Security Threats Log, IP Block Automation, expanded 7G/8G rules, 2FA and Magic Login in core), this update gives you real visibility into what gets blocked on your site every day, not just a list of features running in the background.
What’s New in WP Ghost 9.0 at a Glance
| Feature | What It Does | Availability |
|---|---|---|
| Security Optimization Score | Live 0 to 100 gauge showing how hardened your site is | Free & Premium |
| Login Page Designer | Brand your hidden login URL with logos, colors, and 13 layouts | Free (core) & Premium (advanced presets) |
| AI Crawler Blocking | Blocks GPTBot, ClaudeBot, PerplexityBot, and 30+ AI scrapers | Free & Premium |
| Interactive GEO Threat Map | Visual world map of blocked attacks, clickable to filtered logs | Free & Premium (with Security Threats Log enabled) |
| Country Filtering in Logs | Filter and export attack data by country | Premium |
| CSV Export for Logs | One-click export of threats and user events for reporting | Premium |
| Dark Mode Dashboard | Full dark theme support for the admin UI | Free & Premium |
Security Optimization Score: Know Exactly Where You Stand
The old static speedometer image is gone. In its place, WP Ghost 9.0 shows a live gauge that calculates a precise score from 0 to 100 based on how many security tasks you have actually completed. Every time you enable a feature, fix a vulnerability, or harden a path, the number moves up in real time.
You get both the visual dial and the exact numeric value, so tracking progress over weeks is finally easy. Premium users typically push scores higher because features like IP Block Automation, Country Blocking, and extended file hardening contribute additional points the free tier cannot reach.
You will find the Security Optimization Score on the WP Ghost Overview dashboard and inside the WordPress Security Check page.
Login Page Designer: Brand Your Hidden Login URL
You no longer need a separate login-styling plugin. WP Ghost 9.0 ships with a full Login Page Designer that customizes the look of your secured login URL directly from the plugin settings. Upload a custom logo with live preview, set the logo link, add a background image with blur and overlay controls, tweak page and form background colors, button colors, text and link colors, and pick from 13 layout presets (split-screen, frosted panel, media layouts) plus 10 color scheme presets.
The designer hooks into the custom login URL you set under Change Paths, which means your branded page is served at your secured path and not at the default wp-login.php. Hackers never see the login form, but your real users land on a page that looks like it belongs to your brand.
Location: WP Ghost > Tweaks > Login Page Design.
AI Crawler Blocking: Copyright Protection Against AI Training Bots
AI companies send crawlers to harvest text, images, and data from websites to train their large language models, usually without asking. If you write original content, sell courses, publish research, or run any site where your words are your product, this matters.
WP Ghost 9.0 adds a dedicated AI Crawler Blocking feature that stops these bots at the firewall layer and automatically writes the matching Disallow rules into your robots.txt. The built-in list covers GPTBot, ClaudeBot, PerplexityBot, CCBot, Bytespider, and 30+ other known AI training crawlers. We refresh the list with every plugin release as new bots show up, so you don’t have to track user agents yourself.
This feature only targets AI training crawlers. Regular search engine bots (Googlebot, Bingbot, Yahoo Slurp), social media previews (Facebook, Twitter, LinkedIn), and all standard web traffic pass through untouched. Your SEO rankings and search visibility stay exactly the same.
If you actually want to appear in AI answer engines like ChatGPT Search or Perplexity, you can leave the feature off or selectively allow specific AI crawlers through the Whitelist User Agents option. The choice is yours, not theirs.
Location: WP Ghost > Firewall > Block AI Crawler Bots. For background on how firewall-layer blocking works, see the Firewall & Geo Security guide.
Interactive GEO Threat Map
The Overview dashboard now includes an interactive world map showing where your blocked attacks come from. The top 5 threat countries are plotted with proportional markers so high-volume attack sources stand out visually.
Click any country circle and WP Ghost opens the Security Threats Log already filtered to that country for the last 7 days. No digging through raw data. You see immediately whether a country is worth blocking and can decide in one click whether to add it to your geo restrictions.
Location: WP Ghost Overview dashboard (requires the Security Threats Log to be enabled).
Country Filtering and CSV Export in Security Logs
Both the Security Threats Log and the User Events Log now let you filter entries by country. You can spot regional attack patterns, see which countries generate the noisiest traffic against your site, and export the filtered data for reporting.
Country codes are stored directly in the threats log table for faster lookups, and any missing codes get resolved automatically in the background without slowing down threat logging.
CSV export covers both log types. It’s useful for compliance documentation, sharing attack data with your hosting provider or a security consultant, and keeping offline archives of incidents. The export button sits below the log table, not above it, to prevent accidental clicks when you’re scrolling through entries.
Location: below the log table in WP Ghost > Logs > Security Threats and WP Ghost > Logs > User Events.
Enhanced Overview Dashboard with Dark Mode
The Overview widget got several quality-of-life fixes. Threat counts now show the full 7-day period instead of partial counts, and day buckets are timezone-aligned so the chart and the stat boxes always match the underlying log data.
If WP Ghost detects attacks it could have blocked with a stronger firewall, the dashboard now shows a prompt suggesting you turn on the 7G or 8G Firewall. This is aimed at users who install the plugin and miss one of the highest-impact settings.
Dark mode is fully supported now. If your browser or WordPress admin is set to a dark theme, WP Ghost respects it with proper color handling across the entire plugin UI.
Security Check: IP Block Automation Verification
A new task in the WordPress Security Check page confirms that IP Block Automation is configured correctly. The feature is powerful when it works, but misconfigured thresholds can mean repeat offenders keep hitting your site unblocked. The new check catches that silent failure mode and tells you what to fix.
Key Features Carried Over from WP Ghost 8.3
The 8.3 series laid the groundwork for most of what 9.0 polishes. If you’re upgrading from 8.2 or earlier, here’s what landed in between.
Security Threats Log
Version 8.3.00 introduced a dedicated Security Threats Log that records every blocked attack and malicious request as it happens. The old Events Log was split into two views: User Events (login activity, role changes, settings modifications) and Security Threats (blocked attacks, firewall triggers, brute force attempts). For the first time, you can see exactly what WP Ghost is stopping on your site every day, not just trust that it’s working.
Expanded 7G and 8G Firewall Rules
The 7G and 8G Firewall rulesets grew significantly in 8.3.00 to cover advanced brute-force patterns, SQL injection payloads, XSS attacks, file inclusion exploits, directory traversal probes, and automated vulnerability scans. The firewall execution path was also optimized so it holds up under heavy attack traffic without dragging site performance.
IP Block Automation
Version 8.3.03 added automated IP blocking in the Firewall section. When the same IP repeatedly trips security rules or probes your secured paths, WP Ghost blocks it automatically using thresholds you control: how many attacks, in what time window, for how long.
2FA and Magic Login Moved Into Core
Two-Factor Authentication (code, email, and passkey) and Magic Link Login moved from the separate Advanced Pack into the WP Ghost core in 8.3.03. Every user now has these authentication methods available without installing anything extra.
Why WP Ghost 9.0 Matters
The plugin started as a path security tool, hiding the predictable WordPress structure that bots scan for. That foundation still holds, but most users never had a clear view of what was actually being blocked or where attacks were coming from. 9.0 closes that gap. You get a live score that tells you how hardened your site is, a map that shows who’s hitting it, logs you can export and share, and a login page your real users can be proud to see.
The underlying positioning has not changed. WP Ghost is still a hack-prevention plugin, not a malware scanner. It reduces your attack surface so bots can’t find the doors in the first place, and it works alongside your hosting security, Wordfence, Solid Security, or Sucuri, not as a replacement for them. What 9.0 adds is visibility and control, so you can see the prevention working in real time and make informed decisions instead of flipping toggles in the dark.
How to Upgrade to WP Ghost 9.0
The upgrade is automatic. If you have WP Ghost installed, WordPress will prompt you to update from the Plugins page or Dashboard > Updates. Existing settings carry over. After updating, visit the Overview dashboard once so the new Security Optimization Score can scan your current configuration and set your baseline.
If you are running multiple sites, the upgrade works the same way on WordPress Multisite and on single installs. For best practice settings after upgrading, see our WP Ghost settings best practice guide.
Frequently Asked Questions
What is the Security Optimization Score in WP Ghost?
It’s a live number from 0 to 100 that reflects how many security tasks you have completed in WP Ghost. You’ll see it on the Overview dashboard and the Security Check page as both a visual gauge and an exact value. The higher the score, the fewer vulnerabilities are exposed on your site. Premium features contribute additional points because they cover attack surfaces the free tier doesn’t reach.
How do I customize my WordPress login page with WP Ghost?
Go to WP Ghost > Tweaks > Login Page Design, toggle the feature on, and choose your custom logo, background image, colors, and layout preset. Your changes apply to the secured login URL you have configured under Change Paths, not to the default wp-login.php (which WP Ghost hides anyway).
Does WP Ghost block AI bots from using my content for training?
Yes. WP Ghost 9.0 includes AI Crawler Blocking that stops AI training bots from scraping your site. It covers GPTBot, ClaudeBot, PerplexityBot, CCBot, Bytespider, and 30+ other known AI crawlers at the firewall level. Your copyrighted content is protected from being pulled into AI models without your consent. Regular search engine indexing is unaffected, so your Google, Bing, and Yahoo rankings stay the same.
Will blocking AI crawlers hurt my SEO?
No. The feature specifically targets AI training crawlers like GPTBot and ClaudeBot. Standard search engine bots (Googlebot, Bingbot, DuckDuckBot, YandexBot) and social media preview bots pass through without interference. If you also want to appear in AI answer engines like ChatGPT Search or Perplexity, you can either leave the feature off or whitelist specific crawlers individually.
Can I export my WP Ghost security logs?
Yes. Both the Security Threats Log and User Events Log export to CSV from the log pages under WP Ghost > Logs. The export button sits below the table to avoid accidental clicks. CSV export is a Premium feature.
What changed in the WP Ghost firewall in 2026?
WP Ghost 8.3 expanded the 7G and 8G Firewall rules to cover SQL injection, XSS, file inclusion, directory traversal, and automated vulnerability scans. WP Ghost 9.0 added AI crawler blocking and an IP Block Automation verification check to the firewall stack. Firewall execution was also optimized so it stays fast under heavy attack traffic.
Is the login page designer available in the free version?
Yes, the core designer is in the free version: logo upload, colors, backgrounds, and basic layouts. Advanced layout presets (like frosted panel and split-screen media layouts) are part of WP Ghost Premium.
How does the GEO Threat Map work?
The map on the Overview dashboard plots the geographic origin of blocked threats over the last 7 days. The top 5 countries appear with proportional markers sized by attack volume. Click any country and WP Ghost opens the Security Threats Log filtered to that country. Actually blocking traffic from a country (Country Blocking) is a Premium feature.
Do I need to reconfigure anything after upgrading to 9.0?
No. Existing settings carry over automatically. We recommend visiting the Overview dashboard once after the upgrade so the Security Optimization Score can assess your current setup, and running the Security Check page to pick up any new recommended tasks (like the IP Block Automation verification).
Does WP Ghost 9.0 work with WooCommerce and cache plugins?
Yes. WP Ghost is compatible with WooCommerce, all major cache plugins (WP Rocket, LiteSpeed Cache, W3 Total Cache, Breeze, Hummingbird), and runs alongside other security plugins like Wordfence, Solid Security, and Sucuri. See the compatibility plugins list for the full rundown.
Does WP Ghost modify WordPress core files?
No. WP Ghost never touches WordPress core files. It uses rewrite rules, filters, and a mapping engine to redirect requests and hide the real paths. Core, plugins, and themes stay completely untouched, which means updates apply normally and nothing breaks when you deactivate the plugin.