Hide My WP Ghost Exceptions

WP Ghost (formerly Hide My WP Ghost) is compatible with all major servers, hosting providers, and WordPress Multisite. There are two known environments with limitations: WordPress.com Business plan (login paths restricted by Jetpack) and shared Nginx servers where you cannot access the server config. This page documents both exceptions and their workarounds.

WordPress.com Business Plan

Automattic (the company behind WordPress.com) does not allow wp-admin and wp-login.php paths to be customized on their hosted plans. WordPress.com uses Jetpack for login security and blocks any changes to these paths.

What works: You can use WP Ghost to change and hide all other paths: wp-content, wp-includes, uploads, plugins, themes, author, comments, REST API, and admin-ajax.php. You can also enable the firewall, brute force protection, security headers, and 2FA. These features protect against plugin and theme vulnerabilities regardless of the login path restriction.

What does not work: Customizing wp-admin and wp-login.php paths. Leave these at their default values in WP Ghost settings when using WordPress.com hosting.

Shared or Unmanaged Nginx Servers Without Config Access

WP Ghost requires server rewrite rules to function. On Apache and LiteSpeed servers, these are written to .htaccess automatically. On Nginx, the rewrite rules must be included in the nginx.conf or site config file. If you cannot access the Nginx config and your hosting provider will not add the include line, WP Ghost’s path changes cannot work on that server.

What works: Features that do not depend on rewrite rules still function: brute force protection, 2FA, security headers, and some hide options in Tweaks. These operate through WordPress PHP hooks, not server rewrite rules.

What does not work: Path changes (wp-content, wp-includes, plugins, themes, login, wp-admin, etc.) require rewrite rules. Without access to the Nginx config, these paths cannot be changed.

Workarounds: Contact your hosting provider and ask them to add the hidemywp.conf include line. WP Ghost generates the exact line. Most hosts can do this in a few minutes. If the host refuses, consider switching to a hosting provider that gives you Nginx config access or uses Apache/LiteSpeed instead. See the Nginx Server Setup guide for the exact steps your host needs to follow.

Frequently Asked Questions

Does WP Ghost work with WordPress Multisite?

Yes. WP Ghost supports both subdomain and subdirectory Multisite installations. Path changes can be configured network-wide.

Does WP Ghost work on WP Engine, Kinsta, SiteGround, or Cloudways?

Yes. WP Ghost is compatible with all major managed hosting providers. Some may need the Nginx include line added (WP Engine, Kinsta, Flywheel use Nginx). Contact their support with the include line WP Ghost provides. See the Compatibility List for hosting-specific notes.

My host uses Nginx but I do not have SSH access. What can I do?

Contact your hosting provider’s support team. Send them the include line that WP Ghost displays after saving. Most managed hosts add it within minutes. If the host refuses, WP Ghost’s PHP-based features (brute force, 2FA, headers) still work. Only path changes require the Nginx config.

Is WordPress.com the same as self-hosted WordPress?

No. WordPress.com is a hosted service by Automattic with restrictions on what plugins can do. Self-hosted WordPress (from wordpress.org, installed on your own server) has no such restrictions. WP Ghost works fully on self-hosted WordPress with any hosting provider.

Does WP Ghost modify WordPress core files?

No. WP Ghost uses rewrite rules and WordPress hooks. No core files modified. Deactivating restores all defaults instantly.

Related Tutorials

Nginx Server Setup – add the hidemywp.conf include line.

Compatibility Plugins List – all tested hosts, plugins, and themes.

Customize All WordPress Paths – configure all available paths.

What WP Ghost Can’t Do – full limitations overview.

Website Security Check – verify your configuration.