Ideal Hide My WP Ghost Settings – Best Practice 2024
November 16, 2021
Learn how to set up Hide My WP Ghost in Ghost Mode and activate all security features you need for a stronger and safer website in just 6 minutes.
VIDEO OUTLINE
- Min. 1.00 – 1.33: Select and Save GHOST MODE
- Min. 1.33 – 2.24: Change Paths Settings
- Min. 2.25 – 3.43: Tweaks Settings
- Min. 3.43 – 4.07: Brute Force Settings
- Min. 4.08 – 4.36: Events Log Settings
- Min. 4.36 – 5.29: Security Check
- Min. 5.29 – 6.28: View Changes
π Min. 01.00 – 1.33: Select and Save GHOST MODE
Recommended Actions:
- Select Ghost Mode
- A pop-up will appear showing you all the predefined paths that Hide My WP Ghost sets in Ghost Mode. READ the info.
- Click on Continue, and then SAVE.
- Run the Frontend Login test.
- SAVE your login URL (!very important that you do this)
- SAVE your SAFE URL (!also very important, youβll need this in case you canβt login)
- If the test is successful, click on Yes, itβs working.
π Min. 1.33 – 2.24: Change Paths Settings
Admin Security
- Custom Admin Path β Recommended action: Leave as is
- Hide wp-admin β Recommended: ON
- Hide wp-admin From Non-Admin users β Recommended: ON
- Hide the New Admin Path β Recommended: ON
Login Security
- Custom Login Path β Recommended action: Leave as is
- Hide wp-login.php β Recommended: ON
- Hide login Path β Recommended: ON
- Custom Lost Password Path β Recommended action: Leave as is
- Custom Register Path β Recommended action: Leave as is
- Custom Logout Path β Recommended action: Leave as is
Ajax Security
- Custom admin-ajax Path β Recommended action: Leave as is
- Hide wp-admin from Ajax URL β Recommended: ON
- Change Paths in Ajax Calls β Recommended: ON
User Security
- Custom Author Path β Recommended action: Leave as is
- Hide Author ID URL β Recommended: ON
WP Core Security
- Custom wp-content Path β Recommended action: Leave as is
- Custom wp-includes Path β Recommended action: Leave as is
- Custom uploads Path β Recommended action: Leave as is
- Custom comment Path β Recommended action: Leave as is
- Hide WordPress Common Paths β Recommended: ON
- Hide File Extensions β Recommended action: Leave as is
Plugins Security
- Custom plugins Path β Recommended action: Leave as is
- Hide Plugin Names β Recommended: ON
- Hide All the Plugins β Recommended: OFF
- Hide WordPress Old Plugins Path β Recommended: ON
- Show Advanced Optionsβ Recommended: OFF
Themes Security
- Custom themes Path β Recommended action: Leave as is
- Hide Theme Names β Recommended: ON
- Hide WordPress Old Themes Path β Recommended: ON
- Custom theme style name β Recommended action: Leave as is
- Show Advanced Options β Recommended: OFF
API Security
- Custom wp-json Path β Recommended action: Leave as is
- Hide REST API URL link β Recommended: ON
- Disable REST API access β Recommended: OFF
- Disable XML-RPC access β Recommended: ON
- Disable RSD Endpoint from XML- RPC β Recommended: ON
Firewall and Headers
- Add Security Headers for XSS and Code Injection Attacks β Recommended: ON
- Strict-Transport-Security β Recommended: ACTIVE, leave as is
- Content-Security-Policy β Recommended: ACTIVE, leave as is
- X-XSS- Protection β Recommended: ACTIVE, leave as is
- X-Content-Type- Options β Recommended: ACTIVE, leave as is
- Cross-Origin-Embedder- Policy β Recommended action: ADD then leave as is
- Cross-Origin-Opener-Policy β Recommended action: ADD then leave as is
- X-Frame-Options β Recommended action: ADD then leave as is
- Remove Unsafe Headers β Recommended: ON
- Block Theme Detectors Crawlers β Recommended: ON
- Firewall Against Script Injection β Recommended: ON
π Min. 2.25 – 3.43: Tweaks Settings
Redirects
- Redirect Hidden Paths β Recommended action: Leave as is (redirects hidden paths to your front page)
- Do Login & Logout Redirects β Recommended: OFF
Feed and Sitemap
- Hide Feed and Sitemap Link Tags β Recommended: ON
- Change Paths in RSS feed β Recommended: ON
- Change Paths in Sitemaps XML β Recommended: ON
- Hide Paths in Robots.txt β Recommended: ON
Change Options
- Change Paths for Logged Users β Recommended: ON
- Change Relative URLs to Absolute URLs β Recommended: OFF
Hide Options
- Hide Admin Toolbar β Recommended: ON
- Select User Roles β Recommended action: Select the users roles for whom you DONβT want the Admin Toolbar to be visible.
- Hide Version from Images, CSS and JS in WordPress β Recommended: ON
- Hide IDs from META Tags β Recommended: ON
- Hide WordPress DNS Prefetch META Tags β Recommended: ON
- Hide WordPress Generator META Tags β Recommended: ON
- Hide HTML Comments β Recommended: ON
- Hide Emojicons β Recommended: ON
- Hide Embed Scripts β Recommended: ON
- Disable WLW Manifest scripts β Recommended: ON
Disable Options
- Disable Right-Click β Recommended: ON
- Disable Click Message β Recommended action: Leave as is, customization is not mandatory
- Disable Inspect Element β Recommended: ON
- Disable Inspect Element Message β Recommended action: Leave as is, customization is not mandatory
- Disable View Source β Recommended: ON
- Disable View Source Message β Recommended action: Leave as is, customization is not mandatory
- Disable Copy/Paste β Recommended: ON
- Disable Copy/Paste Message β Recommended action: Leave as is, customization is not mandatory
- Disable Drag/Drop Images β Recommended: OFF
- Disable DB Debug in Frontend β Recommended: ON
π Min. 3.43 – 4.07: Brute Force Settings
- Blocked IPs report β Recommended action: Activate Brute Force Protection
- Bruce Force Settings >> Use Brute Force Protection β Recommended: ON
!! In most cases, the Math reCAPTCHA is enough to protect your website against Brute Force login attacks.
- Max fail attempts β Recommended action: Leave as is or customize based on preferences
- Ban Duration β Recommended action: Leave as is or customize based on preferences
- Lockout Message β Recommended action: Leave as is, customization is not mandatory
π Min. 4.08 – 4.36: Events Log Settings
- Events Log Report β Recommended action: Activate Log Users Events
- Events Log Settings >> Log Users Events β Recommended: ON
- Log User Roles β Recommended: Leave as is (Hide My WP will log all user roles), or select specific user roles whose activity you want Hide My WP Ghost to log.
π Min. 4.36 – 5.29: Security Check
Recommended Actions:
- Click on Start Scan to run a new WordPress security check.
- Check the list of Action Items that Hide My WP Ghost generated.
- See if there are still issues that need to be resolved.
- Follow the instructions to try and fix as many of them as possible.
By setting up Ghost Mode for your site, youβve strengthened your siteβs security, as shown by the graphic.
π Min. 5.29 – 6.28: View Changes
Recommended Actions:
- Click on Visit Site to see the changes youβve enabled using Hide My Ghost take effect.
- Log out from your account if you want to test things like: Right Click, View Source, and youβll see that this functionality has been disabled for your site (based on your settings)
- Take a look at your siteβs source code to see the modified paths.
IMPORTANT! The settings shown in this video will work best for most sites β and present a way to quickly, safely, and effectively set up Ghost Mode for your site.
However, the ideal settings can look different from case to case, and you can always further customize these settings based on your needs and wants.
We advise you to always read the documentation that we link to from within the plugin and ensure you clearly understand what each setting enables you to do.
NOTE!
π How to Fix 403 Forbidden Error in WordPress caused by ModSecurity (mod_security)
ModSecurity is an open-source firewall application (or WAF) supported by different web servers (such as Apache, Nginx, IIS) and used by a lot of hosts.
The issue: If they have rule #212340 in place – which they most likely do by default – then it willΒ prevent the Code Editor from working in Ghost ModeΒ from Hide My WP Ghost.
The solution: If you encounter this issue, make sure to contact your host to turn offΒ Rule 212340Β or whitelist you from it.
Once you do that, you should no longer see the 403 Forbidden Error.