Hide Your WordPress Site From Hackers

How Hide My WordPress Ghost can help you to change common paths and hide your URLs from hackers

Which Are The Most Attacked Paths?

The majority of password-guessing attacks target the WordPress wp-admin, wp-login and xmlrpc endpoints, the URLs that accept a user name and password. Attackers may also probe the installed themes and plugins and other known vulnerable files.

Why is it important to hide them?

Hackers are everywhere online, and they are always ready to capture your company data and even sell it to the highest bidder.


Hide My WordPress Ghost Can Help You Hide All These Paths and More

In the following, I’ll explain every step that you should take to have a secure website. 

You’ll learn how to use Hide My WordPress Ghost to protect your website from hackers.

Hide & Customize wp-admin and wp-login URLs

A hacker needs to find your login page if he or she intends to use a brute force attack on it to gain access.

Normally, to get to the login page all you have to do is go to /wp-admin or /wp-login.php. Most WordPress websites have the login entry point at http://yourwebsite.com/wp-login.php.

By hiding your login page you will protect your website. This way, the attacker can’t identify a potential point of entry. 

A bot that can’t find your login page can’t attempt to log in.

Similar to the wp-login.php page, there is the wp-admin directory which also needs to be protected.


Hide My WordPress Ghost Will Help You To

  1. Hide the WordPress wp-admin URL and redirect hackers to a 404 page or a custom page.
  2. Hide the WordPress wp-login.php URL and redirect hackers to a 404 page or a custom page.
  3. Change the wp-admin and wp-login URLs to custom names.
  4. Hide the admin-ajax URL.

Besides the huge security advantage, this saves a lot of server processing time by reducing PHP and MySQL usage, since brute force attacks end up requesting the wrong URLs.
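To see this in your own access log, the following added example (not part of the plugin or of the original page) counts requests to the default login endpoints per client and separates those that reached WordPress from those answered with 404. The combined log format, the sample lines and the function name are assumptions.

```python
import re
from collections import Counter

# Default credential-accepting endpoints named in the article.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php", "/wp-admin")

# Combined log format: ip - - [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [10/May/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [10/May/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
198.51.100.9 - - [10/May/2024:10:00:04 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 9120
198.51.100.23 - - [10/May/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 404 1200
198.51.100.23 - - [10/May/2024:10:05:01 +0000] "GET /wp-admin/ HTTP/1.1" 404 1200
this line is malformed and is skipped
""".splitlines()


def summarize_login_probes(lines, threshold=3):
    """Count requests to the default login endpoints per client IP.

    Returns (served, rejected, flagged): requests that reached WordPress
    (any status but 404), requests answered 404, and the sorted IPs whose
    combined count is at or above `threshold`.
    """
    served, rejected = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        path = m["path"].split("?", 1)[0]
        if not any(path == p or path.startswith(p + "/") for p in LOGIN_PATHS):
            continue
        bucket = rejected if m["status"] == "404" else served
        bucket[m["ip"]] += 1
    totals = served + rejected
    flagged = sorted(ip for ip, n in totals.items() if n >= threshold)
    return served, rejected, flagged


if __name__ == "__main__":
    served, rejected, flagged = summarize_login_probes(SAMPLE_LOG)
    print("served:", dict(served), "rejected:", dict(rejected), "flagged:", flagged)
```

Requests in the `rejected` counter never reached the login handler, which is the saving the paragraph above describes.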

Customize & Hide WordPress Common Paths

By default, WordPress puts all your content (including images, plugins, themes, uploads and more) in a directory called “wp-content.”

This default folder name makes it easy for attackers to scan for files with security vulnerabilities on your WordPress installation because they know where the vulnerable files are located.

Renaming the “wp-content” folder can make it more difficult or even impossible for an attacker to find the vulnerable files, as scans of your site’s file system will not produce any results.

You also need to change any links containing /wp-content/, /themes/, and /plugins/ for better security.


Hide My WordPress Ghost Options

  • Customize & Hide WP wp-includes path
  • Customize & Hide WP wp-content path
  • Customize & Hide WP plugin & theme paths
  • Customize & Hide WP uploads path
  • Customize WP authors path / Hide Author ID URL
  • Customize WP comment URL
  • Customize WP category & tags path
  • Customize WP REST API path
  • Customize WP Lost Password URL
  • Customize Register URL
  • Customize Logout URL
  • Customize Activation URL
  • Customize Ajax URL
  • Restrict user access to old common paths/directories
  • Choose to redirect unwanted visitors to a custom page

Hide WordPress Common Files

Hide WordPress Common files:

  • wp-config.php
  • readme.html
  • license.txt
  • install.php
  • update.php
  • and more

Restrict access for unwanted visitors and trigger a “Page not found” error
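A way to confirm the result after changing the settings, written here as an added example that is not the plugin's code: request each default path and report any that does not answer 404. It assumes the site is set to return "Page not found" rather than a custom page; `example.test`, the function names and the fake responses are constructed for the demonstration.

```python
import urllib.error
import urllib.request

# Default paths and files named in the article (WordPress core locations).
DEFAULT_PATHS = [
    "/wp-login.php", "/wp-admin/", "/xmlrpc.php", "/wp-admin/admin-ajax.php",
    "/wp-content/", "/wp-includes/", "/wp-config.php", "/readme.html",
    "/license.txt", "/wp-admin/install.php",
]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow; a 3xx is then raised as HTTPError


def http_status(url, timeout=10):
    """GET `url` and return the status code without following redirects."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 3xx, 4xx and 5xx all arrive here


def audit_default_paths(base_url, fetch=http_status, paths=DEFAULT_PATHS):
    """Return {path: status} for each default path that did not answer 404."""
    base = base_url.rstrip("/")
    findings = {}
    for path in paths:
        status = fetch(base + path)
        if status != 404:
            findings[path] = status
    return findings


# Constructed responses for a partly hardened site, so the demo runs offline.
FAKE_SITE = {"/wp-admin/": 302, "/xmlrpc.php": 405, "/readme.html": 200}


def fake_fetch(url):
    path = url.removeprefix("https://example.test")
    return FAKE_SITE.get(path, 404)


if __name__ == "__main__":
    for path, status in audit_default_paths("https://example.test/", fake_fetch).items():
        print(f"{status} {path}  <- still answers at its default location")
```

Against your own site, call `audit_default_paths("https://yourdomain.com")` with the default `http_status` fetcher; an empty result means every listed path returned 404.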


Plugin and Theme Settings

Hide My WordPress Ghost Will Help You To

Change the WordPress theme directory, remove theme Info from stylesheets and replace default WP classes.

Change plugins directory and hash plugin names.

Set random plugin names.
Set random theme names.

Remove unwanted classes.
Remove ids from stylesheets and script metas.
Set custom style.css for your WordPress themes.

Other Security Settings

Firewall Against Script Injection 

  • Most WordPress installations are hosted on the popular Apache, Litespeed, Nginx and IIS web servers.
  • A thorough set of rules can prevent many types of SQL Injection and URL hacks from being processed.

Disable Directory Browsing

  • Don’t let hackers see any directory content.

Advanced Security Settings


Optimize CSS and JS files

  • Cache CSS, JS and Images to increase the frontend loading speed
  • Leverage browser caching

Notification Settings

  • Send emails with the changed admin and login URLs
  • Send security alerts and weekly website security stats

URL Mapping

  • You can add a list of URLs that you want to change into new ones. It’s important to include only internal URLs from your frontend source code after you activate the plugin in Safe Mode or Ghost Mode.

from: https://yourdomain.com/assets/f9f4ca341/main.css
to:  https://yourdomain.com/mystyle.css


You Can Choose From 2 Levels Of Security

There is no difference in features between Safe Mode and Ghost Mode, just in the predefined settings.

By default, Safe Mode does not modify the wp-admin and admin-ajax.php paths; it just hides them. It also doesn’t hide the common paths (wp-includes, wp-content, plugins, themes) or WP-JSON API calls.

Safe Mode has been created to eliminate many incompatibilities with custom themes and plugins that we have tested in recent years.

Safe Mode provides a good level of security, even if these settings are not enabled.

If you feel confident, you can switch to Ghost Mode, since you can always go back to Safe Mode in one click.
