Hide All WordPress Common Paths and Files with WP Ghost

March 15, 2017

Category:

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

Table of Contents

Every Path WP Ghost Can Change
Additional Protection Beyond Path Changes
What WP Ghost Does Not Change
Frequently Asked Questions
Related Tutorials

WP Ghost (formerly Hide My WP Ghost) changes and hides every common WordPress path, blocks access to old paths, and adds firewall rules to prevent exploits. One plugin covers login security, directory paths, API endpoints, and file-level protection. Here is everything WP Ghost can change and how to set it up.

Every Path WP Ghost Can Change

WordPress path	WP Ghost setting location	Tutorial
wp-login.php	Change Paths > Login Security	Change Login Path
wp-admin	Change Paths > Admin Security	Change wp-admin Path
wp-content	Change Paths > WP Core Security	Change wp-content Path
wp-includes	Change Paths > WP Core Security	Change wp-includes Path
wp-content/uploads	Change Paths > WP Core Security	Change Uploads Path
wp-content/plugins	Change Paths > Plugins Security	Change Plugins Path
wp-content/themes	Change Paths > Themes Security	Change Themes Path
wp-comments-post.php	Change Paths > Login Security	Change Comments Path
author path	Change Paths > User Security	Change Author Path
REST API wp-json	Change Paths > API Security	Change REST API Path
admin-ajax.php	Change Paths > Ajax Security	Change Ajax Path
Plugin and theme names	Change Paths > Plugins/Themes Security	Change Plugins Path
Lost password, register, logout, activation paths	Change Paths > Login Security	Customize All Paths

WP Ghost also hides the old paths by returning a 404 error (or custom page) when anyone accesses the original WordPress URLs. This blocks both bots and manual probing.

Additional Protection Beyond Path Changes

Path changes are one layer. WP Ghost also provides: 7G/8G Firewall blocking SQL injection and script injection at the server level. Security Headers (HSTS, CSP, X-Frame-Options). Brute Force Protection with reCAPTCHA and login limits. 2FA with passkeys, codes, and email. URL Mapping and Text Mapping for renaming remaining class names and URLs in source code. Country Blocking (Premium). Security Threats Log and Events Log (Premium).

What WP Ghost Does Not Change

WP Ghost intentionally does not change certain things to protect site functionality:

Absolute font and image paths inside CSS files. CSS files can reference fonts and images using absolute URLs. WP Ghost changes these when Change Paths in Cached Files is enabled (WP Ghost > Tweaks). Without this option, paths inside static CSS files are not rewritten. See the Page Builder Image Paths tutorial.

Plugin CSS class names in frontend HTML. Plugin class names (like elementor-widget, woocommerce-product) are not renamed automatically because doing so would break layouts. Use WP Ghost > Mapping > Text Mapping to manually rename specific class names. See the Text Mapping tutorial.

Paths returned through AJAX calls. WP Ghost rewrites paths in the initial HTML output. Some plugins load additional content via AJAX after the page loads. Enable Change Paths in AJAX Calls in WP Ghost > Tweaks to extend path rewriting to AJAX responses.

For a complete overview of limitations and workarounds, see What WP Ghost Can’t Do.

Frequently Asked Questions

Do I need to change every path manually?

No. Select Safe Mode or Ghost Mode and WP Ghost generates predefined custom paths for every location automatically. You can customize individual paths afterward or keep the defaults. See the Preset Security Options for one-click configurations.

Will changing all paths break my site?

No. WP Ghost uses URL rewrite rules that serve files from the original locations through the new URLs. Nothing is physically moved. Your plugins, themes, and media continue working normally. If anything does break, switch to Lite Mode or use the Safe URL to recover.

Are all these features free?

All path changes, the 8G firewall, brute force protection, 2FA, security headers, and text/URL mapping are free. Premium adds Ghost Mode, extended file extension hiding, geo-blocking, Security Threats Log, and Events Log. See the Free vs Premium comparison.

Does WP Ghost modify WordPress core files?

No. All changes use URL rewrite rules and WordPress filters. No files are moved, renamed, or modified. Deactivating WP Ghost restores every default path instantly.

Customize All WordPress Paths – the step-by-step guide to configuring every path.

What WP Ghost Can’t Do – full limitations overview with workarounds.

Text Mapping and URL Mapping – rename class names and remaining URLs in source code.

Safe Mode vs Ghost Mode – which security level to choose.

Website Security Check – verify your complete configuration.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Get Protected

Top Features

Resources

Company