Now that you have learned how to customize the common WordPress paths, and how to protect your login page from Brute Force attacks, it’s time to learn how to hide your website from WordPress theme detectors and hacker’s bots.
Follow the next four steps, and learn what you need to do to fully protect your website.
Note! For the following features, you need to have the Hide My WP Ghost version installed.
Step 1. Hide WordPress Common Paths
If you changed wp-admin, wp-login, wp-content, wp-includes, plugins and themes paths using Hide My WP Ghost, you should now hide the old paths from hackers to protect vulnerable plugins and themes.
To hide the common WordPress paths, you need to switch on the option, “Hide My WP > Permalinks > Hide WordPress Common Paths” and save the settings.
After you activate the option, you can access the /wp-content URL, and you should receive the 404 error (Page not found).
Now it’s time to hide the common WordPress files from hackers, who can easily detect the WordPress CMS if they can access the common WordPress files: /wp-config.php, /readme.html, etc. All these files should be accessible only if you are logged into your website.
Hide My WP Ghost will add a filter to protect all these files if you switch on the option “Hide My WP > Hide WordPress Common Files“.
Step 2. Activate Tweaks
Now activate the main options from Hide My WP > Tweaks to hide the CMS version, header and referrals.
Switch ON the options:
- Change Paths in Cached Files
- Change Paths in Ajax Calls (optional)
- Hide Versions and WP Tags
- Hide RSD header
- Hide WordPress Comments
- Hide XML-RPC access
- Hide Embed Scripts
- Hide Emoji Icons (optional)
- Hide WLW Manifest Scripts
Step 3. Use Text Mapping
You can use Text Mapping to hide classes like wp- from your website that may be detected by Theme detectors. Even if it’s a good option to add all the plugins’ classes in Text Mapping, this is not always a good idea because it may affect the website functionality.
Some Theme Detectors are looking for classes that are used by WordPress plugins and they will jump to say that you’re using WordPress CMS even if you don’t have any WordPress common path.
Add these records in Hide My WP > Mapping > Text Mapping and hide the WordPress common classes:
- wp-caption => caption
- wp-custom => custom
- wp-block => block
- wp-image => image
- wp-smiley => smiley
- wp-embed => embed
- wp-i18n => i18n
- wp-hooks => hooks
- wp-util => util
- wp-polyfill => polyfill
- wp-escape => escape
- wp-element => element
- wp-post => post
- wp-switch-editor => switch-editor
Step 4. Use URL Mapping or Cache Plugins
Some plugins use filenames with the same name as the plugin. To hide these files, you can use Hide My WP > Mapping > URL Mapping or a cache plugin.
URL Mapping option will let you change any URL from your website to one that is more user-friendly and hides a plugin name.
Now, If you already have a cache plugin installed, check if the cache plugin has the option to minify/combine the CSS and JS files that can be detected.
We recommend the WP Rocket and Autoptimize cache plugins for caching which work perfect with Hide My WP Ghost.
Step 5. Run a Security Check
It’s time to check the website security and make sure there are no URLs containing /wp-content/.
Go to Hide My WP > Security Check and run a report. If the report doesn’t find the old WordPress paths in source code than the config is correct.
You can also check the Source Code of your website using a different browser or from incognito.
Most browsers let you see the website’s source-code if you type “view-source:” before your domain, like this:
view-source:https://demo.wpplugins.tips/. Now search for wp- using the search option (Ctrl + F).
If you find URLs containing “/wp-content/”, make sure they were not generated by a cache plugin like Autoptimizer or Wp-Rocket. If they were, activate the Combine JS and Combine CSS option in your cache plugin to add all the JS and CSS in the same file.
If you don’t use a cache plugin, and you want to change some URLs in your source code, use the “Hide My WP Ghost > URL Mapping” option and follow the instruction in the next step.
Step 6. Hide Path in Sitemap XML and Robots.txt
Some themes detectors are looking in the /sitemap.xml URL to check if there is any reference to the plugin’s author.
In /robots.txt URL you can also find restrictions to the wp-admin and wp-includes paths and the theme detectors will know that you’re using WordPress CMS because of that.
Hide My WP Ghost is removing any style from sitemap.xml and all the WordPress common paths from robots.txt.
Step 7. Use Theme Detectors Tools
If you applied all the steps in the last three lessons, your website should be safe from hacker’s bots, and hidden from all WordPress theme detectors:
We checked with many other detectors, but some of them save a long term cache, and the results are not relevant.
Hide My WP Ghost is a complex security tool and covers all the security needs to protect the vulnerable plugins and themes from Script and SQL Injections. It can be used together with other security plugins like Wordfence, Sucuri, etc.
Note! The plugin is compatible with other security plugins and you don’t have to deactivate all other security plugins if you install Hide My WP Ghost.
To see what Hide My WP Ghost can’t do on your website in order to avoid errors, please read:
Feel free to contact us with feedback and suggestions here
In the next lesson, you will learn how to use the User Events Log feature, and how to set Security Email Alerts in your WPPlugins account.