Lesson 3 – How to Hide Your Site From WordPress Theme Detectors

Now that you have learned how to customize the common WordPress paths, and how to protect your login page from Brute Force attacks, it’s time to learn how to hide your website from WordPress theme detectors and hacker’s bots.

Changing the common WordPress paths will not guarantee that the WordPress CMS is completely hidden. The old paths are still accessible and hackers are still able to inject SQL and Javascript into vulnerable installed plugins and themes.

Follow the next four steps, and learn what you need to do to fully protect your website.

Note! For the following features, you need to have the Hide My WP Ghost version installed.

Use custom content to hide from theme detectors!

Don’t use the WordPress demo article, Tagline, footer text, etc. Make sure you have your own posts, pages, categories, tags.

Don’t load the theme demo data into your website. This will easily be detected by theme detectors.

Step 1. Hide WordPress Common Paths

If you changed wp-admin, wp-login, wp-content, wp-includes, plugins and themes paths using Hide My WP Ghost, you should now hide the old paths from hackers to protect vulnerable plugins and themes.

Hide WordPress Common Paths

To hide the common WordPress paths, you need to switch on the option, “Hide My WP > PermalinksHide WordPress Common Paths” and save the settings.
After you activate the option, you can access the /wp-content URL,  and you should receive the 404 error (Page not found).

Now it’s time to hide the common WordPress files from hackers,  who can easily detect the WordPress CMS if they can access the common WordPress files: /wp-config.php,  /readme.html, etc. All these files should be accessible only if you are logged into your website.

Hide My WP Ghost will add a filter to protect all these files if you switch on the option “Hide My WP > Hide WordPress Common Files“.

Hidden URLs:

Step 2. Activate Tweaks

Now activate the main options from Hide My WP tweaks to hide the CMS version, header and referrals.

Switch ON the options:

  1. Change Paths in Cached Files
  2. Change Paths in Ajax Calls (optional)
  3. Hide Versions and WP Tags
  4. Hide RSD header
  5. Hide WordPress Comments
  6. Hide XML-RPC access
  7. Hide Embed Scripts
  8. Hide Emoji Icons (optional)
  9. Hide WLW Manifest Scripts

Step 3. Check the Source Code

It’s time to check the website source code and make sure there are no bit URLs containing /wp-content/.

Most browsers let you see the website’s source-code if you type “view-source:” before your domain, like this:
view-source:https://demo.wpplugins.tips/. Now search for wp- using the search option (Ctrl + F).

If you find URLs containing “/wp-content/”, make sure they were not generated by a cache plugin like Wp-Rocket. If they were, activate the Combine JS and Combine CSS option in Wp-Rocket to add all the JS and CSS in the same file.

If you don’t use a cache plugin, and you want to change some URLs in your source code, use the “Hide My WP Ghost > URL Mapping” option.

Step 4. Use URL Mapping

This option will let you change any URL from your website to one that is more user-friendly.

For example, let’s take the Autoptimize cache URL:

It’s easy to notice that we use Autoptimize to cache the demo website. A more friendly URL would be:

URL Mapping

Just enter the source URL in the left field, and the destination URL in the right field, as seen in the image below:

Note! URL Mapping may slow your loading speed if you add too many URLs. Try to limit the URLs to max 10.

Step 5. Use Theme Detectors Tools

If you applied all the steps in the last three lessons, your website should be safe from hacker’s bots, and hidden from all WordPress theme detectors:

We checked with many other detectors, but some of them save a long term cache, and the results are not relevant.

Don’t use browser detector extensions!

If you install a Chrome extension with a WordPress theme detector, the extension will detect the WP CMS when you’re loged as admin and it may keep a cache with this info. Some detectors like Builtwith and Wappalyzer keep a long term cache once they detect the WordPress CMS.


Hide My WP Ghost is a complex security tool and covers all the security needs for a WordPress website.

Note! The plugin is compatible with other security plugins and you don’t have to deactivate all other security plugins if you install Hide My WP Ghost.

To see what Hide My WP Ghost can’t do on your website in order to avoid errors, please read:

Feel free to contact us with feedback and suggestions here

In the next lesson, you will learn how to use the User Events Log feature, and how to set Security Email Alerts in your WPPlugins account.