Install WP Ghost Free Plugin – Setup Guide for WordPress
September 10, 2018
This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.
Install and activate WP Ghost (formerly Hide My WP Ghost) from the WordPress directory. The free version includes 115+ security features including path changes, 8G firewall, 2FA, brute force protection, and security headers. This guide covers installation, activation, choosing a security level, and verifying your setup.
Install WP Ghost
Install from WordPress Directory (recommended)
Log in to your WordPress dashboard. Go to Plugins > Add New. Search for “WP Ghost”. Click Install Now on the WP Ghost plugin, then click Activate.
Install Manually via Upload
Download the plugin from wordpress.org/plugins/hide-my-wp. Go to Plugins > Add New > Upload Plugin. Upload the zip file. Click Activate.
Activate Your License
After activation, WP Ghost asks for your email to register a free license. This connects your site to the WP Ghost Dashboard where you can manage connected websites, monitor security, and receive reports. Enter your email and click Activate.
Activation is optional. If you click Skip Activation, the plugin works without it, but you will not have access to cloud monitoring, security reports, or Events Log cloud storage. You can activate later from the plugin settings.
Select a Security Level
Go to WP Ghost > Change Paths > Level of Security. Choose your protection level:
| Level | What it does | Best for |
|---|---|---|
| Lite Mode | Changes the most targeted paths (login, wp-content, wp-includes, plugins, themes) | First-time setup, maximum compatibility |
| Safe Mode | Everything in Lite Mode plus author paths, comments path, and API paths | Most WordPress sites |
| Ghost Mode | Everything in Safe Mode plus wp-admin path, admin-ajax.php path, and auto-enabled firewall | Maximum path security |
Select a level and click Save. WP Ghost generates predefined custom paths automatically. You can customize each path or keep the defaults.
Bookmark your new login URL
After saving, the default /wp-login.php and /wp-admin are no longer accessible to visitors. Your new login path is shown at the top of the settings page. Bookmark it immediately. If you forget it, use the Safe URL parameter to regain access.
Server Configuration (If Required)
If WP Ghost cannot write rewrite rules to your server config file automatically, it shows the rules you need to add manually. Follow the on-screen instructions and click Okay, I set it up.
For Nginx servers: add the config include line to your nginx.conf and restart Nginx with sudo nginx -s reload. See the Nginx setup guide.
For Apache servers: ensure AllowOverride All is set for your directory. See the AllowOverride guide.
Verify Your Setup
After saving, clear your cache (browser, caching plugin, CDN). Then verify:
Run a Security Check. Go to WP Ghost > Security Check. Click Start Scan. The scanner verifies all paths are changed and flags any remaining issues. Click Fix It on any flagged item to resolve it automatically.
Test with a CMS detector. Visit WhatCMS.org and enter your domain. If it does not identify WordPress, your path security is working.
View your page source. Open a private browser window, visit your site, and view source (Ctrl+U). Search for “wp-content” and “wp-includes”. If no matches appear, the paths are successfully changed.
Frequently Asked Questions
Which security level should I start with?
Start with Lite Mode or Safe Mode. Both are compatible with virtually all plugins and themes. After confirming your site works, you can upgrade to Ghost Mode for maximum protection. You can switch between levels at any time without losing your custom path names.
What if I get locked out after activating?
Use the Safe URL shown at the top of the WP Ghost settings page. If you did not save it, you can also disable WP Ghost by renaming the plugin folder via FTP. See the Emergency Disable guide.
Is activation with email required?
No. The plugin works without activation. But activating with your email connects your site to the WP Ghost Dashboard for cloud monitoring, weekly security reports, and Events Log cloud storage. You can activate later.
Does WP Ghost work with my hosting provider?
WP Ghost works on Apache, Nginx, LiteSpeed, and IIS servers. It is compatible with all major hosts including WP Engine, Kinsta, SiteGround, Cloudways, and shared hosting. Some managed hosts may need manual server config. Check the Compatibility List for hosting-specific notes.
Is the free version enough for most sites?
Yes. The free version includes 115+ security features: path changes, 8G firewall, 2FA (code, email, passkey), brute force protection, security headers, temporary logins, and text/URL mapping. Premium adds the Security Threats Log, Events Log, geo-blocking, extended file extension hiding, and priority support. See the Free vs Premium comparison.
Does WP Ghost modify WordPress core files?
No. All path changes use URL rewrite rules and WordPress filters. No files are moved, renamed, or modified. Deactivating WP Ghost restores every default path instantly.
Related Tutorials
Customize All WordPress Paths – configure every path after installation.
Preset Security Options – one-click configurations for common setups.
Safe Mode vs Ghost Mode – detailed comparison of security levels.
Website Security Check – verify your configuration after setup.
Free vs Premium – full feature comparison.