How to Use WP Ghost on Nginx Hosting Without Editing Config Files


Quick summary: Use WP Ghost on Nginx hosting without editing nginx.conf by loading the Minimal (No Config Rewrites) preset. You still get custom login paths, brute force protection, firewall, 2FA, security headers, and version hiding – all through WordPress hooks, no server config changes needed.

Why Some Nginx Hosts Block Config Editing

Many Nginx hosting environments do not give you access to the server configuration. Managed WordPress hosts like Kinsta, WP Engine, Flywheel, and Cloudways manage the Nginx config at the platform level. Shared Nginx hosting and containerized deployments also lock down these files. Unlike Apache, where plugins can write to .htaccess automatically, Nginx requires manual edits to nginx.conf for server-level rewrite rules.

The good news: WP Ghost has two categories of features. Some require server-level rewrite rules (path renaming for wp-content, wp-includes, wp-admin, plugins, and themes), and others work entirely through WordPress hooks and PHP. When you cannot edit nginx.conf, the second category still gives you a strong security stack.

What Works Without Config Rewrites

Here is the breakdown of what you can and cannot use when server config editing is not available:

| Feature | Needs Config Rewrites? | Works on Restricted Nginx? |
|---|---|---|
| Custom login, lost password, and signup paths | No | Yes |
| Brute force protection (reCAPTCHA, rate limits) | No | Yes |
| 7G/8G Firewall | No (runs at WordPress init) | Yes |
| Two-factor authentication (code, email, passkey) | No | Yes |
| Security headers (HSTS, CSP, X-Frame-Options) | No (sent via PHP) | Yes |
| Hide WordPress version, generator, RSD | No | Yes |
| User Events Log and Security Threats Log | No | Yes |
| Rename wp-content, wp-includes, wp-admin paths | Yes | No |
| Rename plugin and theme directory paths | Yes | No |
| Hide common WordPress files (404 on originals) | Yes | No |

Custom login paths combined with the firewall, brute force protection, and 2FA cover the most critical attack vectors. You are protected against login attacks, injection attempts, and credential theft even without the advanced path renaming features.

How to Set Up WP Ghost Without Config Changes

Option 1: Load the Minimal Preset

This is the fastest approach. The Minimal preset activates only features that work without server configuration changes.

1. Go to WP Ghost > Change Paths.

2. Select the Minimal (No Config Rewrites) preset.

3. Click Load Preset and confirm.

[Screenshot: WP Ghost Preset Security Options showing the Minimal (No Config Rewrites) preset selected]

The default login path will be set to /newlogin. Change it to something unique right away in WP Ghost > Change Paths > Login Path. Using a predictable path like /newlogin defeats the purpose. Pick something only you know.

Option 2: Restore a Pre-Built Backup

An alternative if you want a ready-made configuration file with non-rewrite features pre-configured.

1. Download the no_custom_core_backup.txt file (a WP Ghost backup with non-rewrite settings only).

2. Go to WP Ghost > Backup/Restore.

3. Click Restore, select the downloaded file, and click Restore Backup.

[Screenshot: WP Ghost Backup and Restore screen showing the option to restore a pre-built no-rewrite configuration]

After restoring, the login path defaults to /newlogin. Change it to a custom path in WP Ghost > Change Paths.

Verify Your Setup

After loading the preset or restoring the backup, test everything to make sure it works correctly.

1. Test the custom login path. Open an incognito browser and go to yourdomain.com/newlogin (or your custom path). The login form should appear. Verify that yourdomain.com/wp-login.php returns a 404 or redirects.

2. Check brute force protection. The reCAPTCHA widget (Math or Google) should appear on the login form if you enabled it.

3. Confirm the firewall is active. Go to WP Ghost > Firewall and verify the firewall is enabled.

4. Run a Security Check. Go to WP Ghost > Security Check and click Start Scan to confirm your configuration is complete.

[Screenshot: WP Ghost frontend test and login path verification screen after loading the Minimal preset]
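The login-path check in step 1 can be scripted from outside the browser, together with checks for the security headers and generator hiding listed in the feature table. This is an added example, not part of WP Ghost or its documentation; the function names, the output wording, and the 200 status expected on the custom login path are assumptions of this sketch.

```sh
#!/bin/sh
# Added example: response checks for a no-rewrite WP Ghost setup.
# Function names and the header list are choices made for this sketch.

# Print the status code of the last response in raw headers read from stdin.
status_of() {
    tr -d '\r' | awk '$1 ~ /^HTTP\// { code = $2 } END { print code }'
}

# Succeed if the stock wp-login.php answers 404 or a redirect.
login_hidden() {
    case "$(status_of)" in
        404|30[12378]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print each security header from the feature table that is absent on stdin.
missing_headers() {
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    for h in strict-transport-security content-security-policy x-frame-options; do
        printf '%s\n' "$hdrs" | grep -q "^$h:" || printf '%s\n' "$h"
    done
}

# Succeed if HTML on stdin still carries a generator meta tag.
leaks_generator() {
    grep -qi "<meta[^>]*name=[\"']generator[\"']"
}

# GET a URL and print only the response headers.
hdr() { curl -s -D - -o /dev/null "$1"; }

# check_site BASE_URL LOGIN_PATH: run all checks against a site you administer.
check_site() {
    site=$1; path=$2
    hdr "$site/wp-login.php" | login_hidden || echo "FAIL: wp-login.php still served"
    [ "$(hdr "$site/$path" | status_of)" = 200 ] || echo "FAIL: custom login path not 200"
    hdr "$site/" | missing_headers | sed 's/^/MISSING header: /'
    if curl -s "$site/" | leaks_generator; then echo "FAIL: generator meta tag present"; fi
    return 0
}

# Example: sh verify.sh https://yourdomain.com newlogin
if [ "$#" -ge 2 ]; then check_site "$1" "$2"; fi
```

A header reported as missing matters only if you enabled it in WP Ghost, and HSTS is only meaningful when the site is requested over HTTPS.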

Troubleshooting

Custom login path returns 404

Your Nginx server may not have WordPress permalink rewrite rules configured. WP Ghost’s custom login path depends on WordPress permalinks working. Check with your hosting provider that permalink support is enabled. If permalinks work for posts and pages but not for the login path, try a different path name or contact your host.

Locked out after loading the preset

The default login path after loading the Minimal preset is /newlogin. Try yourdomain.com/newlogin first. If that does not work, use the emergency disable guide or add the HMWP_DISABLE constant in wp-config.php to disable WP Ghost temporarily.

Want full path security on Nginx later

If you later get access to nginx.conf (for example, by upgrading to a VPS or dedicated server), you can enable Safe Mode or Ghost Mode for full path renaming. See the Setup WP Ghost on Nginx Server guide for complete Nginx rewrite rule instructions.

Frequently Asked Questions

Is WP Ghost still effective without path rewriting?

Yes. Custom login paths, brute force protection, the 7G/8G firewall, 2FA, security headers, and version hiding cover the most critical attack vectors. Path rewriting (renaming wp-content, wp-includes, etc.) adds an additional layer by hiding your WordPress identity from theme detectors and bot scanners, but the features available without config changes provide strong protection on their own.

Which Nginx hosting environments cannot edit config files?

Managed WordPress hosts such as Kinsta, WP Engine, Flywheel, and Cloudways managed plans, as well as some shared Nginx hosting providers and containerized deployments where the Nginx config is managed by the platform. If your hosting panel does not have an Nginx config editor and your provider says you cannot add custom location blocks, use this guide.

Does this work with WooCommerce?

Yes. All non-rewrite features are fully compatible with WooCommerce on Nginx without config changes. Custom login paths, brute force protection, firewall, 2FA, and security headers all work with WooCommerce.

Is the Minimal preset a free feature?

Yes. The Minimal (No Config Rewrites) preset and all the features it enables are available in the free version of WP Ghost. No premium license is needed for this setup.

Does WP Ghost modify WordPress core files?

No. All features in this guide work through WordPress hooks, PHP filters, and database-level configuration. No core files and no server configuration files are modified.

For Nginx setup and more security configuration:

Setup WP Ghost on Nginx Server – Full Nginx setup with rewrite rules when you have config access.

Preset Security Options – Details on all four security presets including Safe Mode and Ghost Mode.

Brute Force Attack Protection – Configure reCAPTCHA and rate limiting on your login form.

Two-Factor Authentication – Add 2FA by code, email, or passkey for login security.

Disable WP Ghost in Case of Error – Emergency recovery steps if you get locked out.