Activate Security Tweaks

In order to hide your WordPress from Theme Detectors, you will need to activate some extra features in Hide My WP Ghost.

These features don’t affect the website’s security. However, the Theme Detectors will also check some WordPress signals like:

• plugins HTML comments,
• WordPress version,
• RSD header,
• and more.

Redirect Hidden Paths

If you have visitors that try to access the protected (changed and hidden) WordPress common paths (such as: /wp-admin and /wp-login) you can use the Redirect Hidden Paths feature to redirect those visitors to another page whenever they reach those WordPress common paths.

So, for example, if someone tries to access your /wp-admin once you’ve used Hide My WP Ghost to protect that path, that visitor will instantly be redirect to another page.

The default option for this is: the Front Page.

But you can also use the Drop Down you see pictured below to select the page where you want visitors or hackers who try to access your protected paths to be redirected to.

To customize the redirect, just select the page you want to use for the redirect from Hide My WP > Tweaks > Redirects > Redirect Hidden Paths

If you’re NOT satisfied with the options included in the drop-down, you can always create a NEW Page in your site and come back to to this section of Hide My WP Ghost and choose that page as the redirect.

You can also tell Hide My WP Ghost to trigger an HTML Error when a visitor tries to access your protected path (404 HTML error or 403 HTML error – again, you choose this from the drop-down).

OR you can redirect those trying to access your protected paths to a 404 Page by selecting the option 404 page from the drop-down.

For logged users (users who can log in and log out of your website such as Authors, Editors and Administrators), you can use the Do Login and Logout Redirects option, which we will cover in the next section of this tutorial.

Login Redirect URL & Logout Redirect URL

Since Hide My WP Ghost version 5.0.13, you have the option to set the login and logout redirects based on user role.

With this option, authors, editors and administrators can be redirected on login to the right page.

To customize the redirects, go to Hide My WP > Tweaks > Redirect > Do Login & Logout Redirects.

Here, you can customize the Login Redirect URL as well as the Logout Redirect URL (you can enter whatever URL you want, it can even be an an external URL, which means you can redirect users to a page on a different site).

• Go to Default to set the Login Redirect URL and the Logout Redirect URL for ALL users (with this option, ALL users on your site will be redirected to the same login URL / the same logout URL)
• Go to the User Role option and set up individual Login Redirect URLs and individual Logout Redirect URLs based on user roles. (with this option you can set a Login Redirect URL for site Customers, for example, and a different Login Redirect URL for site Editors)

!Note that the settings you make in the User Role panel trump the settings in the Default panel (the User Role redirect has higher priority than the Default redirect URL). Use these options with caution.

Redirect Logged Users To Dashboard

With this option, a previously logged user will be automatically redirected to the admin dashboard when he goes on the login page.

To activate this option, go to Hide My WP > Tweaks > Redirect > Redirect Logged Users To Dashboard.

Change Paths for Logged Users

Most of the themes work fine with the paths changed while the user is logged in, but there are some that need the WordPress common paths unchanged.

We recommend activating this option so that site customers, for example, can’t see the common paths while logged in to their accounts.

To activate this feature, switch on Hide My WP > Tweaks > Change Options > Change Paths for Logged Users

Change Paths In Cached Files

With this option, Hide My WP Ghost will change paths in cached files. This feature is useful when the website has a cache plugin installed. Once the website is loaded in the frontend, the cache plugin will add all the CSS Styles, JS, and HTML content into the cache directory.

Hide My WP Ghost automatically runs a background process that checks the cache directory for unchanged paths and changes them (this process is done every minute). This feature will not affect the loading speed and works with all WordPress cache plugins.

To change the paths in cached files, switch on Hide My WP > Tweaks > Change Paths In Cached Files (sidebar)

Change Relative URLs to Absolute URLs

Having all the WordPress common paths changed with custom ones will avoid having any relative URLs pointing to the old paths. We recommend using this feature to change all the HTML URLs into absolute URLs.

To change relative to absolute URLs, switch on Hide My WP > Tweaks > Change Options > Change Relative URLs to Absolute URLs

Hide Feed and Sitemap Link Tags

When this option is tuned on, Hide My WP Ghost will hide the /feed and /sitemap.xml link Tags from the frontend.

To hide Feed and Sitemap Link Tags, switch on Hide My WP > Tweaks > Feed & Sitemap > Hide Feed and Sitemap Link Tags

Change Paths in RSS Feed

This option allows you to change all the images paths with custom ones in your site’s RSS feed (the RSS feed can be accessed at: https://your site’s name/feed/).

To change paths in RSS feed, switch on Hide My WP > Tweaks > Feed & Sitemap > Change Paths in RSS Feed

Change Paths in Sitemaps XML

For better Search Engine Optimization, we recommend using this feature to change all the image paths with custom ones in sitemap.xml.

The sitemap will be shown as required by Google and other search engines.

To change the image URLs in sitemap.xml, switch on Hide My WP > Tweaks > Feed & Sitemap > Change Paths in Sitemaps XML

Also, by activating the option Remove Plugin Authors & Style from Sitemap XML, you can remove the sitemap style & author name added by SEO plugins like Yoast SEO, Squirrly SEO, Google Sitemap XML, which reveal the plugin’s author.

Note! The sitemap style author doesn’t help with SEO but it tells the users who created the sitemap. It also tells the theme detectors and they will say you’re using WordPress even if all paths are secured.

Change Paths in Robots.txt

This option will remove any trail to WordPress common paths that show that you’re using WordPress as your Content Management System (CMS).

Robots.txt will have the minimum requirements for Google Search Engine to index the website and not affect rankings.

To activate the Robots.txt security, switch on Hide My WP > Tweaks > Feed & Sitemap > Hide Paths in Robots.txt

Hide Admin Toolbar

With this feature, Hide My WP Ghost allows you to hide the WordPress Admin Toolbar for logged users while in frontend.

This feature is useful, for example, if you have a website that is an e-commerce or a profile site; in which case the admin toolbar should NOT show while the customer is logged in.

Because the admin toolbar uses admin classes, it’s better to use this feature to hide the WordPress CMS from users who are logged in.

To hide the admin toolbar, switch on Hide My WP > Tweaks > Hide Options > Hide Admin Toolbar

You can also select the user roles for whom to hide the Admin Toolbar. From the drop down menu you see above, select the User Roles for whom you DON’T want the Admin Toolbar to be visible.

By default, Hide My WP Ghost will hide the Admin Toolbar for Subscribers and Customers (when the Hide Admin Toolbar option is turned ON).

However, you can use the drop-down menu to select, add, and remove User Roles as you need. (multiple User Roles can be selected)

Note that if you activate the Hide Admin Toolbar option, you must have at least one USER ROLE selected. If you don’t select a user role, the plugin will use the default option.

Hide Version from Images, CSS and JS in WordPress

It’s important to hide the version info from all plugins, themes, and WordPress core in order to hide from Theme Detectors. By activating this option, Hide My WP Ghost will hide all information regarding versions from the end of any Image, CSS and JavaScript files.

For every new website, WordPress adds a Generator META in the header with its signature. Many other plugins do the same, so the choice is to completely remove Generator META from the header.

This feature also:

• removes the version parameters from CSS Styles loaded in the source-code
• removes the version parameters from JS Scripts loaded in the source-code
• removes the version parameters from Images loaded in the source-code

To activate this feature, switch on Hide My WP > Tweaks > Hide Options > Hide Version from Images, CSS and JS in WordPress

Hide IDs from META Tags

By activating this option, Hide My WP Ghost will hide the IDs from all <links>, <style>, and <scripts> META Tags.

To activate this feature, switch on  Hide My WP > Tweaks > Hide Options > Hide IDs from META Tags

Hide WordPress Generator META Tags

By activating this option, Hide My WP Ghost will hide the Hide the WordPress Generator META tags.

To activate this feature, switch on  Hide My WP > Tweaks > Hide Options > Hide WordPress Generator META Tags

Hide WordPress DNS Prefetch META Tags

By activating this option, Hide My WP Ghost will hide the DNS Prefetch that points to WordPress.

To activate this feature, switch on  Hide My WP > Tweaks > Hide Options > Hide WordPress DNS Prefetch META Tags

Hide HTML Comments

WordPress adds comments not only into the site’s source-code but also into plugins and themes. Most Theme Detectors will read the comments from HTML to identify the plugins and versions.

Removing the HTML comments is also a must if you want to hide your WordPress website from detectors.

To remove the HTML comments, switch on Hide My WP > Tweaks > Hide Options > Hide HTML Comments

Hide Emoji icons

Emojis are little icons used to express ideas or emotions. If you don’t use them in your website, you do NOT need to load them.

Another reason to disable Emojicons is for speed optimization. You are likely to notice a significant improvement in your page loading times when these libraries are NOT loaded.

To disable Emojicons, switch on Hide My WP > Tweaks > Hide Options > Hide Emojicons

Disable Embed scripts

oEmbed allows users to embed YouTube videos, tweets, and many other resources on their sites simply by pasting a URL, which WordPress then automatically converts into an embed (also provides a live preview inside the visual editor). Most of the themes already include this option, so you don’t need to load these scripts anymore.

Another reason to disable oEmbed scripts is for speed optimization. You will notice a significant improvement in your page loading times when these libraries are NOT loaded.

To disable Embed scripts, switch on Hide My WP > Tweaks > Hide Option > Hide Embed scripts

Disable WLW Manifest scripts

If you don’t use Windows Live Writer, then this code is completely useless to you and should be removed, as this tells the whole world you’re using WordPress as your CMS.

To disable WLW (Windows Live Writer) Manifest scripts, switch on Hide My WP > Tweaks > Hide Options > Disable WLW Manifest scripts

Disable Options

To reach the Disable options available in Hide My WP Ghost, navigate to Hide My WP > Tweaks > Disable Options. Here you will find the following options:

• Disable Right-Click. By activating this option, Hide My WP Ghost will disable right-click functionality on your website, which can help thwart security violations and improve the perceived security of your site. Disabling right-click functionality on your site will prevent opening the menu which features the Inspect Element option.
• Disable Inspect Element. By activating this option, Hide My WP Ghost will disable the key combination that shows the Inspect Element on your website.
• Disable View Source. By activating this option, Hide My WP Ghost will disable the the key combination that shows the View Source element.

• Disable Copy/Paste. By activating this option, Hide My WP Ghost will disable Copy & Paste functions on your website.
• Disable Drag/Drop Images. By activating this option, Hide My WP Ghost will disable visitors’ ability to drag and drop images on your site.

^^ If visitors on your site will try to perform one of these actions after you’ve activated the corresponding feature in Hide My WP Ghost, they will see a message letting them know that the action they wanted to perform is not possible on your website.

For example, say you’ve activated the Disable Right-Click option using Hide My WP Ghost. If a site visitor will try to click right on one of your pages, they will see the following message by default: Right click is disabled!

But you can also choose to customize the message that appears (as shown in the image below).

• The option to customize the message that appears is available for all options in the Disable Options section of Hide My WP Ghost.
• If you do NOT want to display any message, simply leave the text field blank.

Disable DB Debug in Frontend

There is one more option you can activate in the Disable Options section of Hide My WP Ghost, namely: Disable DB Debug in Frontend.

It’s not safe to have Database Debug turned on in frontend. Make sure you don’t use Database debug on live websites.

To disable DB Debug, switch on Hide My WP > Tweaks > Disable Options > Disable DB Debug in Frontend

Best Practices

• We recommend activating ALL features from Hide My WP > Tweaks > Hide Options.