In order to hide your WordPress from Theme Detectors, you will need to activate some extra features in Hide My WP Ghost.
These features don’t affect the website’s security. However, the Theme Detectors will also check some WordPress signals like:
- plugins HTML comments,
- WordPress version,
- RSD header,
- and more.
Redirect Hidden Paths
If you have visitors that try to access the protected (changed and hidden) WordPress common paths (such as: /wp-admin and /wp-login) you can use the Redirect Hidden Paths feature to redirect those visitors to another page whenever they reach those WordPress common paths.
So, for example, if someone tries to access your /wp-admin once you’ve used Hide My WP Ghost to protect that path, that visitor will instantly be redirect to another page.
The default option for this is: the Front Page.
But you can also use the Drop Down you see pictured below to select the page where you want visitors or hackers who try to access your protected paths to be redirected to.
To customize the redirect, just select the page you want to use for the redirect from Hide My WP > Tweaks > Redirects > Redirect Hidden Paths
If you’re NOT satisfied with the options included in the drop-down, you can always create a NEW Page in your site and come back to to this section of Hide My WP Ghost and choose that page as the redirect.
You can also tell Hide My WP Ghost to trigger an HTML Error when a visitor tries to access your protected path (404 HTML error or 403 HTML error – again, you choose this from the drop-down).
OR you can redirect those trying to access your protected paths to a 404 Page by selecting the option 404 page from the drop-down.
For logged users (users who can log in and log out of your website such as Authors, Editors and Administrators), you can use the Do Login and Logout Redirects option, which we will cover in the next section of this tutorial.
Login Redirect URL & Logout Redirect URL
Since Hide My WP Ghost version 5.0.13, you have the option to set the login and logout redirects based on user role.
With this option, authors, editors and administrators can be redirected on login to the right page.
To customize the redirects, go to Hide My WP > Tweaks > Redirect > Do Login & Logout Redirects.
Here, you can customize the Login Redirect URL as well as the Logout Redirect URL (you can enter whatever URL you want, it can even be an an external URL, which means you can redirect users to a page on a different site).
- Go to Default to set the Login Redirect URL and the Logout Redirect URL for ALL users (with this option, ALL users on your site will be redirected to the same login URL / the same logout URL)
- Go to the User Role option and set up individual Login Redirect URLs and individual Logout Redirect URLs based on user roles. (with this option you can set a Login Redirect URL for site Customers, for example, and a different Login Redirect URL for site Editors)
!Note that the settings you make in the User Role panel trump the settings in the Default panel (the User Role redirect has higher priority than the Default redirect URL). Use these options with caution.
Change Paths for Logged Users
Most of the themes work fine with the paths changed while the user is logged in, but there are some that need the WordPress common paths unchanged.
We recommend activating this option so that site customers, for example, can’t see the common paths while logged in to their accounts.
To activate this feature, switch on Hide My WP > Tweaks > Change Options > Change Paths for Logged Users
Change Paths In Cached Files
With this option, Hide My WP Ghost will change paths in cached files. This feature is useful when the website has a cache plugin installed. Once the website is loaded in the frontend, the cache plugin will add all the CSS Styles, JS, and HTML content into the cache directory.
Hide My WP Ghost automatically runs a background process that checks the cache directory for unchanged paths and changes them (this process is done every minute). This feature will not affect the loading speed and works with all WordPress cache plugins.
To change the paths in cached files, switch on Hide My WP > Tweaks > Change Paths In Cached Files (sidebar)
Change Relative URLs to Absolute URLs
Having all the WordPress common paths changed with custom ones will avoid having any relative URLs pointing to the old paths. We recommend using this feature to change all the HTML URLs into absolute URLs.
To change relative to absolute URLs, switch on Hide My WP > Tweaks > Change Options > Change Relative URLs to Absolute URLs
Hide Feed and Sitemap Link Tags
When this option is tuned on, Hide My WP Ghost will hide the /feed and /sitemap.xml link Tags from the frontend.
To hide Feed and Sitemap Link Tags, switch on Hide My WP > Tweaks > Feed & Sitemap > Hide Feed and Sitemap Link Tags
Change Paths in RSS Feed
This option allows you to change all the images paths with custom ones in your site’s RSS feed (the RSS feed can be accessed at: https://your site’s name/feed/).
To change paths in RSS feed, switch on Hide My WP > Tweaks > Feed & Sitemap > Change Paths in RSS Feed
Change Paths in Sitemaps XML
For better Search Engine Optimization, we recommend using this feature to change all the images paths with custom ones in sitemap.xml.
Also, Hide My WP Ghost will remove all the Sitemap style added by SEO plugins like Yoast SEO, Squirrly SEO, Google Sitemap XML, that reveal the plugin’s author. The sitemap will be shown as required by Google and other search engines.
To change the image URLs in sitemap.xml, switch on Hide My WP > Tweaks > Feed & Sitemap > Change Paths in Sitemaps XML
Change Paths in Robots.txt
This option will remove any trail to WordPress common paths that show that you’re using WordPress as your Content Management System (CMS).
Robots.txt will have the minimum requirements for Google Search Engine to index the website and not affect rankings.
To activate the Robots.txt security, switch on Hide My WP > Tweaks > Feed & Sitemap > Hide Paths in Robots.txt
Hide Admin Toolbar
With this feature, Hide My WP Ghost allows you to hide the WordPress Admin Toolbar for logged users while in frontend.
This feature is useful, for example, if you have a website that is an e-commerce or a profile site; in which case the admin toolbar should NOT show while the customer is logged in.
Because the admin toolbar uses admin classes, it’s better to use this feature to hide the WordPress CMS from users who are logged in.
To hide the admin toolbar, switch on Hide My WP > Tweaks > Hide Options > Hide Admin Toolbar
You can also select the user roles for whom to hide the Admin Toolbar. From the drop down menu you see above, select the User Roles for whom you DON’T want the Admin Toolbar to be visible.
By default, Hide My WP Ghost will hide the Admin Toolbar for Subscribers and Customers (when the Hide Admin Toolbar option is turned ON).
However, you can use the drop-down menu to select, add, and remove User Roles as you need. (multiple User Roles can be selected)
Note that if you activate the Hide Admin Toolbar option, you must have at least one USER ROLE selected. If you don’t select a user role, the plugin will use the default option.
Hide Version from Images, CSS and JS in WordPress
For every new website, WordPress adds a Generator META in the header with its signature. Many other plugins do the same, so the choice is to completely remove Generator META from the header.
This feature also:
- removes the version parameters from CSS Styles loaded in the source-code
- removes the version parameters from JS Scripts loaded in the source-code
- removes the version parameters from Images loaded in the source-code
To activate this feature, switch on Hide My WP > Tweaks > Hide Options > Hide Version from Images, CSS and JS in WordPress
Hide IDs from META Tags
By activating this option, Hide My WP Ghost will hide the IDs from all <links>, <style>, and <scripts> META Tags.
To activate this feature, switch on Hide My WP > Tweaks > Hide Options > Hide IDs from META Tags
Hide WordPress DNS Prefetch META Tags
By activating this option, Hide My WP Ghost will hide the DNS Prefetch that points to WordPress.
To activate this feature, switch on Hide My WP > Tweaks > Hide Options > Hide WordPress DNS Prefetch META Tags
Hide RSD (Really Simple Discovery) header
Really Simple Discovery (RSD) is an XML format and a publishing convention for making services exposed by a blog, or other web software, discoverable by client software.
In our case, this header will expose the WordPress service on every website call.
Hiding the RSD header is mandatory when you want to hide the WordPress CSM from Theme Detectors.
This feature also:
- removes all the WordPress cache plugins headers
- removes the x-cf-powered-by header
- removes the Link header
- removes the rsd_link header
- removes the PHP info header
To activate this feature, switch on Hide My WP > Change Paths > API Security > Disable RSD (Really Simple Discovery) endpoit from XML-RPC
Hide HTML Comments
WordPress adds comments not only into the site’s source-code but also into plugins and themes. Most Theme Detectors will read the comments from HTML to identify the plugins and versions.
Removing the HTML comments is also a must if you want to hide your WordPress website from detectors.
To remove the HTML comments, switch on Hide My WP > Tweaks > Hide Options > Hide HTML Comments
Hide Emoji icons
Emojis are little icons used to express ideas or emotions. If you don’t use them in your website, you do NOT need to load them.
Another reason to disable Emojicons is for speed optimization. You are likely to notice a significant improvement in your page loading times when these libraries are NOT loaded.
To disable Emojicons, switch on Hide My WP > Tweaks > Hide Options > Hide Emojicons
Disable XML-RPC access
The XML-RPC API that WordPress provides gives developers a way to write applications (for you) that can do many of the things that you can do when logged into WordPress via the web interface.
This xml-rpc.php path is also used for Brute Force attacks because it’s not protected with limit attempts by WordPress.
Please read before activating this feature: Should You Disable XML-RPC on WordPress?
JetPack Plugin Compatibility: To hide the XML-RPC from hackers but to let Jetpack IPs access the website: add this code in .htaccess at the beginning of the file:
<Files xmlrpc.php> Order deny,allow Deny from all Allow from 127.0.0.1 Allow from *.wordpress.com Allow from 184.108.40.206/18 Allow from 220.127.116.11/22 Allow from 2a04:fa80::/29 Allow from 18.104.22.168/22 Allow from 22.214.171.124/22 Allow from 126.96.36.199/22 Allow from 188.8.131.52/22 Allow from 184.108.40.206/22 Satisfy All ErrorDocument 404 / </Files>
Now, whenever someone tries to directly access xmlrpc.php, they’ll see the 403 Forbidden error.
To completely disable XML-RPC access, switch on Hide My WP > Change Paths > API Security > Disable XML-RPC access
Disable Embed scripts
oEmbed allows users to embed YouTube videos, tweets, and many other resources on their sites simply by pasting a URL, which WordPress then automatically converts into an embed (also provides a live preview inside the visual editor). Most of the themes already include this option, so you don’t need to load these scripts anymore.
Another reason to disable oEmbed scripts is for speed optimization. You will notice a significant improvement in your page loading times when these libraries are NOT loaded.
To disable Embed scripts, switch on Hide My WP > Tweaks > Hide Option > Hide Embed scripts
Disable WLW Manifest scripts
If you don’t use Windows Live Writer, then this code is completely useless to you and should be removed.
To disable WLW (Windows Live Writer) Manifest scripts, switch on Hide My WP > Tweaks > Hide Options > Disable WLW Manifest scripts
To reach the Disable options available in Hide My WP Ghost, navigate to Hide My WP > Tweaks > Disable Options. Here you will find the following options:
- Disable Right-Click. By activating this option, Hide My WP Ghost will disable right-click functionality on your website, which can help prevent security violations and improve the perceived security of your site)
- Disable Inspect Element. By activating this option, Hide My WP Ghost will disable the inspect element view on your website.
- Disable View Source. By activating this option, Hide My WP Ghost will disable the source-code view on your website.
- Disable Copy/Paste. By activating this option, Hide My WP Ghost will disable Copy & Paste functions on your website.
- Disable Drag/Drop Images. By activating this option, Hide My WP Ghost will disable visitors’ ability to drag and drop images on your site.
^^ If visitors on your site will try to perform one of these actions after you’ve activated the corresponding feature in Hide My WP Ghost, they will see a message letting them know that the action they wanted to perform is not possible on your website.
For example, say you’ve activated the Disable Right-Click option using Hide My WP Ghost. If a site visitor will try to click right on one of your pages, they will see the following message by default: Right click is disabled!
But you can also choose to customize the message that appears (as shown in the image below).
- The option to customize the message that appears is available for all options in the Disable Options section of Hide My WP Ghost.
- If you do NOT want to display any message, simply leave the text field blank.
There is one more option you can activate in the Disable Options section of Hide My WP Ghost, namely: Disable DB Debug in Frontend.
Disable DB Debug in Frontend
It’s not safe to have Database Debug turned on in frontend. Make sure you don’t use Database debug on live websites.
To disable DB Debug, switch on Hide My WP > Tweaks > Disable Options > Disable DB Debug in Frontend
- We recommend activating ALL features from Hide My WP > Tweaks > Hide Options.