Skip to contentSkip to main navigation Skip to footer

Activate Security Tweaks

In order to hide your WordPress from Theme Detectors, you will need to activate some extra features in Hide My WP Ghost.

These features don’t affect the website’s security. However, the Theme Detectors will also check some WordPress signals like:

  • plugins HTML comments,
  • WordPress version,
  • RSD header,
  • and more.

Redirect Hidden Paths

If you have visitors that try to access the protected (changed and hidden) WordPress common paths (such as: /wp-admin and /wp-login) you can use the Redirect Hidden Paths feature to redirect those visitors to another page whenever they reach those WordPress common paths.

So, for example, if someone tries to access your /wp-admin once you’ve used Hide My WP Ghost to protect that path, that visitor will instantly be redirect to another page.

The default option for this is: the Front Page.

But you can also use the Drop Down you see pictured below to select the page where you want visitors or hackers who try to access your protected paths to be redirected to.

To customize the redirect, just select the page you want to use for the redirect from Hide My WP > Tweaks > Redirects > Redirect Hidden Paths

If you’re NOT satisfied with the options included in the drop-down, you can always create a NEW Page in your site and come back to to this section of Hide My WP Ghost and choose that page as the redirect.

You can also tell Hide My WP Ghost to trigger an HTML Error when a visitor tries to access your protected path (404 HTML error or 403 HTML error – again, you choose this from the drop-down).

OR you can redirect those trying to access your protected paths to a 404 Page by selecting the option 404 page from the drop-down.

For logged users (users who can log in and log out of your website such as Authors, Editors and Administrators), you can use the Do Login and Logout Redirects option, which we will cover in the next section of this tutorial.


Login Redirect URL & Logout Redirect URL

Since Hide My WP Ghost version 5.0.13, you have the option to set the login and logout redirects based on user role.

With this option, authors, editors and administrators can be redirected on login to the right page.

To customize the redirects, go to Hide My WP > Tweaks > Redirect > Do Login & Logout Redirects.

Here, you can customize the Login Redirect URL as well as the Logout Redirect URL (you can enter whatever URL you want, it can even be an an external URL, which means you can redirect users to a page on a different site).

  • Go to Default to set the Login Redirect URL and the Logout Redirect URL for ALL users (with this option, ALL users on your site will be redirected to the same login URL / the same logout URL)
  • Go to the User Role option and set up individual Login Redirect URLs and individual Logout Redirect URLs based on user roles. (with this option you can set a Login Redirect URL for site Customers, for example, and a different Login Redirect URL for site Editors)

!Note that the settings you make in the User Role panel trump the settings in the Default panel (the User Role redirect has higher priority than the Default redirect URL). Use these options with caution.

Login & Logouts URL

Make sure that the redirect URLs exist on your website. Don’t use URLs that lead to 404 Page not found.

The User Role redirect URL has higher priority than the Default redirect URL.

You can use relative or absolute URLs for redirects. We recommend using relative URLs to prevent any error in case the website domain is changed.


Redirect Logged Users To Dashboard

With this option, a previously logged user will be automatically redirected to the admin dashboard when he goes on the login page.

To activate this option, go to Hide My WP > Tweaks > Redirect > Redirect Logged Users To Dashboard.


Change Paths for Logged Users

Most of the themes work fine with the paths changed while the user is logged in, but there are some that need the WordPress common paths unchanged.

We recommend activating this option so that site customers, for example, can’t see the common paths while logged in to their accounts.

To activate this feature, switch on Hide My WP > Tweaks > Change Options > Change Paths for Logged Users


Change Paths In Cached Files

With this option, Hide My WP Ghost will change paths in cached files. This feature is useful when the website has a cache plugin installed. Once the website is loaded in the frontend, the cache plugin will add all the CSS Styles, JS, and HTML content into the cache directory.

Hide My WP Ghost automatically runs a background process that checks the cache directory for unchanged paths and changes them (this process is done every minute). This feature will not affect the loading speed and works with all WordPress cache plugins.

To change the paths in cached files, switch on Hide My WP > Tweaks > Change Paths In Cached Files (sidebar)

Background Process & Cache Files

To see the changes, please check the page as a visitor (incognito mode or with a different browser) and wait one minute after the cache is created for Hide My WP Ghost to change all the paths from the cached files.


Change Relative URLs to Absolute URLs

Having all the WordPress common paths changed with custom ones will avoid having any relative URLs pointing to the old paths. We recommend using this feature to change all the HTML URLs into absolute URLs.

To change relative to absolute URLs, switch on Hide My WP > Tweaks > Change Options > Change Relative URLs to Absolute URLs


Hide Feed and Sitemap Link Tags

When this option is turned on, Hide My WP Ghost will hide the /feed and /sitemap.xml link Tags from the frontend.

To hide Feed and Sitemap Link Tags, switch on Hide My WP > Tweaks > Feed & Sitemap > Hide Feed and Sitemap Link Tags


Change Paths in RSS Feed

This option allows you to change all the images paths with custom ones in your site’s RSS feed (the RSS feed can be accessed at: https://your site’s name/feed/).

To change paths in RSS feed, switch on Hide My WP > Tweaks > Feed & Sitemap > Change Paths in RSS Feed


Change Paths in Sitemaps XML

For better Search Engine Optimization, we recommend using this feature to change all the image paths with custom ones in sitemap.xml.

The sitemap will be shown as required by Google and other search engines.

To change the image URLs in sitemap.xml, switch on Hide My WP > Tweaks > Feed & Sitemap > Change Paths in Sitemaps XML

Also, by activating the option Remove Plugin Authors & Style from Sitemap XML, you can remove the sitemap style & author name added by SEO plugins like Yoast SEO, Squirrly SEO, Google Sitemap XML, which reveal the plugin’s author.

Note! The sitemap style author doesn’t help with SEO but it tells the users who created the sitemap. It also tells the theme detectors and they will say you’re using WordPress even if all paths are secured.


Change Paths in Robots.txt

This option will remove any trail to WordPress common paths that show that you’re using WordPress as your Content Management System (CMS).

Robots.txt will have the minimum requirements for Google Search Engine to index the website and not affect rankings.

To activate the Robots.txt security, switch on Hide My WP > Tweaks > Feed & Sitemap > Hide Paths in Robots.txt


Hide Admin Toolbar

With this feature, Hide My WP Ghost allows you to hide the WordPress Admin Toolbar for logged users while in frontend.

This feature is useful, for example, if you have a website that is an e-commerce or a profile site; in which case the admin toolbar should NOT show while the customer is logged in.

Because the admin toolbar uses admin classes, it’s better to use this feature to hide the WordPress CMS from users who are logged in.

To hide the admin toolbar, switch on Hide My WP > Tweaks > Hide Options > Hide Admin Toolbar


You can also select the user roles for whom to hide the Admin Toolbar. From the drop down menu you see above, select the User Roles for whom you DON’T want the Admin Toolbar to be visible.

By default, Hide My WP Ghost will hide the Admin Toolbar for Subscribers and Customers (when the Hide Admin Toolbar option is turned ON).

However, you can use the drop-down menu to select, add, and remove User Roles as you need. (multiple User Roles can be selected)

Note that if you activate the Hide Admin Toolbar option, you must have at least one USER ROLE selected. If you don’t select a user role, the plugin will use the default option.


Hide Version from Images, CSS and JS in WordPress

It’s important to hide the version info from all plugins, themes, and WordPress core in order to hide from Theme Detectors. By activating this option, Hide My WP Ghost will hide all information regarding versions from the end of any Image, CSS and JavaScript files.

For every new website, WordPress adds a Generator META in the header with its signature. Many other plugins do the same, so the choice is to completely remove Generator META from the header.

This feature also:

  • removes the version parameters from CSS Styles loaded in the source-code
  • removes the version parameters from JS Scripts loaded in the source-code
  • removes the version parameters from Images loaded in the source-code

To activate this feature, switch on Hide My WP > Tweaks > Hide Options > Hide Version from Images, CSS and JS in WordPress


Hide IDs from META Tags

By activating this option, Hide My WP Ghost will hide the IDs from all <links>, <style>, and <scripts> META Tags.

To activate this feature, switch on  Hide My WP > Tweaks > Hide Options > Hide IDs from META Tags


Hide WordPress Generator META Tags

By activating this option, Hide My WP Ghost will hide the Hide the WordPress Generator META tags.

To activate this feature, switch on  Hide My WP > Tweaks > Hide Options > Hide WordPress Generator META Tags


Hide WordPress DNS Prefetch META Tags

By activating this option, Hide My WP Ghost will hide the DNS Prefetch that points to WordPress.

To activate this feature, switch on  Hide My WP > Tweaks > Hide Options > Hide WordPress DNS Prefetch META Tags


Hide HTML Comments

WordPress adds comments not only into the site’s source-code but also into plugins and themes. Most Theme Detectors will read the comments from HTML to identify the plugins and versions.

Removing the HTML comments is also a must if you want to hide your WordPress website from detectors.

To remove the HTML comments, switch on Hide My WP > Tweaks > Hide Options > Hide HTML Comments


Hide Emoji icons

Emojis are little icons used to express ideas or emotions. If you don’t use them in your website, you do NOT need to load them.

Another reason to disable Emojicons is for speed optimization. You are likely to notice a significant improvement in your page loading times when these libraries are NOT loaded.

To disable Emojicons, switch on Hide My WP > Tweaks > Hide Options > Hide Emojicons


Disable Embed scripts

oEmbed allows users to embed YouTube videos, tweets, and many other resources on their sites simply by pasting a URL, which WordPress then automatically converts into an embed (also provides a live preview inside the visual editor). Most of the themes already include this option, so you don’t need to load these scripts anymore.

Another reason to disable oEmbed scripts is for speed optimization. You will notice a significant improvement in your page loading times when these libraries are NOT loaded.

To disable Embed scripts, switch on Hide My WP > Tweaks > Hide Options > Hide Embed scripts


Disable WLW Manifest scripts

If you don’t use Windows Live Writer, then this code is completely useless to you and should be removed, as this tells the whole world you’re using WordPress as your CMS.

To disable WLW (Windows Live Writer) Manifest scripts, switch on Hide My WP > Tweaks > Hide Options > Disable WLW Manifest scripts


Disable Options

To reach the Disable options available in Hide My WP Ghost, navigate to Hide My WP > Tweaks > Disable Options. Here you will find the following options:

jQuery Dependency

This functionality is dependent on the presence of the jQuery library on the frontend for optimal operation. The exclusive method for deactivating frontend options is through the utilization of JavaScript. If JavaScript is missing, there exists no means to exert control over the mouse cursor and keyboard inputs within the web browser.

Disable Right-Click

If you’re new to website security and want to enhance the perceived safety of your site, one effective measure is to disable right-click functionality. Enabling this option will prevent visitors from right-clicking on your website. This feature helps deter potential security breaches and reinforces the overall security of your site.

When right-click functionality is disabled, users won’t be able to access the context menu, which includes options like “Inspect Element.” This prevents unauthorized individuals from easily inspecting and manipulating your website’s code, adding an extra layer of protection to your valuable content.

Disable Inspect Element

When you activate the “Disable Inspect Element” option, not only does it disable the key combination that reveals the Inspect Element feature, but it also blocks several other commonly used combinations. These combinations include Ctrl + Shift + I, Option + Shift + Command + I, Ctrl + Shift + C, Ctrl + Shift + K, Ctrl + Shift + J, F12, etc.

By disabling these key combinations, Hide My WP Ghost ensures that unauthorized individuals cannot access the Inspect Element tool or other browser developer tools easily. By implementing this feature, Hide My WP Ghost enhances the overall security and integrity of your valuable online content, offering you peace of mind in protecting your website from potential threats.

Disable View Source

When you enable the “Disable View Source” option, it effectively disables the key combinations that reveal the View Source element on your website. Specifically, it disables combinations such as Option + Command + U on macOS and Ctrl + U on Windows.

View Source is a feature in web browsers that allows users to access and view the underlying HTML source code of a webpage. By disabling these key combinations, Hide My WP Ghost prevents unauthorized individuals from easily accessing and analyzing the source code of your website.

This feature adds an extra layer of protection to your website’s source code, safeguarding it against potential security breaches and unauthorized copying or modification.

Disable Copy/Paste

When you activate this option in Hide My WP Ghost, it disables the ability for visitors to copy and paste content from your website. This feature helps protect your valuable textual content, preventing unauthorized duplication or plagiarism.

Disable Drag/Drop Images

By enabling this option, Hide My WP Ghost prevents visitors from dragging and dropping images on your website. This feature ensures that images cannot be easily downloaded or misused without your permission.

If a visitor attempts to perform any of these restricted actions after you’ve activated the corresponding feature, Hide My WP Ghost will display a message informing them that the action is not possible on your website. For example, if the “Disable Right-Click” option is enabled, and a visitor tries to right-click on a page, they will see a default message saying, “Right click is disabled!

If you do NOT want to display any message, simply leave the text field blank.

Furthermore, Hide My WP Ghost allows you to customize the message that appears, providing you with the flexibility to convey your own unique message to visitors attempting to perform these restricted actions. This customization feature gives you the opportunity to add a personalized touch or provide specific instructions to your visitors.

Overall, these features in Hide My WP Ghost empower you to protect your website’s content, prevent unauthorized actions, and maintain control over how your content is accessed and used by visitors.


Disable DB Debug in Frontend

There is one more option you can activate in the Disable Options section of Hide My WP Ghost, namely: Disable DB Debug in Frontend.

It’s not safe to have Database Debug turned on in frontend. Make sure you don’t use Database debug on live websites.

To disable DB Debug, switch on Hide My WP > Tweaks > Disable Options > Disable DB Debug in Frontend

Website Security Check

Run a website security check and make sure that the WordPress Debug and Database Debug options are turned off in frontend.

To run a security check, go to Hide My WP > Security Check