Activate Security Tweaks

To hide WordPress from Theme Detectors, you need to activate some extra features in Hide My WP Ghost.

These features don’t affect the website security, but Theme Detectors also check WordPress signals such as plugin HTML comments, the WordPress version, the RSD header, and more.


Hide Admin Toolbar

This feature is useful when the website is an e-commerce or a profile site and the admin toolbar should not show while the customer is logged in.

Because the admin toolbar uses admin classes, it’s better to use this feature to hide the WordPress CMS from logged-in users.

To hide the admin toolbar, switch on Hide My WP > Tweaks > Hide Admin Toolbar

Hide WordPress Version

It’s important to hide the version info of all plugins, themes and WordPress core in order to hide from Theme Detectors.

For every new website, WordPress adds a Generator META tag to the header with its signature. Many plugins do the same, so the choice is to completely remove the Generator META from the header.

This feature also:

  • removes the version parameters from CSS Styles loaded in the source code
  • removes the version parameters from JS Scripts loaded in the source code
  • removes the generator Meta for WordPress
  • removes the generator Meta for WPML (WordPress Multilingual Plugin)
  • removes the generator Meta for Slider Revolution
  • removes the generator Meta for Visual Composer / WPBakery Page Builder
  • removes the dns-prefetch link to WP.org
  • hides the Jetpack analytics trails to WordPress

To activate this feature, switch on Hide My WP > Tweaks > Hide Version and WordPress Tags

Hide RSD (Really Simple Discovery) header

Really Simple Discovery (RSD) is an XML format and a publishing convention for making services exposed by a blog, or other web software, discoverable by client software.

In our case, this header exposes the WordPress service on every website call.

Hiding the RSD header is mandatory when you want to hide the WordPress CMS from Theme Detectors.

This feature also:

  • removes all the WordPress cache plugins’ headers
  • removes the x-cf-powered-by header
  • removes the Link header
  • removes the rsd_link header
  • removes the PHP info header

To activate this feature, switch on Hide My WP > Tweaks > Hide RSD (Really Simple Discovery) header

Hide WordPress HTML Comments

WordPress is not the only one adding comments to the source code; plugins and themes add them too. Most Theme Detectors read the HTML comments to identify the plugins and their versions.

Removing the HTML comments is also a must if you want to hide the website from detectors.

To remove the HTML comments, switch on Hide My WP > Tweaks > Hide WordPress HTML Comments

Hide Emoji icons

Emojis are little icons used to express ideas or emotions. If you don’t use them on your website, you don’t need to load them.

Another reason to disable Emojicons is for speed optimization. You will notice a significant improvement in your page loading when these libraries are not loaded.

To disable Emojicons, switch on Hide My WP > Tweaks > Hide Emojicons

Change Paths For Logged Users

Most themes work fine with the paths changed while the user is logged in, but some need the common WordPress paths unchanged.

We recommend activating this option so that customers can’t see the common paths while they’re logged in to their account.

To activate this feature, switch on Hide My WP > Tweaks > Change Paths for Logged Users

Change Paths In Cached Files

This feature is useful when the website has a cache plugin installed. Once the website is loaded in the frontend, the cache plugin adds all the CSS Styles, JS and HTML content to the cache directory.

Hide My WP Ghost runs a background process that checks the cache directory for unchanged paths and changes them. This feature does not affect the loading speed and works with all the WordPress cache plugins.

To change the paths in cached files, switch on Hide My WP > Tweaks > Change Paths In Cached Files

Change Paths in Ajax Calls

Some plugins use Lazy Load options to load videos and images only when the user scrolls to that specific image. In this case the images are usually called through Ajax, and you need to be sure that these images’ paths are also changed.

If some themes load CSS styles through Ajax, you may have CSS duplicates if the paths are not always the same.

To change the paths in Ajax calls, switch on Hide My WP > Tweaks > Change Paths in Ajax Calls

Disable XML-RPC access

The XML-RPC API that WordPress provides gives developers a way to write applications (for you) that can do many of the things that you can do when logged into WordPress via the web interface.

The xmlrpc.php path is also used for Brute Force attacks because WordPress does not protect it with a limit on attempts.

Please read before activating this feature: Should You Disable XML-RPC on WordPress?

To disable XML-RPC access, switch on Hide My WP > Tweaks > Disable XML-RPC access

Disable Embed scripts

oEmbed allows users to embed YouTube videos, tweets and many other resources on their sites simply by pasting a URL, which WordPress automatically converts into an embed and provides a live preview in the visual editor. Most themes already come with this option included, so you don’t need to load these scripts anymore.

Another reason to disable oEmbed scripts is for speed optimization. You will notice a significant improvement in your page loading when these libraries are not loaded.

To disable Embed scripts, switch on Hide My WP > Tweaks > Disable Embed scripts

Disable WLW Manifest scripts

If you don’t use Windows Live Writer, then this code is completely useless to you and should be removed.

To disable WLW Manifest scripts, switch on Hide My WP > Tweaks > Disable WLW Manifest scripts

Disable DB Debug in Frontend

It’s not safe to have Database Debug turned on in the frontend. Make sure you don’t use Database debug on live websites.

To disable DB Debug, switch on Hide My WP > Tweaks > Disable DB Debug in Frontend

Website Security Check

Run a website security check and make sure that the WordPress Debug and Database Debug options are turned off in the frontend.

To run a security check, go to Hide My WP > Security Check
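
To confirm on your own site that the version, RSD, WLW Manifest and HTML comment tweaks took effect, you can audit a saved response for the signals listed on this page. The script below is an added example, not code from Hide My WP Ghost; the signal names, the `audit` function and the sample response are constructed for illustration, and `X-Powered-By` is assumed to be the "PHP info header".

```python
import re
from html.parser import HTMLParser

# Constructed sample response (not from a real site) with the signals still present.
SAMPLE_HEADERS = {"Link": '<https://example.test/wp-json/>; rel="https://api.w.org/"',
                  "X-Powered-By": "PHP/8.1.0"}  # assumed to be the "PHP info header"
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.4.2">
<link rel="EditURI" type="application/rsd+xml" href="/xmlrpc.php?rsd">
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="/wp-includes/wlwmanifest.xml">
<link rel="dns-prefetch" href="//s.w.org">
<link rel="stylesheet" href="/wp-content/themes/demo/style.css?ver=6.4.2">
<!-- Optimized by Example Plugin v1.2 -->
</head><body></body></html>"""
LEAKY_HEADERS = ("link", "x-powered-by", "x-cf-powered-by")


class SignalParser(HTMLParser):
    """Collects the markup signals the tweaks on this page are meant to remove."""
    def __init__(self):
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        rel, url = a.get("rel", "").lower(), a.get("href", "") + a.get("src", "")
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.found.add("generator meta")
        if tag == "link" and rel == "edituri":
            self.found.add("rsd link")
        if tag == "link" and rel == "wlwmanifest":
            self.found.add("wlwmanifest link")
        if tag == "link" and rel == "dns-prefetch" and "s.w.org" in url:
            self.found.add("dns-prefetch to WP.org")
        if re.search(r"[?&]ver=", url):
            self.found.add("version parameter")

    def handle_comment(self, data):
        if not data.lstrip().startswith("[if "):  # skip IE conditional comments
            self.found.add("html comment")


def audit(headers, html):
    """Return the sorted signals still present in one response."""
    parser = SignalParser()
    parser.feed(html)
    parser.close()
    found = parser.found | {"header: " + h.lower() for h in headers if h.lower() in LEAKY_HEADERS}
    return sorted(found)
```

Feed `audit` the headers and body of a page fetched while logged out; an empty list means none of these signals remain in that response.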
