Activate Security Tweaks

In order to hide your WordPress from Theme Detectors, you will need to activate some extra features in Hide My WP Ghost.

These features don’t affect the website’s security. However, the Theme Detectors will also check some WordPress signals like:

  • plugins HTML comments,
  • WordPress version,
  • RSD header,
  • and more.

Redirect Hidden Paths

If you have visitors that try to access the protected (changed and hidden) WordPress common paths (such as: /wp-admin and /wp-login) you can use the Redirect Hidden Paths feature to redirect those visitors to another page whenever they reach those WordPress common paths.

So, for example, if someone tries to access your /wp-admin once you’ve used Hide My WP Ghost to protect that path, that visitor will instantly be redirect to another page.

The default option for this is: the Front Page.

But you can also use the Drop Down you see pictured below to select the page where you want visitors or hackers who try to access your protected paths to be redirected to.

To customize the redirect, just select the page you want to use for the redirect from Hide My WP > Tweaks > Redirects > Redirect Hidden Paths

If you’re NOT satisfied with the options included in the drop-down, you can always create a NEW Page in your site and come back to to this section of Hide My WP Ghost and choose that page as the redirect.

You can also tell Hide My WP Ghost to trigger an HTML Error when a visitor tries to access your protected path (404 HTML error or 403 HTML error – again, you choose this from the drop-down).

OR you can redirect those trying to access your protected paths to a 404 Page by selecting the option 404 page from the drop-down.

For logged users (users who can log in and log out of your website such as Authors, Editors and Administrators), you can use the Do Login and Logout Redirects option, which we will cover in the next section of this tutorial.

Login Redirect URL & Logout Redirect URL

Since Hide My WP Ghost version 5.0.13, you have the option to set the login and logout redirects based on user role.

With this option, authors, editors and administrators can be redirected on login to the right page.

To customize the redirects, go to Hide My WP > Tweaks > Redirect > Do Login & Logout Redirects.

Here, you can customize the Login Redirect URL as well as the Logout Redirect URL (you can enter whatever URL you want, it can even be an an external URL, which means you can redirect users to a page on a different site).

  • Go to Default to set the Login Redirect URL and the Logout Redirect URL for ALL users (with this option, ALL users on your site will be redirected to the same login URL / the same logout URL)
  • Go to the User Role option and set up individual Login Redirect URLs and individual Logout Redirect URLs based on user roles. (with this option you can set a Login Redirect URL for site Customers, for example, and a different Login Redirect URL for site Editors)

!Note that the settings you make in the User Role panel trump the settings in the Default panel (the User Role redirect has higher priority than the Default redirect URL). Use these options with caution.

Login & Logouts URL

Make sure that the redirect URLs exist on your website. Don’t use URLs that lead to 404 Page not found.

The User Role redirect URL has higher priority than the Default redirect URL.

You can use relative or absolute URLs for redirects. We recommend using relative URLs to prevent any error in case the website domain is changed.


Change Paths for Logged Users

Most of the themes work fine with the paths changed while the user is logged in, but there are some that need the WordPress common paths unchanged.

We recommend activating this option so that site customers, for example, can’t see the common paths while logged in to their accounts.

To activate this feature, switch on Hide My WP > Tweaks > Change Options > Change Paths for Logged Users


Change Paths In Cached Files

With this option, Hide My WP Ghost will change paths in cached files. This feature is useful when the website has a cache plugin installed. Once the website is loaded in the frontend, the cache plugin will add all the CSS Styles, JS, and HTML content into the cache directory.

Hide My WP Ghost automatically runs a background process that checks the cache directory for unchanged paths and changes them (this process is done every minute). This feature will not affect the loading speed and works with all WordPress cache plugins.

To change the paths in cached files, switch on Hide My WP > Tweaks > Change Paths In Cached Files (sidebar)

Background Process & Cache Files

To see the changes, please check the page as a visitor (incognito mode or with a different browser) and wait one minute after the cache is created for Hide My WP Ghost to change all the paths from the cached files.


Change Relative URLs to Absolute URLs

Having all the WordPress common paths changed with custom ones will avoid having any relative URLs pointing to the old paths. We recommend using this feature to change all the HTML URLs into absolute URLs.

To change relative to absolute URLs, switch on Hide My WP > Tweaks > Change Options > Change Relative URLs to Absolute URLs


Hide Feed and Sitemap Link Tags

When this option is tuned on, Hide My WP Ghost will hide the /feed and /sitemap.xml link Tags from the frontend.

To hide Feed and Sitemap Link Tags, switch on Hide My WP > Tweaks > Feed & Sitemap > Hide Feed and Sitemap Link Tags


Change Paths in RSS Feed

This option allows you to change all the images paths with custom ones in your site’s RSS feed (the RSS feed can be accessed at: https://your site’s name/feed/).

To change paths in RSS feed, switch on Hide My WP > Tweaks > Feed & Sitemap > Change Paths in RSS Feed


Change Paths in Sitemaps XML

For better Search Engine Optimization, we recommend using this feature to change all the images paths with custom ones in sitemap.xml.

Also, Hide My WP Ghost will remove all the Sitemap style added by SEO plugins like Yoast SEO, Squirrly SEO, Google Sitemap XML, that reveal the plugin’s author. The sitemap will be shown as required by Google and other search engines.

To change the image URLs in sitemap.xml, switch on Hide My WP > Tweaks > Feed & Sitemap > Change Paths in Sitemaps XML


Change Paths in Robots.txt

This option will remove any trail to WordPress common paths that show that you’re using WordPress as your Content Management System (CMS).

Robots.txt will have the minimum requirements for Google Search Engine to index the website and not affect rankings.

To activate the Robots.txt security, switch on Hide My WP > Tweaks > Feed & Sitemap > Hide Paths in Robots.txt


Hide Admin Toolbar

With this feature, Hide My WP Ghost allows you to hide the WordPress Admin Toolbar for logged users while in frontend.

This feature is useful, for example, if you have a website that is an e-commerce or a profile site; in which case the admin toolbar should NOT show while the customer is logged in.

Because the admin toolbar uses admin classes, it’s better to use this feature to hide the WordPress CMS from users who are logged in.

To hide the admin toolbar, switch on Hide My WP > Tweaks > Hide Options > Hide Admin Toolbar


You can also select the user roles for whom to hide the Admin Toolbar. From the drop down menu you see above, select the User Roles for whom you DON’T want the Admin Toolbar to be visible.

By default, Hide My WP Ghost will hide the Admin Toolbar for Subscribers and Customers (when the Hide Admin Toolbar option is turned ON).

However, you can use the drop-down menu to select, add, and remove User Roles as you need. (multiple User Roles can be selected)

Note that if you activate the Hide Admin Toolbar option, you must have at least one USER ROLE selected. If you don’t select a user role, the plugin will use the default option.


Hide Version from Images, CSS and JS in WordPress

It’s important to hide the version info from all plugins, themes, and WordPress core in order to hide from Theme Detectors. By activating this option, Hide My WP Ghost will hide all information regarding versions from the end of any Image, CSS and JavaScript files.

For every new website, WordPress adds a Generator META in the header with its signature. Many other plugins do the same, so the choice is to completely remove Generator META from the header.

This feature also:

  • removes the version parameters from CSS Styles loaded in the source-code
  • removes the version parameters from JS Scripts loaded in the source-code
  • removes the version parameters from Images loaded in the source-code

To activate this feature, switch on Hide My WP > Tweaks > Hide Options > Hide Version from Images, CSS and JS in WordPress


Hide IDs from META Tags

By activating this option, Hide My WP Ghost will hide the IDs from all <links>, <style>, and <scripts> META Tags.

To activate this feature, switch on  Hide My WP > Tweaks > Hide Options > Hide IDs from META Tags


Hide WordPress DNS Prefetch META Tags

By activating this option, Hide My WP Ghost will hide the DNS Prefetch that points to WordPress.

To activate this feature, switch on  Hide My WP > Tweaks > Hide Options > Hide WordPress DNS Prefetch META Tags

Hide RSD (Really Simple Discovery) header

Really Simple Discovery (RSD) is an XML format and a publishing convention for making services exposed by a blog, or other web software, discoverable by client software.

In our case, this header will expose the WordPress service on every website call.

Hiding the RSD header is mandatory when you want to hide the WordPress CSM from Theme Detectors.

This feature also:

  • removes all the WordPress cache plugins headers
  • removes the x-cf-powered-by header
  • removes the Link header
  • removes the rsd_link header
  • removes the PHP info header

To activate this feature, switch on Hide My WP > Change Paths > API Security > Disable RSD (Really Simple Discovery) endpoit from XML-RPC


Hide HTML Comments

WordPress adds comments not only into the site’s source-code but also into plugins and themes. Most Theme Detectors will read the comments from HTML to identify the plugins and versions.

Removing the HTML comments is also a must if you want to hide your WordPress website from detectors.

To remove the HTML comments, switch on Hide My WP > Tweaks > Hide Options > Hide HTML Comments


Hide Emoji icons

Emojis are little icons used to express ideas or emotions. If you don’t use them in your website, you do NOT need to load them.

Another reason to disable Emojicons is for speed optimization. You are likely to notice a significant improvement in your page loading times when these libraries are NOT loaded.

To disable Emojicons, switch on Hide My WP > Tweaks > Hide Options > Hide Emojicons


Disable XML-RPC access

The XML-RPC API that WordPress provides gives developers a way to write applications (for you) that can do many of the things that you can do when logged into WordPress via the web interface.

This xml-rpc.php path is also used for Brute Force attacks because it’s not protected with limit attempts by WordPress.

Please read before activating this feature: Should You Disable XML-RPC on WordPress?

JetPack Plugin Compatibility: To hide the XML-RPC from hackers but to let Jetpack IPs access the website: add this code in .htaccess at the beginning of the file:

<Files xmlrpc.php>
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from *.wordpress.com
Allow from 192.0.64.0/18
Allow from 185.64.140.0/22
Allow from 2a04:fa80::/29
Allow from 76.74.255.0/22
Allow from 192.0.65.0/22
Allow from 192.0.80.0/22
Allow from 192.0.96.0/22
Allow from 192.0.123.0/22
Satisfy All
ErrorDocument 404 /
</Files>

Now, whenever someone tries to directly access xmlrpc.php, they’ll see the 403 Forbidden error.

To completely disable XML-RPC access, switch on Hide My WP > Change Paths > API Security > Disable XML-RPC access

Remote XML-RPC Access

XML-RPC is still used by remote services like Jetpack and Zapier.

Make sure there are no services on your website that use this function before you disable it.


Disable Embed scripts

oEmbed allows users to embed YouTube videos, tweets, and many other resources on their sites simply by pasting a URL, which WordPress then automatically converts into an embed (also provides a live preview inside the visual editor). Most of the themes already include this option, so you don’t need to load these scripts anymore.

Another reason to disable oEmbed scripts is for speed optimization. You will notice a significant improvement in your page loading times when these libraries are NOT loaded.

To disable Embed scripts, switch on Hide My WP > Tweaks > Hide Option > Hide Embed scripts


Disable WLW Manifest scripts

If you don’t use Windows Live Writer, then this code is completely useless to you and should be removed.

To disable WLW (Windows Live Writer) Manifest scripts, switch on Hide My WP > Tweaks > Hide Options > Disable WLW Manifest scripts


Disable Options

To reach the Disable options available in Hide My WP Ghost, navigate to Hide My WP > Tweaks > Disable Options. Here you will find the following options:

  • Disable Right-Click. By activating this option, Hide My WP Ghost will disable right-click functionality on your website, which can help prevent security violations and improve the perceived security of your site)
  • Disable Inspect Element. By activating this option, Hide My WP Ghost will disable the inspect element view on your website.
  • Disable View Source. By activating this option, Hide My WP Ghost will disable the source-code view on your website.
  • Disable Copy/Paste. By activating this option, Hide My WP Ghost will disable Copy & Paste functions on your website.
  • Disable Drag/Drop Images. By activating this option, Hide My WP Ghost will disable visitors’ ability to drag and drop images on your site.

^^ If visitors on your site will try to perform one of these actions after you’ve activated the corresponding feature in Hide My WP Ghost, they will see a message letting them know that the action they wanted to perform is not possible on your website.

For example, say you’ve activated the Disable Right-Click option using Hide My WP Ghost. If a site visitor will try to click right on one of your pages, they will see the following message by default: Right click is disabled!

But you can also choose to customize the message that appears (as shown in the image below).

  • The option to customize the message that appears is available for all options in the Disable Options section of Hide My WP Ghost.
  • If you do NOT want to display any message, simply leave the text field blank.

There is one more option you can activate in the Disable Options section of Hide My WP Ghost, namely: Disable DB Debug in Frontend.

Disable DB Debug in Frontend

It’s not safe to have Database Debug turned on in frontend. Make sure you don’t use Database debug on live websites.

To disable DB Debug, switch on Hide My WP > Tweaks > Disable Options > Disable DB Debug in Frontend

Website Security Check

Run a website security check and make sure that the WordPress Debug and Database Debug options are turned off in frontend.

To run a security check, go to Hide My WP > Security Check

Best Practices

  • We recommend activating ALL features from Hide My WP > Tweaks > Hide Options.
0 Comments

There are no comments yet

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.