Customize Paths in Hide My WP Ghost

change wordpress admin path

To go deeper into customizing the paths and to understand why you need all these customizations, let us look into the most important features which will increase your website security significantly.

Change WordPress Admin Path

The most important path in WordPress is the wp-admin and the only way to protect this path is by changing its name and hiding it from hacker bots.

To do this with Hide My WP Ghost, just change the name for the wp-admin with your custom name in Hide My WP > Change Paths > Admin Security.

Paths are not physically changed

Hide My WP Ghost will not physically change the paths on your server. It uses rewrite rules to prevent any functionality errors.


Change WordPress Login Path

WordPress wp-login, wp-login.php, and login paths are the first ones a hacker bot will access for Brute Force attacks. Changing these paths and hiding them is mandatory when you have a WordPress CMS.

To do this with Hide My WP Ghost, just change the name for the wp-login with your custom name in Hide My WP > Change Paths > Login Security .

Paths are not physically changed

Hide My WP Ghost will not physically change the paths on your server. It uses rewrite rules to prevent any functionality errors.


Change Author Path and Hide ID

Many hacker bots are scrapping for the author username by calling your website with the author ID. In return, they will get the author username without even guessing it. The username will use to access the dashboard from your login form.

To change the author path, go to Hide My WP > Change Paths > User Security > Custom author Path and change the name.

Author Page redirect to Home Page

Some profile plugins and themes are using the author path for user portfolio and custom profile page and don’t work if the author path is changed. In this case, just remove the custom author path and let the default path instead.

To disable the author ID calls, simply switch on Hide Author URL in Hide My WP > Change Paths > User Security > Hide Author ID URL


Change Lost Password Path

Change the lost-password path to prevent spam emails with the new password requests.

To change the lost-password path, go to Hide My WP > Change Paths > Login Security > Custom Lost Password Path and change the name.


Change Register Path

Change the register path to prevent spam emails with the new user requests.

To change the register path, go to Hide My WP > Change Paths > Login Security > Custom Register Path and change the name.


Change Logout Path

Changing the logout path is not mandatory but is useful when you have a customized dashboard for customers. The custom logout path is applied also for the WordPress plugins like Woocommerce in the account page.

To change the logout path, go to Hide My WP >

To change the register path, go to Hide My WP > Change Paths > Login Security > Custom Logout Path and change the name.

and change the name.


Change Activation Path

Changing the activation path on WordPress Multisite useful when you add a new user to your subsite and you don’t want the user to know that you have WordPress CMS.

To change the activationpath, go to Hide My WP > Permalinks > Custom Activation URL and change the name.


Change admin-ajax.php Path

All the ajax calls in the frontend are made by the default URL /wp-admin/admin-ajax.php. This URL is also used by hackers to upload viruses and scrips on your website.

To change the admin-ajax.php path, go to Hide My WP > Change Paths > Ajax Security > Custom admin-ajax Path and change the name.

To hide the wp-admin path from ajax calls, switch on Hide My WP > Change Paths > Ajax Security > Hide wp-admin from ajax URL .

Changing this URL is mandatory and hiding the wp-admin from ajax calls is also a required action.

Theme compatibility check

Not all the WP themes are working with custom ajax path. Make sure the theme is working properly after you change this path.


Change Paths in Ajax Calls

Some plugins use Lazy Load options to load videos and images only when the user scrolls to that specific image. In this case, the images are usually called through Ajax, and you need to be sure that these images’ paths are also changed.

If some themes load CSS styles through Ajax, you may have CSS duplicates if the paths are not always the same.

To change the paths in Ajax calls, switch on Hide My WP > Change Paths > Ajax Security > Change Paths in Ajax Calls


Change wp-content Path

All the plugins and themes are added in the wp-content directory. Changing the wp-content and hiding it from source-code it’s an important step in hiding the website from Theme detectors.

Once it’s changed, you can choose to restrict the call to wp-content from here

To change the wp-content path, go to Hide My WP > > Change Paths >WP Core Security > Custom wp-content Path and change the name.


Change wp-includes Path

WordPress core scripts and styles are located in this directory. To hide your WordPress site from Theme detectors you must customize its name and hide it from source-code in frontend.

To change the wp-includes path, go to Hide My WP > Change Paths >WP Core Security > Custom wp-includes URL and change the name.


Change wp-content/uploads Path

Because all the uploaded images are located in this directory by default, you need to change this path in order to hide your website from Theme detectors.

You can also protect the vulnerable script from uploads directory here

To change the wp-content/uploads path, go to Hide My WP > Change Paths >WP Core Security > Custom uploads Path and change the name.


Change comments Path

To change the comment path, go to Hide My WP > Change Paths >WP Core Security > Custom comment Path and change the name.


Change Plugins Path

There are two layers of security in this feature. Hide My WP Ghost lets you change the path to all plugins and it will automatically add custom names to each active plugin. After wp-content/plugins path is changed, it’s important to restrict access to it from here.

To change the wp-content/plugins path, go to Hide My WP > Change Path > Plugin Security > Custom plugins Path and change the name.

To change all the plugins name, switch on Hide My WP > Change Path> Plugin Security > Hide plugins name.


Change Themes Path

There are two layers of security in this feature. Hide My WP Ghost lets you change the path to all themes and it will automatically add custom names to each active theme. After wp-content/themes path is changed, it’s important to restrict access to it from here.

To change the wp-content/themes path, go to Hide My WP > Change Path > Themes Security > Custom themes Path and change the name.

To change all the themes name, switch on Hide My WP > Change Path > Themes Security > Hide themes names.


Change REST API Path

REST API is recently used by WP 5 for many admin actions and even in post editor but WordPress works with any custom API path and not only with /wp-json.

Changing the /wp-json and hiding it from hackers it’s a big step in improving the security of the website.

Even if the REST API is disabled, Hide My WP Ghost will only block the visitors from accessing the API and not the logged users. This way will prevent most of the errors that might appear in the admin area.

To change the API path, go to Hide My WP > Change Paths > API Security > Custom wp-json Path and change the name.

REST API Path Update Delayed

Sometimes WP needs some time to update the settings with the new API path.
To make sure WordPress is changing the API path with the custom one, save the settings in Settings > Change Paths > API Security.

To hide Rest API paths, switch on Hide My WP > Change Paths > API Security > Disable Rest API access.


Hide WordPress Common Paths

An important action in protecting your website from hacker attacks is by hiding the WordPress common paths after the path names are changed.

Hide My WP Ghost will add a filter in the config file to show 404 error when the user is not logged on website and access the paths.

The main paths this option hides are: /wp-content, /wp-include, /plugins, /themes. If will also hide upgrade.php and install.php for visitors.

To hide WordPress common paths, switch on Hide My WP > Change Paths > WP Core Security > Hide WordPress Common Paths.

Theme compatibility check

Not all the WP themes are working if this option is on. Make sure the website is working properly after you activate this option.


Hide WordPress Common Files

An important action in hiding your website from Theme detectors and protecting your website from hacker attacks is hiding the WordPress common files.

Hide My WP Ghost will add a filter in the config file to show 404 error when the user is not logged on website and access the files.

The hidden files are wp-config.php, readme.html, license.txt, etc.

To hide WordPress common files, switch on Hide My WP > Change Paths > WP Core Security > Hide WordPress Common Files.


Add Security Headers for XSS and Code Injection Attacks

Add security headers to your website and add a layer of security for different kind of attacks like Cross-Site Scripting.

By activating this option, Hide My WP Ghost will add through the config file and PHP the headers with the required values for good functionality of the website and also for good protection.

To add Security Headers, switch on Hide My WP > Change Paths > Firewall & Headers > Add Security Headers for XSS and Code Injection Attacks.


Firewall Against Script Injection

The most common way to hack a website is by accessing the domain and adding harmful queries in order to reveal information from files and database. These attacks are made on any website, WordPress or not, and if a call succeeds … it will be probably too late to save the website.

Hide My WP Ghost will add a filter in the config file to block harmful params and queries and to protect the website from these types of attacks.

Firewall Updates

The harmful list queries is continuously updated in Hide My WP Ghost so make sure you have the plugin always up to date.

To activate the Firewall, switch on Hide My WP > Change Paths > Firewall & Headers > Firewall Against Script Injection.


Disable Directory Browsing

Don’t let hackers see the directory content when you don’t have an index file in that directory. For example, it’s easy to find vulnerable files if you see the list of files in wp-content/uploads.

To disable the directory browsing on your server, switch on Hide My WP > Change Paths > WP Core Security > Disable Directory Browsing .