
Customize Paths in Hide My WP Ghost

To go deeper into customizing the paths and better understand why you need all these customizations, let’s have a look at the most important features that will significantly increase your website’s security.

Change WordPress Admin Path

The most important path in WordPress is the wp-admin – and the only way to protect this path is by changing its name and hiding it from hacker bots.

To do this with Hide My WP Ghost, just change the name for the wp-admin with your custom name in Hide My WP > Change Paths > Admin Security.

Paths are NOT physically changed

Hide My WP Ghost will not physically change the paths on your server. It uses rewrite rules to prevent any functionality errors.


Hide “wp-admin” from Non-Admin Users

By default, the wp-admin path is visible to all logged-in users.

However, Hide My WP Ghost gives you the option to only show the wp-admin path for site administrators.

Switch on Hide My WP > Change Paths > Admin Security > Hide “wp-admin” from Non-Admin Users and logged-in site users will ONLY be able to access the wp-admin path if they are website administrators.

Enabling this option allows you to hide the /wp-admin path from users who don’t have the Administrator role.

Note! Having the wp-admin path visible when you’re logged in as an administrator will prevent your website from crashing if you deactivate the plugin or if another plugin uses the old admin path in the backend.

Change WordPress Login Path

WordPress wp-login, wp-login.php, and login paths are the first ones a hacker bot will access for Brute Force attacks. Changing these paths and hiding them is mandatory when you have a WordPress CMS.

To do this with Hide My WP Ghost, just change the name for the wp-login with your custom name in Hide My WP > Change Paths > Login Security.

Paths are not physically changed

Hide My WP Ghost will not physically change the paths on your server. It uses rewrite rules to prevent any functionality errors.


Note! Once you’ve customized the wp-login path, it’s important to make sure that other plugins have NOT also customized this path. Hide My WP Ghost automatically checks for this and if it identifies a different path for wp-login, you will see a notification letting you know there’s already a customization in place for the wp-login path.

However, be mindful of the fact that there may be situations when you’ve customized the wp-login path using Hide My WP Ghost and then installed a different plugin that also customizes this path. If that plugin doesn’t have a similar check in place, you can end up performing multiple customizations to the wp-login path which can lead to conflicts.

Hide wp-login.php and login paths

Once you customize the login path, you can hide the WordPress common login paths from visitors.

Select the redirect or the error message you want to return when someone accesses the common login paths.


Hide Language Switcher

If your website has multiple languages activated in Settings > General or if you use a multilingual plugin, you will get the option to select the language for the login page.

To disable this with Hide My WP Ghost, just activate the option Hide My WP > Change Paths > Login Security > Hide Language Switcher.


Change Author Path and Hide ID

Many hacker bots scrape for the author username by calling your website with the author ID. In return, they get the author username without even guessing it. The username will then be used to access the dashboard from your login form.

To change the author path, go to Hide My WP > Change Paths > User Security > Custom author Path and change the name.

Author Page redirect to Home Page

Some profile plugins and themes use the author path for user portfolios and custom profile pages, and don’t work if the author path is changed. In this case, just remove the custom author path and keep the default path instead.

To disable the author ID calls, simply switch on Hide Author URL in Hide My WP > Change Paths > User Security > Hide Author ID URL.


How does the option to Hide Author ID URL help you improve site security?

Whenever someone types in a URL like http://www.example.com/?author=1 on a WordPress site, they will be automatically redirected to: http://www.example.com/author/username/, where username is (by default) the login name of the author with an ID of 1 (commonly, this is the admin user).

Likewise, if someone were to type http://www.example.com/?author=2, he/she will be redirected to http://www.example.com/author/person2/ where person2 is the login name of the author with an ID of 2 (if such an account exists). And so on.

This is bad, security-wise, because it exposes your authors’ login information.

By enabling the Hide Author ID URL, URLs like domain.com/?author=1 won’t show the user login name.
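To see in your own access logs whether ?author=N requests are still being answered with a redirect, the following added example (not part of Hide My WP Ghost) groups such requests by client IP. The log lines are constructed, and the "combined" log format is an assumption about your server.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/Nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "bot"
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /author/admin/ HTTP/1.1" 200 5120 "-" "bot"
203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "bot"
203.0.113.7 - - [12/Mar/2024:10:01:04 +0000] "GET /?author=3 HTTP/1.1" 404 312 "-" "bot"
198.51.100.4 - - [12/Mar/2024:10:02:00 +0000] "GET /?author=1 HTTP/1.1" 404 312 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:10:03:00 +0000] "GET /blog/?page=2 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def author_id(target):
    """Return the numeric author ID if the request target carries ?author=N, else None."""
    values = parse_qs(urlsplit(target).query).get("author", [])
    if values and re.fullmatch(r"[0-9]+", values[0]):
        return int(values[0])
    return None


def audit_author_probes(log_text, min_ids=2):
    """Summarise ?author=N requests per client IP.

    leaked:   IDs answered with a 3xx redirect (the Location URL carries the login name).
    hidden:   IDs answered with any other status (no redirect, so no name disclosed).
    scanning: True when one client asked for at least `min_ids` distinct IDs.
    """
    per_ip = defaultdict(lambda: {"leaked": set(), "hidden": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected log format
        aid = author_id(m["target"])
        if aid is None:
            continue  # ordinary request, no author query
        bucket = "leaked" if m["status"].startswith("3") else "hidden"
        per_ip[m["ip"]][bucket].add(aid)

    report = {}
    for ip, seen in per_ip.items():
        report[ip] = {
            "leaked": sorted(seen["leaked"]),
            "hidden": sorted(seen["hidden"]),
            "scanning": len(seen["leaked"] | seen["hidden"]) >= min_ids,
        }
    return report


if __name__ == "__main__":
    for ip, row in audit_author_probes(SAMPLE_LOG).items():
        print(ip, row)
```

Any ID listed under "leaked" after the option is switched on means the redirect is still being served for that request.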

Change Lost Password Path

Change the lost-password path to prevent spam emails with the new password requests.

To change the lost-password path, go to Hide My WP > Change Paths > Login Security > Custom Lost Password Path and change the name.


Change Register Path

Change the register path to prevent spam emails with the new user requests.

To change the register path, go to Hide My WP > Change Paths > Login Security > Custom Register Path and change the name.


Change Logout Path

Changing the logout path is not mandatory. However, it is useful when you have a customized dashboard for customers. The custom logout path is also applied for WordPress plugins like WooCommerce in the account page.

To change the logout path, go to Hide My WP > Change Paths > Login Security > Custom Logout Path and change the name.


Change Activation Path

Changing the activation path on WordPress Multisite is useful when you add a new user to your sub-site and you don’t want the user to know that you have WordPress CMS.

To change the activation path, go to Hide My WP > Change Paths > Login Security > Custom Activation URL and change the name.


Change admin-ajax.php Path

All the ajax calls in the frontend are made by the default URL /wp-admin/admin-ajax.php. This URL is also used by hackers to upload viruses and scripts on your website.

To change the admin-ajax.php path, go to Hide My WP > Change Paths > Ajax Security > Custom admin-ajax Path and change the name.

To hide the wp-admin path from ajax calls, switch on Hide My WP > Change Paths > Ajax Security > Hide wp-admin from ajax URL.

Changing this URL is mandatory. Hiding the wp-admin from ajax calls is also a required action.

Theme compatibility check

Not all WP themes work with custom ajax path. Make sure the theme is working properly after you change this path.


Change Paths in Ajax Calls

Some plugins use Lazy Load options to load videos and images only when the user scrolls to that specific image. In this case, the images are usually called through Ajax, and you need to be sure that these images’ paths are also changed.

If some themes load CSS styles through Ajax, you may have CSS duplicates if the paths are not always the same.

To change the paths in Ajax calls, switch on Hide My WP > Change Paths > Ajax Security > Change Paths in Ajax Calls


Change wp-content Path

All the plugins and themes are added in the wp-content directory. Changing the wp-content and hiding it from the source-code is an important step in hiding the website from Theme detectors.

Once the wp-content is changed, you can choose to restrict the call to wp-content from here.

To change the wp-content path, go to Hide My WP > Change Paths > WP Core Security > Custom wp-content Path and change the name.


Change wp-includes Path

WordPress core scripts and styles are located in this directory. To hide your WordPress site from Theme detectors, you must customize its name and hide it from source-code in frontend.

To change the wp-includes path, go to Hide My WP > Change Paths > WP Core Security > Custom wp-includes URL and change the name.


Change wp-content/uploads Path

Since all the uploaded images are located in this directory by default, you need to change this path in order to hide your website from Theme detectors.

You can also protect the vulnerable script from uploads directory here.

To change the wp-content/uploads path, go to Hide My WP > Change Paths > WP Core Security > Custom uploads Path and change the name.


Change comment Path

To change the comment path, go to Hide My WP > Change Paths > WP Core Security > Custom comment Path and change the name.


Change Plugins Path

There are two layers of security in this feature. Hide My WP Ghost lets you change the path to all plugins, and automatically adds custom names to each active plugin. After wp-content/plugins path is changed, it’s important to restrict access to it from here.

To change the wp-content/plugins path, go to Hide My WP > Change Path > Plugins Security > Custom plugins Path and change the name.

Example: wp-content/plugins becomes wp-content/modules if you set it up like in the screenshot below.

To change all plugin names, switch on Hide My WP > Change Paths > Plugins Security > Hide plugin names.

When this option is enabled, Hide My WP Ghost will attribute random names to each active plugin in your site.

If you enable this option, you’ll also be able to choose whether to hide all the plugins (meaning: both plugins that are active AND plugins you’ve deactivated for your site).


Show Advanced Options

To manually customize each plugin name and overwrite the random name(s) given by Hide My WP Ghost, activate Show Advanced Options.

Note! This option will only show IF you’ve enabled: Hide Plugin Names. The customized plugin names you set up here will only overwrite the random names for the plugins you select. If you don’t attribute a custom name to a plugin, Hide My WP Ghost will continue to display the random name.

To attribute a custom name to a plugin:

  • select a plugin from the drop-down list

Hide My WP Ghost will automatically detect all active plugins you currently have installed on your site and display them in the drop-down list.

If you want Hide My WP Ghost to show both plugins that are active AND plugins you’ve deactivated for your site, make sure to enable: Hide All the Plugins.

For WordPress Multisite, Hide My WP Ghost will display all plugins, regardless of whether the Hide All the Plugins option is enabled or not.

  • write down the custom name in the dedicated field. As a best practice, we recommend that you don’t use the same words you’ve used for the Custom Plugins Path or any other custom path.

💡 You can set up this customization for as many plugins as you want, following the same process.

If you want to remove an item and disable a name customization you’ve set up for a certain plugin, simply click on the X symbol.


Hide WordPress Old Plugins Path

To hide the old /wp-content/plugins path once it’s changed with the new one, activate Hide My WP > Change Path > Plugins Security > Hide WordPress Old Plugins Path.


Change Themes Path

There are two layers of security in this feature. Hide My WP Ghost lets you change the path to all themes, and automatically adds custom names to each active theme. After wp-content/themes path is changed, it’s important to restrict access to it from here.

To change the wp-content/themes path, go to Hide My WP > Change Path > Themes Security > Custom themes Path and change the name.

To change all theme names, switch on Hide My WP > Change Path > Themes Security > Hide theme names.


When this option is enabled, Hide My WP Ghost will attribute a random name to each theme (works in WordPress Multisite).


Show Advanced Options

To manually customize each theme name and overwrite the random name(s) given by Hide My WP Ghost, activate Show Advanced Options.

Note! This option will only show IF you’ve enabled: Hide Theme Names. The customized theme names you set up here will only overwrite the random names for the theme(s) you select. If you don’t attribute a custom name to a theme, Hide My WP Ghost will continue to display the random name.

To attribute a custom name to a theme:

  • select a theme from the drop-down list. Hide My WP Ghost will automatically detect all themes (including deactivated themes) you have on your WordPress site in the drop-down list.
  • write down the custom name in the dedicated field. As a best practice, we recommend that you don’t use the same words you’ve used for the Custom Themes Path or any other custom path.

💡 You can set up this customization for as many themes as you want, following the same process. If you want to remove an item and disable a name customization you’ve set up for a certain theme, simply click on the X symbol.


Hide WordPress Old Themes Path

To hide the old /wp-content/themes path once it’s changed with the new one, activate Hide My WP > Change Path > Themes Security > Hide WordPress Old Themes Path.

Change REST API Path

WP 5 uses the REST API for many admin actions and even in the post editor, but WordPress works with any custom API path, not only with /wp-json.

By default, for both Safe Mode and Ghost Mode, Hide My WP Ghost will leave the default wp-json as the custom wp-json Path (the reason for this is that many plugins still use this default path to access the REST API’s index).

However, you can customize this.

Changing the /wp-json and hiding it from hackers is a big step in improving the security of the website.

To change the API path, go to Hide My WP > Change Paths > API Security > Custom wp-json Path and change the name.

REST API Path Update Delayed

Sometimes, WP needs some time to update the settings with the new API path.
To make sure WordPress is changing the API path with the custom one, save the settings in Settings > Change Paths > API Security.

To hide the REST API link tag from the website header, switch on Hide My WP > Change Paths > API Security > Hide REST API URL Link.

To disable REST API access, switch on Hide My WP > Change Paths > API Security > Disable REST API access.


Note! Even if the REST API is disabled, Hide My WP Ghost will only restrict site visitors from accessing the API – NOT logged users. This will prevent most of the errors that might appear in the admin area.


Disable XML-RPC access

The XML-RPC API that WordPress provides gives developers a way to write applications (for you) that can do many of the things that you can do when logged into WordPress via the web interface.

The xmlrpc.php path is also used for Brute Force attacks because WordPress does not limit login attempts on it.

Please read before activating this feature: Should You Disable XML-RPC on WordPress?

JetPack Plugin Compatibility: To hide the XML-RPC from hackers but to let Jetpack IPs access the website: add this code in .htaccess at the beginning of the file:

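# Access rules for xmlrpc.php (Apache 2.2-style directives; Apache 2.4 needs mod_access_compat)
<Files xmlrpc.php>
# Deny is evaluated first, then Allow: everything is blocked except the sources below
Order deny,allow
Deny from all
Allow from 127.0.0.1
# Partial domain names start with a dot; "*" is not a wildcard in Allow
Allow from .wordpress.com
Allow from 192.0.64.0/18
Allow from 185.64.140.0/22
Allow from 2a04:fa80::/29
Allow from 76.74.255.0/22
Allow from 192.0.65.0/22
Allow from 192.0.80.0/22
Allow from 192.0.96.0/22
Allow from 192.0.123.0/22
Satisfy All
ErrorDocument 404 /
</Files>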

Now, whenever someone tries to directly access xmlrpc.php, they’ll see the 403 Forbidden error.

To completely disable XML-RPC access, switch on Hide My WP > Change Paths > API Security > Disable XML-RPC access

Remote XML-RPC Access

XML-RPC is still used by remote services like Jetpack and Zapier.

Make sure there are no services on your website that use this function before you disable it.


Hide RSD (Really Simple Discovery) endpoint

Really Simple Discovery (RSD) is an XML format and a publishing convention for making services exposed by a blog, or other web software, discoverable by client software.

In our case, this header will expose the WordPress service on every website call.

Hiding the RSD header is mandatory when you want to hide the WordPress CMS from Theme Detectors.

This feature also:

  • removes the RSD META link from source code
  • removes the rsd_link header
  • removes the PHP info header

To activate this feature, switch on Hide My WP > Change Paths > API Security > Disable RSD (Really Simple Discovery) endpoint from XML-RPC
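After changing the paths and hiding the RSD and REST API links, you can check a saved copy of a front-end page for default WordPress markers that are still present. The following added example (not part of Hide My WP Ghost) does this for a constructed page in which "core", "modules" and "files" are hypothetical custom path names.

```python
from html.parser import HTMLParser

# Constructed page source; "core", "modules" and "files" stand in for custom path names.
SAMPLE_HTML = """\
<html><head>
<meta name="generator" content="WordPress 6.4.3">
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://example.com/xmlrpc.php?rsd">
<link rel="https://api.w.org/" href="https://example.com/wp-json/">
<link rel="stylesheet" href="https://example.com/core/modules/abc123/style.css">
<script src="https://example.com/wp-includes/js/jquery/jquery.min.js"></script>
</head><body>
<img src="https://example.com/core/files/2024/03/photo.jpg">
<script>var cfg = {"ajaxurl": "https:\\/\\/example.com\\/wp-admin\\/admin-ajax.php"};</script>
</body></html>
"""

# Default WordPress path names that the options on this page rename or hide.
DEFAULT_PATHS = ("wp-content", "wp-includes", "wp-admin", "wp-json", "xmlrpc.php")


class FingerprintAudit(HTMLParser):
    """Collect (marker, location) pairs for default WordPress markers in a page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def _scan(self, text, where):
        # Inline JSON escapes "/" as "\/", so undo that before matching.
        text = text.replace("\\/", "/").lower()
        for marker in DEFAULT_PATHS:
            if marker in text:
                self.findings.append((marker, where))

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "script":
            self._in_script = True
        if tag == "meta" and attrs.get("name", "").lower() == "generator":
            if "wordpress" in attrs.get("content", "").lower():
                self.findings.append(("generator", "meta[content]"))
        if tag == "link" and attrs.get("rel", "").lower() == "edituri":
            self.findings.append(("rsd", "link[href]"))
        for name, value in attrs.items():
            self._scan(value, f"{tag}[{name}]")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._scan(data, "inline script")


def audit_html(html):
    """Return the findings for one page, in document order."""
    parser = FingerprintAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


def leaked_markers(html):
    """Return the distinct markers still present, sorted."""
    return sorted({marker for marker, _ in audit_html(html)})
```

The inline-script case matters when Change Paths in Ajax Calls is off, because URLs embedded in JavaScript are not in any href or src attribute.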


Hide WordPress Common Paths

An important action in protecting your website from hacker attacks is hiding the WordPress common paths after the path names are changed.

Hide My WP Ghost will add a filter in the config file to show a 404 error when the user is not logged in to the website and tries to access the paths.

The main paths this option hides are: /wp-content, /wp-includes, /plugins, /themes. It will also hide upgrade.php and install.php for visitors.

To hide WordPress common paths, switch on Hide My WP > Change Paths > WP Core Security > Hide WordPress Common Paths.

Theme compatibility check

Not all the WP themes work if this option is activated. Make sure the website is working properly after you activate this option.


Hide WordPress Common Files

An important action in hiding your website from Theme detectors and protecting your website from hacker attacks is hiding the WordPress common files.

Hide My WP Ghost will add a filter in the config file to show a 404 error when the user is not logged in to the website and tries to access the files.

To hide WordPress common files, switch on Hide My WP > Change Paths > WP Core Security > Hide WordPress Common Files.

After activating the option, select the files you want to hide from hackers.

To significantly reduce the comments spam on your website, select the file wp-comments-post.php which will appear after you changed the comments path.

Once the files are selected, they will be hidden from visitors, hacker bots, and theme detectors.

Note! Hiding the file wp-comments-post.php will NOT stop the people who fill in the comment forms on your site and send you spam comments. To completely stop spam comments, we recommend also installing a dedicated Anti-Spam plugin which has a database of spam emails and messages. 


Add Security Headers for XSS and Code Injection Attacks

To add Security Headers, switch on Hide My WP > Change Paths > Firewall & Headers > Add Security Headers for XSS and Code Injection Attacks.

Setting Recommended Security HTTP Headers in OpenLiteSpeed:
https://amireslampanah.com/2020/09/setting-recommended-security-http-headers-in-openlitespeed/


By activating this option, Hide My WP Ghost will add the headers, through the config file and PHP, with the values required for the website to function properly and to be well protected.

By adding these security headers to your website, you’re adding another layer of security for different kinds of attacks like Cross-Site Scripting.

You can add all headers that are not already added by default by selecting them from the drop-down list shown in the screenshot below.


Once you’ve added the headers and clicked on Save, you can go ahead and test your website headers at securityheaders.com


Remove Unsafe Headers

You also have the option to activate: Remove Unsafe Headers.

This removes PHP version, Server info, Server Signature, WordPress related headers from the page header.
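To check the result of both options offline, the following added example (not part of Hide My WP Ghost) audits a saved response head for missing or weak security headers and for headers that disclose PHP, server or WordPress details. The response is constructed, and the set of headers treated as required is an assumption, since the plugin's drop-down list is not reproduced here.

```python
import re

# Constructed response head for illustration; not captured from a real site.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache/2.4.57 (Debian)
X-Powered-By: PHP/8.1.2
X-Pingback: https://example.com/xmlrpc.php
Link: <https://example.com/wp-json/>; rel="https://api.w.org/"
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=0
Content-Type: text/html; charset=UTF-8
"""


def parse_headers(raw):
    """Parse a raw response head into {lowercased-name: [values]}; headers may repeat."""
    headers = {}
    for line in raw.splitlines()[1:]:       # skip the status line
        if not line.strip():
            break                           # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def hsts_ok(value):
    """HSTS only protects when max-age is present and greater than zero."""
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    return bool(m) and int(m.group(1)) > 0


# Assumed baseline: header name -> validator for its value.
REQUIRED = {
    "strict-transport-security": hsts_ok,
    "content-security-policy": lambda v: bool(v),
    "x-content-type-options": lambda v: v.lower() == "nosniff",
}

# Headers that disclose the PHP version, server version or WordPress itself.
LEAKS = {
    "x-powered-by": lambda v: True,
    "server": lambda v: bool(re.search(r"\d", v)),   # a bare product name is tolerated
    "x-pingback": lambda v: True,
    "link": lambda v: "api.w.org" in v,
}


def audit_headers(raw):
    """Return {'missing': [...], 'weak': [...], 'leaks': [...]} for one response head."""
    headers = parse_headers(raw)
    result = {"missing": [], "weak": [], "leaks": []}
    for name, valid in REQUIRED.items():
        values = headers.get(name)
        if not values:
            result["missing"].append(name)
        elif not all(valid(v) for v in values):
            result["weak"].append(name)
    for name, is_leak in LEAKS.items():
        if any(is_leak(v) for v in headers.get(name, [])):
            result["leaks"].append(name)
    return result
```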


Firewall Against Script Injection

The most common way to hack a website is by accessing the domain and adding harmful queries in order to reveal information from files and database. These attacks are made on any website, WordPress or not, and if a call succeeds … it will probably be too late to save the website.

Hide My WP Ghost will add filters in the config file to block harmful params and queries, and therefore protect the website from these types of attacks.

Firewall Updates

The list of harmful queries is continuously updated in Hide My WP Ghost, so make sure you always have the latest version of the plugin installed on your site.

To activate the Firewall, switch on Hide My WP > Change Paths > Firewall & Headers > Firewall Against Script Injection.

After activating this option, you can select between 3 firewall options: Minimal, Medium and 7G Firewall.

7G Firewall is the most advanced firewall supported by Jeff Starr: https://perishablepress.com/7g-firewall/

The 7G Firewall offers lightweight, server-level protection against a wide range of malicious requests, bad bots, automated attacks, spam, and many other types of threats and nonsense.

Note! 7G Firewall may not work with all server configurations. Select minimal or medium protection for more compatibility.


Disable Directory Browsing

Don’t let hackers see the directory content when you don’t have an index file in that directory. For example, it’s easy to find vulnerable files if you see the list of files in wp-content/uploads.

To disable directory browsing on your server, switch on Hide My WP > Change Paths > WP Core Security > Disable Directory Browsing.

By disabling directory browsing, you’re not allowing hackers to see any directory content. See an example for a test site here (shows what potential hackers will see when accessing your content directory if the option: Disable Directory Browsing is active).