Customize Paths in Hide My WP Ghost
To go deeper into customizing the paths and better understand why you need all these customizations, let’s have a look at the most important features that will significantly increase your website’s security.
- Change WordPress Admin Path
- Change WordPress Login Path
- Hide Language Switcher
- Change Author Path and Hide ID
- Change Lost Password Path
- Change Register Path
- Change Logout Path
- Change Activation Path
- Change admin-ajax.php Path
- Change Paths in Ajax Calls
- Change wp-content Path
- Change wp-includes Path
- Change wp-content/uploads Path
- Change Comments Path
- Change Plugins Path
- Show Advanced Options
- Hide WordPress Old Plugins Path
- Change Themes Path
- Show Advanced Options
- Hide WordPress Old Themes Path
- Change REST API Path
- Disable XML-RPC access
- Hide RSD (Really Simple Discovery) endpoint
- Hide WordPress Common Paths
- Hide WordPress Common Files
- Add Security Headers for XSS and Code Injection Attacks
- Remove Unsafe Headers
- Block Theme Detectors
- Firewall Against Script Injection
- Disable Directory Browsing
Change WordPress Admin Path
The most important path in WordPress is the wp-admin – and the only way to protect this path is by changing its name and hiding it from hacker bots.
To do this with Hide My WP Ghost, just change the name for the wp-admin with your custom name in Hide My WP > Change Paths > Admin Security.
More Details: How to Change and Hide WP-Admin Path with Hide My WP Ghost Plugin
Change WordPress Login Path
WordPress wp-login, wp-login.php, login.php, and login paths are the first ones a hacker bot will access for Brute Force attacks. Changing and hiding these paths is mandatory when you have a WordPress CMS.
To do this with Hide My WP Ghost, just change the name for the wp-login with your custom name in Hide My WP > Change Paths > Login Security.
More details: How to Change WordPress Login Path with Hide My WP Ghost Plugin
Hide Language Switcher
If your website has multiple languages activated in Settings > General or if you use a multilingual plugin, you will get the option to select the language for the login page.
To disable this with Hide My WP Ghost, just activate the option Hide My WP > Change Paths > Login Security > Hide Language Switcher.
Change Author Path and Hide ID
Many hacker bots scrape for the author username by calling your website with the author ID. In return, they get the author username without even guessing it. The username will then be used to access the dashboard from your login form.
To change the author path, go to Hide My WP > Change Paths > User Security > Custom author Path and change the name.
To disable the author ID calls, simply switch on Hide Author URL in Hide My WP > Change Paths > User Security > Hide Author ID URL.
How does the option to Hide Author ID URL help you improve site security?
Whenever someone types in a URL like http://www.example.com/?author=1 on a WordPress site, they will be automatically redirected to: http://www.example.com/author/username/, where username is (by default) the login name of the author with an ID of 1 (commonly, this is the admin user).
Likewise, if someone were to type http://www.example.com/?author=2, he/she will be redirected to http://www.example.com/author/person2/ where person2 is the login name of the author with an ID of 2 (if such an account exists). And so on.
This is bad, security-wise, because it exposes your authors’ login information.
By enabling the Hide Author ID URL, URLs like domain.com/?author=1 won’t show the user login name.
More Details: How to Change Author Path and Hide ID with Hide My WP Ghost Plugin
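One way to verify the setting from recorded /?author=N responses, as an added example (not Hide My WP Ghost code). The sample responses are constructed; the 404 and home-page redirect shown for a protected site, and the custom author path "writer", are assumptions.

```python
from urllib.parse import urlsplit, unquote

REDIRECTS = {301, 302, 303, 307, 308}

def leaked_slug(status, location, author_bases=("author",)):
    """Return the author slug exposed by one /?author=N response, or None.

    author_bases: archive prefixes to recognise, i.e. the WordPress default
    plus any custom author path configured on the site.
    """
    if status not in REDIRECTS or not location:
        return None
    # Location may be absolute or relative; only its path matters.
    segments = [unquote(s) for s in urlsplit(location).path.split("/") if s]
    for i, segment in enumerate(segments[:-1]):
        if segment in author_bases:
            return segments[i + 1]
    return None

def audit_author_ids(responses, author_bases=("author",)):
    """responses maps author ID -> (status, Location); returns leaks only."""
    leaks = {}
    for author_id, (status, location) in sorted(responses.items()):
        slug = leaked_slug(status, location, author_bases)
        if slug is not None:
            leaks[author_id] = slug
    return leaks

# Constructed responses, not captured from a real site.
DEFAULT_SITE = {
    1: (301, "http://www.example.com/author/username/"),
    2: (301, "http://www.example.com/author/person2/"),
    3: (404, None),                        # no such account
}
PROTECTED_SITE = {                         # assumed behaviour with the option on
    1: (404, None),
    2: (302, "http://www.example.com/"),   # home page: no slug exposed
}
RENAMED_PATH_ONLY = {                      # hypothetical custom path "writer"
    1: (301, "/writer/username/"),
}

if __name__ == "__main__":
    print(audit_author_ids(DEFAULT_SITE))
    print(audit_author_ids(PROTECTED_SITE))
    print(audit_author_ids(RENAMED_PATH_ONLY, ("author", "writer")))
```

Pass the custom author path in author_bases when one is configured; otherwise a redirect to the renamed archive is not recognised as a leak.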
Change Lost Password Path
Change the lost-password path to prevent spam emails with the new password requests.
To change the lost-password path, go to Hide My WP > Change Paths > Login Security > Custom Lost Password Path and change the name.
More Details: How to Change Lost Password Path with Hide My WP Ghost Plugin
Change Register Path
Change the register path to prevent spam emails with the new user requests.
To change the register path, go to Hide My WP > Change Paths > Login Security > Custom Register Path and change the name.
More Details: How to Change Register Path for Enhanced WordPress Security with Hide My WP Ghost
Change Logout Path
Changing the logout path is not mandatory. However, it is useful when you have a customized dashboard for customers. The custom logout path is also applied for WordPress plugins like WooCommerce in the account page.
To change the logout path, go to Hide My WP > Change Paths > Login Security > Custom Logout Path and change the name.
More Details: How to Change WordPress Logout Path for Enhanced Security with Hide My WP
Change Activation Path
Changing the activation path on WordPress Multisite is useful when you add a new user to your sub-site and you don’t want the user to know that you have WordPress CMS.
To change the activation path, go to Hide My WP > Change Paths > Login Security > Custom Activation URL and change the name.
More Details: How to Change Activation Path with Hide My WP Ghost Plugin
Change admin-ajax.php Path
All the ajax calls in the frontend are made by the default URL /wp-admin/admin-ajax.php. This URL is also used by hackers to upload viruses and scripts on your website.
To change the admin-ajax.php path, go to Hide My WP > Change Paths > Ajax Security > Custom admin-ajax Path and change the name.
To hide the wp-admin path from ajax calls, switch on Hide My WP > Change Paths > Ajax Security > Hide wp-admin from ajax URL.
Changing this URL is mandatory. Hiding the wp-admin from ajax calls is also a required action.
More Details: How to Change WordPress admin-ajax.php Path with Hide My WP Ghost Plugin
Change Paths in Ajax Calls
Some plugins use Lazy Load options to load videos and images only when the user scrolls to that specific image. In this case, the images are usually called through Ajax, and you need to be sure that these images’ paths are also changed.
If some themes load CSS styles through Ajax, you may have CSS duplicates if the paths are not always the same.
To change the paths in Ajax calls, switch on Hide My WP > Change Paths > Ajax Security > Change Paths in Ajax Calls.
Change wp-content Path
All the plugins and themes are added in the wp-content directory. Changing the wp-content and hiding it from the source-code is an important step in hiding the website from Theme detectors.
Once the wp-content is changed, you can choose to restrict the call to wp-content from here.
To change the wp-content path, go to Hide My WP > Change Paths > WP Core Security > Custom wp-content Path and change the name.
Change wp-includes Path
WordPress core scripts and styles are located in this directory. To hide your WordPress site from Theme detectors, you must customize its name and hide it from source-code in frontend.
To change the wp-includes path, go to Hide My WP > Change Paths > WP Core Security > Custom wp-includes URL and change the name.
Change wp-content/uploads Path
Since all the uploaded images are located in this directory by default, you need to change this path in order to hide your website from Theme detectors.
You can also protect vulnerable scripts in the uploads directory from here.
To change the wp-content/uploads path, go to Hide My WP > Change Paths > WP Core Security > Custom uploads Path and change the name.
Change Comments Path
To change the comment path, go to Hide My WP > Change Paths > WP Core Security > Custom comment Path and change the name.
Change Plugins Path
There are two layers of security in this feature. Hide My WP Ghost lets you change the path to all plugins, and automatically adds custom names to each active plugin. After wp-content/plugins path is changed, it’s important to restrict access to it from here.
To change the wp-content/plugins path, go to Hide My WP > Change Path > Plugins Security > Custom plugins Path and change the name.
Example: wp-content/plugins becomes wp-content/modules if you set it up like in the screenshot below.
To change all plugin names, switch on Hide My WP > Change Paths > Plugins Security > Hide plugin names.
When this option is enabled, Hide My WP Ghost will attribute random names to each active plugin in your site.
If you enable this option, you’ll also be able to choose whether to hide all the plugins (meaning: both plugins that are active AND plugins you’ve deactivated for your site).
Show Advanced Options
To manually customize each plugin name and overwrite the random name(s) given by Hide My WP Ghost, activate Show Advanced Options.
Note! This option will only show IF you’ve enabled: Hide Plugin Names. The customized plugin names you set up here will only overwrite the random names for the plugins you select. If you don’t attribute a custom name to a plugin, Hide My WP Ghost will continue to display the random name.
To attribute a custom name to a plugin:
- select a plugin from the drop-down list
Hide My WP Ghost will automatically detect all active plugins you currently have installed on your site and display them in the drop-down list.
If you want Hide My WP Ghost to show both plugins that are active AND plugins you’ve deactivated for your site, make sure to enable: Hide All the Plugins.
For WordPress Multisite, Hide My WP Ghost will display all plugins, regardless of whether the Hide All the Plugins option is enabled or not.
- write down the custom name in the dedicated field. As a best practice, we recommend that you don’t use the same words you’ve used for the Custom Plugins Path or any other custom path.
💡 You can set up this customization for as many plugins as you want, following the same process.
If you want to remove an item and disable a name customization you’ve set up for a certain plugin, simply click on the X symbol.
Hide WordPress Old Plugins Path
To hide the old /wp-content/plugins path once it’s changed with the new one, activate Hide My WP > Change Path > Plugins Security > Hide WordPress Old Plugins Path.
Change Themes Path
There are two layers of security in this feature. Hide My WP Ghost lets you change the path to all themes, and automatically adds custom names to each active theme. After wp-content/themes path is changed, it’s important to restrict access to it from here.
To change the wp-content/themes path, go to Hide My WP > Change Path > Themes Security > Custom themes Path and change the name.
To change all theme names, switch on Hide My WP > Change Path > Themes Security > Hide theme names.
When this option is enabled, Hide My WP Ghost will attribute a random name to each theme (works in WordPress Multisite).
Show Advanced Options
To manually customize each theme name and overwrite the random name(s) given by Hide My WP Ghost, activate Show Advanced Options.
Note! This option will only show IF you’ve enabled: Hide Theme Names. The customized theme names you set up here will only overwrite the random names for the theme(s) you select. If you don’t attribute a custom name to a theme, Hide My WP Ghost will continue to display the random name.
To attribute a custom name to a theme:
- select a theme from the drop-down list. Hide My WP Ghost will automatically detect all themes (including deactivated themes) you have on your WordPress site in the drop-down list.
- write down the custom name in the dedicated field. As a best practice, we recommend that you don’t use the same words you’ve used for the Custom Themes Path or any other custom path.
💡 You can set up this customization for as many themes as you want, following the same process. If you want to remove an item and disable a name customization you’ve set up for a certain theme, simply click on the X symbol.
Hide WordPress Old Themes Path
To hide the old /wp-content/themes path once it’s changed with the new one, activate Hide My WP > Change Path > Themes Security > Hide WordPress Old Themes Path.
Change REST API Path
The REST API has recently been used by WP 5 for many admin actions and even in the post editor, but WordPress works with any custom API path, not only with /wp-json.
By default, for both Safe Mode and Ghost Mode, Hide My WP Ghost will leave the default wp-json as the custom wp-json Path (the reason for this is that many plugins still use this default path to access the REST API’s index).
However, you can customize this.
Changing the /wp-json and hiding it from hackers is a big step in improving the security of the website.
To change the API path, go to Hide My WP > Change Paths > API Security > Custom wp-json Path and change the name.
To hide the REST API link tag from the website header, switch on Hide My WP > Change Paths > API Security > Hide REST API URL Link.
To disable REST API access, switch on Hide My WP > Change Paths > API Security > Disable REST API access.
Note! Even if the REST API is disabled, Hide My WP Ghost will only restrict site visitors from accessing the API – NOT logged users. This will prevent most of the errors that might appear in the admin area.
Disable XML-RPC access
The XML-RPC API that WordPress provides gives developers a way to write applications (for you) that can do many of the things that you can do when logged into WordPress via the web interface.
The xmlrpc.php path is also used for Brute Force attacks because WordPress does not protect it with a limit on login attempts.
Please read before activating this feature: Should You Disable XML-RPC on WordPress?
Jetpack Plugin Compatibility: To hide XML-RPC from hackers but still let Jetpack IPs access the website, add this code at the beginning of the .htaccess file. The Order, Deny, Allow and Satisfy directives are Apache 2.2 access-control syntax; on Apache 2.4 they require mod_access_compat.
<Files xmlrpc.php>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from *.wordpress.com
    Allow from 192.0.64.0/18
    Allow from 185.64.140.0/22
    Allow from 2a04:fa80::/29
    Allow from 76.74.255.0/22
    Allow from 192.0.65.0/22
    Allow from 192.0.80.0/22
    Allow from 192.0.96.0/22
    Allow from 192.0.123.0/22
    Satisfy All
    ErrorDocument 404 /
</Files>
Now, whenever someone tries to directly access xmlrpc.php, they’ll see the 403 Forbidden error.
To completely disable XML-RPC access, switch on Hide My WP > Change Paths > API Security > Disable XML-RPC access.
Hide RSD (Really Simple Discovery) endpoint
Really Simple Discovery (RSD) is an XML format and a publishing convention for making services exposed by a blog, or other web software, discoverable by client software.
In our case, this header will expose the WordPress service on every website call.
Hiding the RSD header is mandatory when you want to hide the WordPress CMS from Theme Detectors.
This feature also:
- removes the RSD META link from source code
- removes the rsd_link header
- removes the PHP info header
To activate this feature, switch on Hide My WP > Change Paths > API Security > Disable RSD (Really Simple Discovery) endpoint from XML-RPC.
Hide WordPress Common Paths
An important action in protecting your website from hacker attacks is hiding the WordPress common paths after the path names are changed.
Hide My WP Ghost will add a filter in the config file to show a 404 error when a user who is not logged in to the website tries to access the paths.
The main paths this option hides are: /wp-content, /wp-includes, /plugins, /themes. It will also hide upgrade.php and install.php for visitors.
To hide WordPress common paths, switch on Hide My WP > Change Paths > WP Core Security > Hide WordPress Common Paths.
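A check for default paths that are still visible in the page source after the path changes described in the sections above (wp-content, wp-includes, admin-ajax.php, wp-json, RSD), as an added example that is not part of the plugin. Both page sources are constructed, and the custom path names in HIDDEN_PAGE are hypothetical.

```python
import re
from html.parser import HTMLParser

# Default WordPress markers named in the path sections of this page.
MARKERS = {
    "wp-content": re.compile(r"/wp-content/"),
    "wp-includes": re.compile(r"/wp-includes/"),
    "admin-ajax": re.compile(r"/wp-admin/admin-ajax\.php"),
    "wp-json": re.compile(r"/wp-json\b"),
    "rsd": re.compile(r"xmlrpc\.php\?rsd"),
}
URL_ATTRS = {"href", "src", "srcset", "action", "content"}

class _SourceScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = {}

    def _check(self, text, where):
        for name, pattern in MARKERS.items():
            if pattern.search(text):
                self.hits.setdefault(name, []).append(where)

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if value and attr in URL_ATTRS:
                self._check(value, "<%s %s>" % (tag, attr))

    def handle_data(self, data):
        # Inline JSON usually escapes slashes: "\/wp-admin\/admin-ajax.php".
        self._check(data.replace("\\/", "/"), "inline text")

def scan_source(html):
    """Return {marker: [locations]} for default paths still in the markup."""
    parser = _SourceScan()
    parser.feed(html)
    parser.close()
    return parser.hits

# Constructed page sources, not taken from a real site.
DEFAULT_PAGE = r"""<html><head>
<link rel="EditURI" href="https://www.example.com/xmlrpc.php?rsd" />
<link rel="https://api.w.org/" href="https://www.example.com/wp-json/" />
<link rel="stylesheet" href="https://www.example.com/wp-content/themes/sample/style.css" />
<script src="https://www.example.com/wp-includes/js/jquery/jquery.min.js"></script>
<script>var cfg = {"ajaxurl":"https:\/\/www.example.com\/wp-admin\/admin-ajax.php"};</script>
</head><body><img src="https://www.example.com/wp-content/uploads/2024/01/a.png"></body></html>"""
HIDDEN_PAGE = r"""<html><head>
<link rel="stylesheet" href="https://www.example.com/core/views/abc/style.css" />
<script src="https://www.example.com/lib/js/jquery/jquery.min.js"></script>
<script>var cfg = {"ajaxurl":"https:\/\/www.example.com\/ajax-call"};</script>
</head><body><img src="https://www.example.com/storage/2024/01/a.png"></body></html>"""

if __name__ == "__main__":
    print(sorted(scan_source(DEFAULT_PAGE)), scan_source(HIDDEN_PAGE))
```

An empty result means none of the default markers remain in the markup that was scanned; pages rendered by other plugins or templates need their own pass.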
Hide WordPress Common Files
An important action in hiding your website from Theme detectors and protecting your website from hacker attacks is hiding the WordPress common files.
Hide My WP Ghost will add a filter in the config file to show a 404 error when a user who is not logged in to the website tries to access the files.
To hide WordPress common files, switch on Hide My WP > Change Paths > WP Core Security > Hide WordPress Common Files.
After activating the option, select the files you want to hide from hackers.
To significantly reduce the comments spam on your website, select the file wp-comments-post.php which will appear after you changed the comments path.
Once the files are selected, they will be hidden from visitors, hackers bots, and theme detectors.
Note! Hiding the file wp-comments-post.php will NOT stop the people who fill in the comment forms on your site and send you spam comments. To completely stop spam comments, we recommend also installing a dedicated Anti-Spam plugin which has a database of spam emails and messages.
Add Security Headers for XSS and Code Injection Attacks
To add Security Headers, switch on Hide My WP > Change Paths > Firewall & Headers > Add Security Headers for XSS and Code Injection Attacks.
Setting Recommended Security HTTP Headers in OpenLiteSpeed:
https://amireslampanah.com/2020/09/setting-recommended-security-http-headers-in-openlitespeed/
When this option is activated, Hide My WP Ghost adds the headers through the config file and PHP, with the values required for the website to function properly and to be well protected.
By adding these security headers to your website, you’re adding another layer of security for different kinds of attacks like Cross-Site Scripting.
- Add Strict-Transport-Security header
- Add Content-Security-Policy header
- Add X-Frame-Options header
- Add X-XSS-Protection header
- Add X-Content-Type-Options header
- Add Cross-Origin-Embedder-Policy header
- Add Cross-Origin-Opener-Policy header
You can add all headers that are not already added by default by selecting them from the drop-down list shown in the screenshot below.
Once you’ve added the headers and clicked on Save, you can go ahead and test your website headers at securityheaders.com
Remove Unsafe Headers
You also have the option to activate: Remove Unsafe Headers.
This removes PHP version, Server info, Server Signature, WordPress related headers from the page header.
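An offline audit of a saved response head against the header list above and the Remove Unsafe Headers option, as an added example that is not the plugin's code. The mapping of "PHP version, Server info, WordPress related headers" to X-Powered-By, Server, X-Pingback and the api.w.org Link header is an assumption, and both sample heads are constructed.

```python
import re

# The seven response headers listed in this section.
EXPECTED = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-XSS-Protection",
    "X-Content-Type-Options",
    "Cross-Origin-Embedder-Policy",
    "Cross-Origin-Opener-Policy",
)

def parse_headers(raw):
    """Parse a raw response head into {lowercased name: [values]}."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line:              # status line or blank line
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit_headers(raw):
    """Return (missing security headers, headers that disclose the stack)."""
    h = parse_headers(raw)
    missing = [name for name in EXPECTED if name.lower() not in h]
    disclosing = []
    # Assumed header names; the plugin's own removal list is not on the page.
    if "x-powered-by" in h:
        disclosing.append("X-Powered-By")
    if any(re.search(r"/\d", v) for v in h.get("server", [])):
        disclosing.append("Server")      # only when it carries a version
    if "x-pingback" in h:
        disclosing.append("X-Pingback")
    if any("api.w.org" in v for v in h.get("link", [])):
        disclosing.append("Link")
    return missing, disclosing

# Constructed response heads, not captured from a real site.
DEFAULT_HEAD = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
X-Pingback: https://www.example.com/xmlrpc.php
Link: <https://www.example.com/wp-json/>; rel="https://api.w.org/"
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
"""
HARDENED_HEAD = """HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: object-src 'none'
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Cross-Origin-Embedder-Policy: unsafe-none
Cross-Origin-Opener-Policy: same-origin
"""

if __name__ == "__main__":
    print(audit_headers(DEFAULT_HEAD), audit_headers(HARDENED_HEAD))
```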
Block Theme Detectors
To ensure that theme detectors can’t access the website anymore, switch on Hide My WP > Change Paths > Firewall & Headers > Block Theme Detectors Crawlers.
This option will block the detectors by IPs and User-Agent names.
Firewall Against Script Injection
The most common way to hack a website is by accessing the domain and adding harmful queries in order to reveal information from files and database. These attacks are made on any website, WordPress or not, and if a call succeeds … it will probably be too late to save the website.
Hide My WP Ghost will add filters in the config file to block harmful params and queries, and therefore protect the website from these types of attacks.
To activate the Firewall, switch on Hide My WP > Change Paths > Firewall & Headers > Firewall Against Script Injection.
After activating this option, you can select between 4 firewall options: Minimal, Medium, 7G Firewall and 8G Firewall. On Apache servers, you can choose to place the firewall rules in the .htaccess file or to load the firewall during the WordPress initialization process.
8G Firewall is the most advanced firewall supported by Jeff Starr: 8G Firewall | Perishable Press
The 8G Firewall is an advanced security layer designed to defend your WordPress site against a wide range of threats. Developed by security expert Jeff Starr, this firewall provides lightweight, server-level protection without compromising performance. Read more about 8G Firewall
Note! 7G & 8G Firewalls may not work with all server configurations. Select minimal or medium protection for more compatibility.
Disable Directory Browsing
Don’t let hackers see the directory content when you don’t have an index file in that directory. For example, it’s easy to find vulnerable files if you see the list of files in wp-content/uploads.
To disable directory browsing on your server, switch on Hide My WP > Change Paths > WP Core Security > Disable Directory Browsing.
By disabling directory browsing, you’re not allowing hackers to see any directory content. See an example for a test site here (shows what potential hackers will see when accessing your content directory if the option: Disable Directory Browsing is active).