Skip to contentSkip to main navigation Skip to footer

Firewall & Geo Security

Hide My WP Ghost enhances your website’s defense by incorporating filters within the configuration file, blocking harmful parameters and queries. This protection mechanism helps shield your site from such script injection attacks.

Firewall Updates

The harmful query list in Hide My WP Ghost is continuously updated. To ensure optimal protection, always maintain the latest version of the plugin on your site.


One of the most prevalent methods hackers employ to breach websites is by accessing the domain and injecting malicious queries, aiming to extract sensitive data from files and databases. These attacks target not only WordPress sites but any website. A successful attack can make it too late to save the website.

8g firewall

To activate the firewall feature:

  1. Go to Hide My WP > Overview or Hide My WP > Firewall.
  2. Switch on the Firewall Against Script Injection option.

After activating this option, you can select between 4 firewall options: 

  • Minimal (most compatible)
  • Medium (added in 2018)
  • 7G Firewall (added in 2020)
  • 8G Firewall (added in 2024)

On Apache servers, you can place the firewall rules in htaccess file or load the firewall on the WordPress Initialization process.

8G Firewall

The 8G Firewall is the most advanced and modern option, supported by security expert Jeff Starr. This firewall layer offers the following:

– Comprehensive protection against a wide array of threats.

– Lightweight, server-level security without impacting performance.

Learn more about the 8G Firewall

Note: The 7G and 8G Firewall options may not be compatible with all server configurations. For broader compatibility, consider selecting minimal or medium protection levels.

With Hide My WP Ghost’s firewall feature, your website is better safeguarded against script injection attacks, ensuring a more secure online presence.

Remove Unsafe Headers

Moreover, you have an option to remove potentially unsafe headers:

  1. Go to Hide My WP > Firewall > Header Security.
  2. Switch on the Remove Unsafe Headers option.

This feature removes unsafe information such as:

  • PHP version
  • Server info
  • Server Signature
  • WordPress-related headers

By configuring these settings with Hide My WP Ghost, you ensure an additional layer of security to protect your website from various vulnerabilities and attacks.

Block Theme Detectors

To prevent theme detectors from accessing your website, follow these steps:

  1. Go to Hide My WP > Firewall > Header Security.
  2. Switch on the Block Theme Detectors Crawlers option.

This feature blocks known user agents and IP addresses associated with popular theme detectors, keeping your website’s privacy and security by making it harder for these detectors to access theme-related information.

Security Headers

To add an extra layer of security against XSS and code injection attacks, you can easily add security headers using Hide My WP Ghost.

To activate this feature:

  1. Go to Hide My WP > Overview or Hide My WP > Firewall > Header Security.
  2. Switch on the Add Security Headers for XSS and Code Injection Attacks option.

Setting Recommended Security HTTP Headers in OpenLiteSpeed:

This image has an empty alt attribute; its file name is add_security_headers.png

When activated, Hide My WP Ghost implements essential headers through the configuration file and PHP, providing both functionality and enhanced security. This adds an extra defense layer against various attack types, such as Cross-Site Scripting (XSS).

Here are the security headers you can add:

You can add all headers that are not already added by default by selecting them from the drop-down list shown in the screenshot below.

After adding the desired headers and saving your changes, you can test your website’s headers at for confirmation.

Geo Security

Geo security involves the use of geographical data to manage and control access to your website. By identifying the geographic location of incoming traffic, administrators can make informed decisions about which countries to allow or block. This level of control is particularly valuable for websites that are targeted by cyber threats originating from specific regions.

geo country blocking

Cyber-attacks often originate from specific countries known for high levels of malicious activity. By blocking traffic from these regions, you can significantly reduce the risk of attacks such as brute-force attempts, DDoS attacks, and other malicious activities. Geo security acts as a first line of defense, preventing potential attackers from even reaching your site.

Country Blocking

The country blocking feature allows you to restrict access to your website from specific countries. This can be especially useful for increasing your site’s security by preventing malicious activities from certain geographic locations.

To activate this feature:

  1. Go to Hide My WP > Overview or Hide My WP > Firewall > Geo Security.
  2. Switch on the Country Blocking option.

Hide My WP Ghost uses a geolocation database to identify the country of an IP address. Although the accuracy is over 99%, occasional inaccuracies may occur due to changes in IP addresses.

Issues when using server cache

When using a caching plugin or external page cache such as Varnish, cached pages might be served to visitors without reaching the Hide My WP Ghost plugin filter. If blocking a country is crucial, consider disabling such caches to ensure efficient country blocking.

Block specific countries

  • Navigate to the Blocked Countries section within Hide My WP > Firewall > Geo Security.
  • Search and select the countries you want to block.

Minimize Blocked Countries: Only block countries that pose a threat, such as those frequently generating failed logins, numerous 404 errors, or engaging in other malicious activities.

Re-evaluate Periodically: Regularly review and update your country blocks to ensure optimal security without unnecessarily restricting legitimate access.

Block specific paths

Blocking access to specific paths like /login or /my-account can effectively prevent brute-force login attacks from specific countries.

Note! By leaving this field blank, Hide My WP Ghost will block access from all countries.


Hide My WP Ghost offers comprehensive whitelisting options, allowing you to customize access and visibility based on specific IP addresses and paths.

Here’s what you can do:

Whitelist IP Addresses: Add individual IP addresses or IP ranges to ensure they are never blocked.

Whitelist Paths: Specify particular website paths that should always be accessible.

Whitelisting Level

  • Allow Hidden Paths: Display only the hidden paths in the source code for whitelisted IP addresses.
  • Show Default WordPress Paths & Allow Hidden Paths: Display both hidden paths and default WordPress paths in the source code for whitelisted IP addresses.
  • Allow Everything: Grant full access with default paths, without security checks, without keys and mouse restrictions, and without hidden paths for the specified IP addresses.

Whitelist IP Addresses

If you want to ensure that specific IP addresses, such as your own or those of your team members, are never blocked even after multiple failed login attempts, you can add these IPs to the whitelist. This can prevent accidental lockouts and ensure smoother access for trusted users.

You can enter an IP address range like 192.168.0.*, 192.168.*.* or even 192.*.*.* if you want to whitelist an entire IP class.

whitelist ip addresses

Whitelist Paths

The Whitelist Paths feature in Hide My WP Ghost is a powerful tool that allows website administrators to specify certain root paths and subpaths that can be accessed.

whitelist paths

For example, by setting the path /cart/ as a whitelisted path, any URL that begins with /cart/ will be accessible.

This path is useful for e-commerce websites, membership sites, or any platform that requires differentiated access levels for various sections of the site.

The ability to define specific root paths and subpaths provides administrators with precise control over which areas of the website are accessible. This is particularly beneficial for websites with multiple user roles and access levels.


This feature is designed to block unwanted traffic and increase your website’s security against bad-bots and bag crawlers.

To activate this feature, simply go to Hide My WP > Firewall > Blacklist. It becomes active once you add data in one of its options. Let’s explore the various aspects of this powerful tool and understand how it can safeguard your WordPress site.

The blacklisting feature offers several benefits that significantly enhance your website’s security:

Stopping Bad Bots: Malicious bots can scrape your content, attempt brute-force attacks, and exploit vulnerabilities. By blocking these bots, you can reduce the risk of such activities.

Thwarting Repeated Attackers: Known IPs that repeatedly try to hack your website can be effectively blocked, preventing them from accessing your site.

Reducing Server Load: By filtering out unwanted traffic, you can reduce the load on your server, improving your site’s performance and user experience.

Improving Security: Each layer of blocking adds to your site’s security, making it more challenging for attackers to penetrate.

Blacklist IP Address or IP Address Range

Blocking specific IP addresses or a range of IP addresses is one of the most effective ways to prevent known malicious crawlers from accessing your site. This option allows you to deny access to IPs that have previously attempted to hack your website or engage in other harmful activities.

You can enter an IP address range like 192.168.0.*, 192.168.*.* or even 192.*.*.* if you want to block an entire IP class.

block ip addresses

Block by User Agent

User agents are strings that browsers and software applications send to identify themselves when making requests to your server. Unfortunately, malicious bots often use user agents to disguise themselves as legitimate traffic.

By blocking specific user agents, you can filter out these harmful bots and protect your site from potential threats.


Block by Referrer

Referrer blocking allows you to deny access to traffic coming from specific URLs. This is particularly useful for blocking visits from suspicious or malicious referrers known to host or propagate harmful activities.

By filtering out these sources, you can reduce the risk of unwanted traffic reaching your site.


Block by Hostname

Blocking by hostname enables you to deny access based on the visitor’s hostname. This option is valuable for blocking traffic from known malicious networks or ISPs associated with cyber-attacks. By preventing these hostnames from accessing your site, you can enhance your overall security.

Note! This option requires more process time to obtain the hostname from the IP address, so we recommend using it only if necessary.


Avoid Blocking Valid Search Engine Bots

While the blacklisting feature is a powerful tool, it’s essential to use it wize. Blocking legitimate traffic, such as search engine bots from Google, Bing, and Yandex, can negatively impact your site’s search engine rankings and visibility.

Hide My WP Ghost allows you to whitelist these valid bots, ensuring that your site remains accessible to search engines while keeping malicious entities at bay.

Search Engine Crawlers

Blocking access to countries in North America and Europe could prevent search engine crawlers like Googlebot from indexing your site, negatively affecting your search engine rankings.

If you use Google Ads, be cautious with country blocking to avoid penalties. Google Ads policies prohibit participants from blocking any country from viewing pages completely. If you receive a warning from Google Ads, add in Block Specific Paths only the paths without Google Ads.

By following these steps, you can utilize Hide My WP Ghost’s country blocking feature effectively to enhance your website’s security and control access based on geographic locations.