
Installation & Setup

Download the Plugin

The very first step is to download Hide My WP Ghost from your Hide My WP Ghost account.

Download

Connect to your account and download the Hide My WP Ghost premium plugin.


Hide My WP Ghost Free

If you want to test the FREE version of Hide My WP Ghost, you can download the plugin from https://wordpress.org/plugins/hide-my-wp/

Requirements

To install Hide My WP Ghost, you need at least WordPress 4.3 and PHP 5.6.

Server Requirements

You can install Hide My WP on Apache Server, NGINX Server, LiteSpeed Server, and IIS Windows Server.

Don’t forget to read the setup instructions for each server type.

WordPress.com

Hide My WP Ghost doesn’t work with a WordPress.com Business account, as WordPress.com doesn’t allow custom Login and Admin paths.


Download the ZIP file containing the plugin and upload it to WordPress:

  1. Log in as an Admin on your WordPress site.
  2. In the menu displayed on the left, there is a “Plugins” tab. Click on it.
  3. Now click on “Add New”.
  4. There, you have the “Upload Plugin” button.
  5. Upload the hide-my-wp.zip file.
  6. After the upload is complete, click on Activate Plugin.
Steps to install Hide My WP Ghost on your WordPress website.

Complete Plugin Activation

Once you’ve completely installed the plugin following the steps detailed above, go to Hide My WP Ghost > Settings


Clicking on Settings will take you to a new panel where you will be required to enter your Activation Token. Your Activation Token is listed in your account information (inside the Order History / Active Licenses section)

Find it at:

https://account.hidemywpghost.com/user/auth/orders

👋 In case you lost your login credentials or if you didn’t receive the account email after buying the plugin, you can reset the password using your email address here: https://hidemywpghost.com/lostpass

After you’ve added the Activation Token from your account, click on the Activate button to complete the plugin activation process.

Once you click on the Activate button, you will be taken to the Overview section where you will be able to see:

  • a performance graphic indicating your site’s current level of security;
  • a report containing the first list of actions that you should take to improve the security of your site (this list of actions is generated based on insights that Hide My WP Ghost uncovered after scanning your site for security issues).

Here is an example of what this looks like:

Activating either Safe Mode or Ghost Mode is going to help you address most of the issues highlighted in that initial report, which is why we recommend doing this next.

Note! Please back up your website before activating Safe Mode or Ghost Mode, in case of misconfiguration.

Activate the Plugin in Safe Mode or Ghost Mode

1️⃣ Go to Hide My WP Ghost > Change Paths > Level of Security and choose from Safe Mode or Ghost Mode.

You can learn more about the differences between Safe Mode and Ghost Mode here.

By activating Safe Mode, Hide My WP Ghost will change the following paths (for each path listed below, it will set a new, predefined path):

  • Login Path: /wp-login.php 
  • Core Contents Path: /wp-content 
  • Core Includes Path: /wp-includes 
  • Uploads Path: /wp-content/uploads 
  • Author Path: /author 
  • Plugins Path: /wp-content/plugins 
  • Themes Path: /wp-content/themes 
  • Comments Path: /wp-comments-post.php 

Note! Paths are NOT physically changed on your server. Safe Mode adds rewrite rules to the config file to hide the old paths from hackers.

Once you select Safe Mode, you will be shown a pop-up detailing all the predefined paths that Hide My WP Ghost sets in this mode.

Read the information written down in that pop-up and then click on the button that reads Continue > >

Set Hide My WP Ghost in Ghost Mode

By activating Ghost Mode, Hide My WP Ghost will change the following paths (for each path listed below, it will set a new, predefined path):

  • Admin Path: /wp-admin 
  • Login Path: /wp-login.php
  • Ajax URL: /wp-admin/admin-ajax.php 
  • Core Contents Path: /wp-content 
  • Core Includes Path: /wp-includes
  • Uploads Path: /wp-content/uploads
  • Author Path: /author
  • Plugins Path: /wp-content/plugins
  • Themes Path: /wp-content/themes
  • Comments Path: /wp-comments-post.php 

Note! Paths are NOT physically changed on your server. Ghost Mode adds rewrite rules to the config file to hide the old paths from hackers. If you notice any functionality issues, we recommend selecting Safe Mode.

Once you select Ghost Mode, you will be shown a pop-up detailing all the predefined paths that Hide My WP Ghost sets in this mode.

Read the information written down in that pop-up and then click on the button that reads Continue > >

Once you confirm the Safe Mode or the Ghost Mode by clicking on the Save button, you will see a popup where you will be asked to perform a Frontend Login test to make sure the CSS and JS are loaded correctly.

The popup will show regardless of whether you chose Safe Mode or Ghost Mode.

Follow the instructions from the image below. If everything loads correctly in frontend, click on the button that reads: Yes, it’s working.

🚨 NOTE! This will only show for Apache servers. For NGINX, you will be shown different instructions at the top of the screen, so make sure to keep an eye out for them.

Copy the Safe URL

Don’t forget to copy the safe URL to be able to login if there is a compatibility issue or a server configuration error.

(optional) If Hide My WP Ghost can’t apply the rewrite rules to your config files (.htaccess for Apache, nginx.conf for Nginx, web.config for IIS), you will be asked to do this manually. Follow the instructions and click on the button that reads: “Okay, I set it up”

(optional) If you installed the plugin on NGINX Server, you need to have access to nginx.conf file or to have a managed hosting plan.

You will need to add the config line in NGINX and restart the server only once. All the rewrite rules are present in the hidemywp.conf file.

Learn how to include the config line in NGINX File.

Note: For NGINX Servers, you need to restart NGINX after each customization with the command: sudo nginx -s reload

Note: For Apache Servers, you need to make sure you set the AllowOverride All option for your current directory in httpd.conf or apache2.conf.

2️⃣ Once you complete step 1, the paths will be automatically changed with the predefined ones.

Note! You have to remember the new login path because you will have to access it every time you connect to your website.

But you can also further customize Safe Mode or Ghost Mode (including the predefined paths) using the options you see in the left menu. (shown in the screenshot below)

Next up, we’ll briefly go over every item you can customize here and provide details on what it helps you achieve.

  • Go to Admin Security if you want to customize the wp-admin path (this is recommended but NOT mandatory, as there are some servers that don’t allow wp-admin path customization). If you want to hide the old wp-admin from visitors, you can also set this up inside the Admin Security panel.
  • Go to Login Security if you want to customize the wp-login.php path and hide it from visitors.

💡As a best practice, we recommend NOT using words like ‘admin’ or ‘login’ when customizing the wp-login path.

Note! Once you’ve customized the wp-login path, it’s important to make sure that other plugins have NOT also customized this path. Hide My WP Ghost automatically checks for this and if it identifies a different path for wp-login, you will see a notification letting you know there’s already a customization in place for the wp-login path.

However, be mindful of the fact that there may be situations when you’ve customized the wp-login path using Hide My WP Ghost and then installed a different plugin that also customizes this path. If that plugin doesn’t have a similar check in place, you can end up performing multiple customizations to the wp-login path which can lead to conflicts.

Other customizations you can make here are:

✔️ Customize the Lost Password Path

✔️ Customize the Register Path

✔️ Customize the Logout Path

For WordPress Multisite, there will be an EXTRA option included here, namely the Activation option.

  • Go to Ajax Security if you want to customize the admin-ajax.php path in frontend.

Other customizations you can make here are:

✔️ Choose to hide wp-admin from Ajax URL (this will show /ajax-call instead of /customadmin/ajax-call for Ghost Mode, and /admin-ajax.php instead of /wp-admin/admin-ajax.php when Safe Mode is enabled). This only works with the custom admin-ajax path to avoid infinite loops.

✔️ Change Paths in Ajax calls (enabling this option prevents the old paths from showing when an image or font is called through Ajax).

  • Go to User Security if you want to customize the author path in frontend. Another customization you can make from this panel is choosing to hide the Author ID URL. By enabling this, URLs like domain.com?author=1 won’t show the user login name. You can learn more about why this is important here.
  • Go to WP Core Security if you want to customize the WordPress common paths and hide them together with the common files.

The customizations you can make here are:

✔️ Customize the wp-content path

✔️ Customize the wp-includes path

✔️ Customize the wp-content/uploads path

✔️ Customize the comments path

Once the path names have been customized, you also have the option to hide the changed WordPress common paths, and select the file extensions you want to hide on old paths (excluding image file extensions).

Note that the file extensions will only be hidden for the OLD paths; and can still be called via the new, customized paths.

Finally, in this section of Change Paths, you can:

  • hide WordPress common files (like: wp-config.php, wp-config-sample.php, readme.html, license.txt, etc) which can display information about your WordPress (for example: the WordPress version you are using)
  • disable directory browsing.

By disabling directory browsing, you’re not allowing hackers to see any directory content. See an example for a test site here (shows what potential hackers will see when accessing your content directory if the option: Disable Directory Browsing is active).

  • Go to Plugins Security if you want to customize the plugins path and names in frontend.

From this section, you can:

✔️ Set a custom plugins path (example: wp-content/plugins becomes modules if you set it up like in the screenshot below)

✔️ Enable Hide Plugin Names (when this option is enabled, Hide My WP Ghost will attribute random names to each active plugin in your site).

^^ If you enable this option, you’ll also be able to choose whether to hide all the plugins (meaning: both plugins that are active AND plugins you’ve deactivated for your site)

✔️ Enable Hide WordPress Old Plugin Path (this tells Hide My WP Ghost to hide the old /wp-content/plugins path once it’s changed with the new one)

✔️ Manually customize each plugin name and overwrite the random name(s) given by Hide My WP Ghost (if you enabled Hide Plugins Names). To set this up, activate Show Advanced Options.

Note! This option will only show IF you’ve enabled: Hide Plugin Names. The customized plugin names you set up here will only overwrite the random names for the plugins you select. If you don’t attribute a custom name to a plugin, Hide My WP Ghost will continue to display the random name.

To attribute a custom name to a plugin:

  • select a plugin from the drop-down list

Hide My WP Ghost will automatically detect all active plugins you currently have installed on your site and display them in the drop-down list.

If you want Hide My WP Ghost to show both plugins that are active AND plugins you’ve deactivated for your site, make sure to enable: Hide All the Plugins.

For WordPress Multisite, Hide My WP Ghost will display all plugins, regardless of whether the Hide All the Plugins option is enabled or not.

  • write down the custom name in the dedicated field. As a best practice, we recommend that you don’t use the same words you’ve used for the Custom Plugins Path or any other custom path.

In the example below, we’ve customized the name for the woocommerce plugin. The custom name that will appear is: shop

💡 You can set up this customization for as many plugins as you want, following the same process.

If you want to remove an item and disable a name customization you’ve set up for a certain plugin, simply click on the X symbol.

  • Go to Themes Security if you want to customize the themes path and names in frontend.

From this section, you can:

✔️ Set a custom themes path (example: wp-content/themes becomes views if you set it up like in the screenshot below)

✔️ Enable Hide Theme Names. When this option is enabled, Hide My WP Ghost will attribute a random name to each theme (works in WordPress Multisite).

✔️ Enable Hide WordPress Old Themes Path (this tells Hide My WP Ghost to hide the old /wp-content/themes path once it’s changed with the new one)

✔️ Customize the theme style name (allows you to customize the WordPress default name, which is: style.css)

✔️ Manually customize each theme name and overwrite the random name(s) given by Hide My WP Ghost (if you enabled Hide Theme Names). To set this up, activate Show Advanced Options.

Note! This option will only show IF you’ve enabled: Hide Theme Names. The customized theme names you set up here will only overwrite the random names for the theme(s) you select. If you don’t attribute a custom name to a theme, Hide My WP Ghost will continue to display the random name.

To attribute a custom name to a theme:

  • select a theme from the drop-down list. Hide My WP Ghost will automatically detect all themes (including deactivated themes) you have on your WordPress site in the drop-down list.
  • write down the custom name in the dedicated field. As a best practice, we recommend that you don’t use the same words you’ve used for the Custom Themes Path or any other custom path.

💡 You can set up this customization for as many themes as you want, following the same process. If you want to remove an item and disable a name customization you’ve set up for a certain theme, simply click on the X symbol.

  • Go to API Security if you want to customize the REST API path and XML-RPC.

For both Safe Mode and Ghost Mode, Hide My WP Ghost will leave the default wp-json as the custom wp-json Path (the reason for this is that many plugins still use this default path to access the REST API’s index). Hide My WP Ghost will also hide this path from frontend.

Furthermore, you have the option to disable REST API access for users who are not logged in (site visitors).

Note! Even if the REST API is disabled, Hide My WP Ghost will only restrict site visitors from accessing the API – NOT logged-in users. This will prevent most of the errors that might appear in the admin area.

Other customizations you can make from this section:

✔️ Disable XML-RPC access

✔️ Disable RSD (Really Simple Discovery) endpoint from XML-RPC

  • Go to Firewall & Headers if you want to add Security Headers and Firewall against Script & SQL Injections.

Click here to learn more about the options available in this section of the plugin.

  • Go to Other Options if you want to customize the category path and/or customize the tags path.

3️⃣ After customizing, click on the Save button to confirm your choices and enable Hide My WP Ghost to apply the changes.

4️⃣ Finally, go to Hide My WP >> Security Check section and run a test to make sure all the settings and tweaks are set correctly. If you see that there are still security issues you need to address, click on the Info button to learn more about each issue Hide My WP Ghost uncovered.

Some of them can automatically be fixed with a single click by using the button that reads: “Fix it”
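
As an independent check alongside the built-in Security Check, the following added example (not part of the plugin or of this guide's original text) scans a saved copy of the front-page HTML for the default paths that Safe Mode and Ghost Mode are meant to replace, including URLs with JSON-escaped slashes inside inline scripts. The host example.test, the custom path storage and the function names are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser

# Default paths replaced by Safe Mode / Ghost Mode (taken from the lists above).
# Most specific first, so each URL is reported under its narrowest match.
DEFAULT_PATHS = [
    "/wp-admin/admin-ajax.php", "/wp-content/uploads", "/wp-content/plugins",
    "/wp-content/themes", "/wp-comments-post.php", "/wp-login.php",
    "/wp-includes", "/wp-content", "/wp-admin", "/author",
]

class UrlCollector(HTMLParser):
    """Collects URL-bearing attribute values and inline <script> bodies."""
    URL_ATTRS = {"href", "src", "srcset", "action"}

    def __init__(self):
        super().__init__()
        self.values, self.in_script = [], False

    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
        self.values += [v for k, v in attrs if k in self.URL_ATTRS and v]

    def handle_endtag(self, tag):
        self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            # Inline JSON escapes slashes: "\/wp-admin\/admin-ajax.php"
            self.values.append(data.replace("\\/", "/"))

def find_default_path_leaks(html):
    """Return {default_path: [URLs]} for default paths still visible in html."""
    collector = UrlCollector()
    collector.feed(html)
    leaks = {}
    for value in collector.values:
        for url in re.findall(r"/[\w\-./]+", value):
            for path in DEFAULT_PATHS:
                # Lookahead keeps "/author" from matching "/authors-guild".
                if re.search(re.escape(path) + r"(?![\w-])", url):
                    leaks.setdefault(path, []).append(url)
                    break
    return leaks

# Constructed sample: front page of a hypothetical site after the path changes.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://example.test/views/shop-theme/design.css">
<script src="https://example.test/wp-includes/js/jquery/jquery.min.js"></script>
<script>var cfg = {"ajax_url":"https:\\/\\/example.test\\/wp-admin\\/admin-ajax.php"};</script>
</head><body><img src="/storage/2024/01/logo.png">
<a href="/authors-guild/">Guild</a>
<form action="/wp-comments-post.php" method="post"></form></body></html>"""

if __name__ == "__main__":
    for path, urls in find_default_path_leaks(SAMPLE_HTML).items():
        print(f"{path}: still referenced by {urls}")
```

Any path it reports is one that a theme, plugin or cached page still emits in its old form, which is worth tracing before relying on the changed paths.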

For more customization in Hide My WP Ghost, follow these tutorials:


Simulate CMS

After the plugin is set in Safe Mode or Ghost Mode, the CMS simulator will appear with the options to choose between Drupal or Joomla versions.

Select any custom CMS you like and Hide My WP Ghost will know what headers and tags to add for Theme Detectors like BuiltWith.

Error Messages

  • If you connect to admin while checking the Frontend Login, the security codes are changed and you need to refresh the settings in Hide My WP Ghost (F5 key) to reload the correct security key. Click “Yes, it’s working” after refresh and the settings will be saved.

Attention! Please check the rewrite rules in the config file.

  • NGINX Server: The rules are not set correctly in the NGINX config file or the NGINX server was not reloaded after the settings were saved.
  • On Apache server: AllowOverride is set to None instead of All and the rewrite rules are not loaded from .htaccess
  • On LiteSpeed server: AllowOverride is set to None instead of All and the rewrite rules are not loaded from LiteSpeed.
  • On IIS server: The Rewrite Rules add-on is NOT installed and the rules are not loaded from config. https://hidemywpghost.com/kb/when-the-website-loads-slower-with-hide-my-wp-ghost/
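
For the Apache case above, and the earlier note about setting AllowOverride All in httpd.conf or apache2.conf, this added example (not code from the plugin) works out which AllowOverride value Apache applies to a document root, so you can confirm whether the .htaccess rewrite rules are being read. The directory paths and config contents are constructed samples, and only plain `<Directory>` sections are handled.

```python
import posixpath
import re

def effective_allow_override(config_text, docroot):
    """Return the AllowOverride value Apache applies to docroot.

    Handles plain <Directory "path"> sections only (no wildcards, no
    <DirectoryMatch>); Apache merges them from shortest path to longest.
    """
    docroot = posixpath.normpath(docroot)
    sections, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>$', line, re.I)
        if opened:
            current = posixpath.normpath(opened.group(1))
        elif re.match(r"</Directory>", line, re.I):
            current = None
        elif current and (m := re.match(r"AllowOverride\s+(.+)", line, re.I)):
            sections.append((current, m.group(1).strip()))
    value = "None"  # Apache 2.4 default when nothing is configured
    for path, setting in sorted(sections, key=lambda s: len(s[0])):
        # Match on whole path components so /var/www/html != /var/www/html-old.
        if docroot == path or docroot.startswith(path.rstrip("/") + "/"):
            value = setting
    return value

def htaccess_rewrites_load(config_text, docroot):
    """True when .htaccess rewrite rules are honoured for docroot."""
    words = effective_allow_override(config_text, docroot).lower().split()
    # mod_rewrite directives belong to the FileInfo class; "All" includes it.
    return "all" in words or "fileinfo" in words

# Constructed sample: a typical config that ignores .htaccess under /var/www.
BROKEN_CONF = """
<Directory />
    AllowOverride None
</Directory>
<Directory /var/www/>
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""

# Constructed sample: the same config with an override for the site directory.
FIXED_CONF = BROKEN_CONF + """
<Directory "/var/www/html">
    AllowOverride All
</Directory>
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, effective_allow_override(conf, "/var/www/html"))
```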

403 Forbidden Error caused by ModSecurity (mod_security)

ModSecurity is an open-source web application firewall (WAF) supported by different web servers (such as Apache, Nginx, IIS) and used by a lot of hosts.

The issue: If your host has rule #212340 in place – which it most likely does by default – then it will prevent the Code Editor from working when Hide My WP Ghost is in Ghost Mode.

The solution: If you encounter this issue, make sure to contact your host to turn off Rule 212340 or whitelist you from it.

Once you do that, you should no longer see the 403 Forbidden Error.