How to Change and Hide the wp-includes Path in WordPress with WP Ghost
This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.
Change and hide the WordPress wp-includes path with WP Ghost (formerly Hide My WP Ghost) to remove the most visible WordPress fingerprint from your source code. The /wp-includes/ path appears dozens of times in every page’s HTML and is the primary way scanners identify WordPress. Change it once, and every jQuery URL, block editor script, and core CSS reference updates automatically.
The wp-includes directory contains the WordPress core library: jQuery, the block editor, REST API framework, core PHP classes, and every stylesheet that WordPress loads on every page. Its presence in your source code is the single strongest signal that a site runs WordPress. Every CMS scanner checks for it first.
When a core vulnerability is disclosed, attackers immediately target known paths inside /wp-includes/. According to Patchstack’s 2026 report, attackers weaponize new vulnerabilities within a median of just 5 hours. Changing the path means their exploit scripts point to URLs that do not exist on your server.
Why You Need to Secure the wp-includes Path
| Default /wp-includes/ (exposed) | With WP Ghost (secured) |
|---|---|
| Appears dozens of times in page source | Custom name, zero WordPress references |
| Scanners instantly confirm WordPress | CMS detection tools lose their primary signal |
| Exploit scripts target known file paths | Exploit URLs return 404 |
| Directory browsing reveals version info | Old path blocked, directory hidden |
If you have already changed the wp-content path but left wp-includes at its default, scanners still see the “wp-” prefix in your page source and can confirm WordPress. Both core directories need to be renamed for complete CMS hiding.
How to Secure wp-includes with WP Ghost
Activate Safe Mode or Ghost Mode
Go to WP Ghost > Change Paths > Level of Security. Select Safe Mode or Ghost Mode and click Save. Both modes change the wp-includes path automatically with a predefined name.
Change the wp-includes Path
This replaces every visible reference to /wp-includes/ in your page source with a custom name. jQuery URLs, block editor scripts, core CSS files, and every other asset loaded from wp-includes will show the new path instead. One change, dozens of references updated.
Go to WP Ghost > Change Paths > WP Core Security. Find the Custom wp-includes Path field. A predefined name is already filled in. Enter a different name or keep the predefined one. Click Save.
Do not use names that suggest core libraries, like “core”, “lib”, “includes”, or “framework”. Choose something random that does not hint at what is inside.
No files are moved
WP Ghost does not physically move or rename any files. The wp-includes folder stays exactly where WordPress expects it. WP Ghost creates virtual paths through URL rewrite rules. Deactivating the plugin restores all original paths instantly.
Hide the Old wp-includes Path
Changing the path gives you a new URL, but the original /wp-includes/ might still respond to direct requests. The Hide WordPress Common Paths option blocks this. Anyone accessing the old path gets a 404 error.
Go to WP Ghost > Change Paths > WP Core Security. Switch on Hide WordPress Common Paths. Under Hide File Extensions, select file types to block from the old paths (PHP and JS are the most important). Click Save.
This option also covers /wp-content/ paths simultaneously. If you have already changed the wp-content path, enabling Hide WordPress Common Paths protects both core directories with a single toggle.
Verify with a Security Check
Go to WP Ghost > Security Check. Click Start Scan. The scan confirms the wp-includes path is changed and the old path is hidden.
For a quick manual test, open a private browser window, view your page source (Ctrl+U), and search for “wp-includes”. If the change is working, you will not find any matches.
Troubleshooting
Site displays errors after changing the path
If your site breaks after changing the wp-includes path, try these steps in order:
Clear all caches. Clear your browser cache, WordPress caching plugin, CDN cache, and server-level cache. Cached pages may still reference the old path. If you use a caching plugin, also enable Change Paths in Cached Files in WP Ghost > Tweaks.
Revert to the predefined name. Remove your custom name and use the predefined one that WP Ghost suggests. Save and test again.
Check plugin compatibility. Some plugins hardcode /wp-includes/ paths. Deactivate plugins one by one to identify the conflict. Check the Compatibility Plugins List.
Use the Safe URL. If you cannot access the dashboard, use the Safe URL parameter or the Emergency Disable guide.
Frequently Asked Questions
Will this break jQuery or the block editor?
No. jQuery and all other core scripts continue loading normally. WP Ghost uses rewrite rules that transparently serve files from the original wp-includes directory through the new URL. The block editor, media handlers, and all front-end interactions work exactly as before.
What is the difference between wp-includes and wp-content?
wp-includes contains the WordPress core library: the code that makes WordPress itself work, including jQuery, the editor, REST API framework, and core PHP classes. wp-content contains your customizations: themes, plugins, and uploaded media. Both directories are WordPress fingerprints and both should be renamed for complete CMS hiding.
Do I need to clear my cache after changing this path?
Yes. If you use a caching plugin, clear your cache after making the change. Cached pages may still contain the old wp-includes references. If your caching plugin minifies CSS and JS, also enable Change Paths in Cached Files in WP Ghost.
Does this work with CDNs?
Yes, but you may need to update your CDN configuration. If your CDN caches assets by URL path, it needs to know about the new path. Add your CDN domain in WP Ghost > Mapping > CDN URLs for automatic path mapping.
Does WP Ghost physically move the wp-includes folder?
No. WP Ghost never moves, renames, or modifies any file or folder. The wp-includes directory stays where WordPress installed it. Virtual paths are created through URL rewrite rules. Deactivating WP Ghost restores all original paths instantly.
Related Tutorials
Customize All WordPress Paths – change every WordPress path in one guide.
Change the wp-content Path – rename the other core directory fingerprint.
Activate Security Tweaks – hide version tags, generator META, and other fingerprints.
URL Mapping and Text Mapping – change remaining class names and URLs in source code.
Website Security Check – verify your configuration after making changes.