How to Change the Plugins Path and Hide Plugin Names in WordPress with WP Ghost
This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.
Prevent plugin detection and block targeted exploits by changing the plugins path, renaming plugin directories, and hiding the old path with WP Ghost (formerly Hide My WP Ghost). According to Patchstack, 91% of WordPress vulnerabilities are found in plugins. Scanners like WPScan enumerate your plugin directories to build a list of what you run. Hide the path, and they lose the map.
Every plugin you install creates a directory inside /wp-content/plugins/ with its exact name. If you use Contact Form 7, your source shows /wp-content/plugins/contact-form-7/. WooCommerce, Elementor, Yoast SEO – they all announce themselves through their directory names. Vulnerability scanners exploit this predictability by checking each plugin name against known vulnerability databases.
WP Ghost gives you three layers of plugin protection: change the path to the entire plugins directory, assign random names to each individual plugin, and block access to the old path completely.
Why You Need to Secure the Plugins Path
| Default /wp-content/plugins/ (exposed) | With WP Ghost (secured) |
|---|---|
| Plugin names visible in page source | Random names or custom names assigned |
| WPScan enumerates all installed plugins | Scanner reports zero detected plugins |
| readme.txt reveals plugin versions | Old path returns 404, version files unreachable |
| Deactivated plugins still exploitable via path | All plugins hidden, active and deactivated |
How to Secure the Plugins Path with WP Ghost
Activate Safe Mode or Ghost Mode
Go to WP Ghost > Change Paths > Level of Security. Select Safe Mode or Ghost Mode and click Save.

Change the Plugins Path
This replaces the /wp-content/plugins/ directory name in your page source with a custom name. Every CSS, JavaScript, and image URL that references a plugin path will show the new name instead.
Go to WP Ghost > Change Paths > Plugins Security. Find the Custom Plugins Path field. Enter a custom name (e.g., “modules” instead of “plugins”). Click Save.

Hide Plugin Names
Changing the path alone replaces “plugins” in the URL, but each plugin’s directory name (like “elementor” or “woocommerce”) is still visible. This option assigns random codes to every plugin directory name.
In the same Plugins Security tab, switch on Hide Plugin Names. Click Save.

To also hide deactivated plugins, switch on Hide All the Plugins. This is important because deactivated plugins are still exploitable. Their PHP files remain on the server and are accessible through the default path even when not active.

Hide the Old Plugins Path
After changing the path, the original /wp-content/plugins/ URL might still respond to direct requests. This option blocks it. Any request to the old path returns a 404 error.
In the Plugins Security tab, switch on Hide WordPress Old Plugins Path. Click Save.

Advanced: Custom Plugin Names
By default, Hide Plugin Names assigns random codes. If you want to control those names (useful for developers who need to identify specific plugins in the source code), the Advanced Options let you assign custom names to individual plugins.
Make sure Hide Plugin Names is enabled first. Click Show Advanced Options to reveal the customization panel. Select a plugin from the dropdown and enter a custom name. Click Save.

Use unique names that do not match your custom path names. To remove a custom name, click the X next to the plugin name to revert to a random code. For WordPress Multisite, WP Ghost displays all plugins regardless of the Hide All setting.
Verify with a Security Check
Go to WP Ghost > Security Check. Click Start Scan. The scan confirms the plugins path is changed and names are hidden.
For a quick manual test, view your page source and search for any plugin name you know you have installed (e.g., “elementor”, “woocommerce”, “contact-form-7”). If none appear, plugin security is working.
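The manual test above, scripted as an added example (not WP Ghost code or output). It separates default-path references from plugin names that survive elsewhere in the markup, such as CSS class names; the function name `audit_page_source`, the sample HTML, and the random directory codes are constructed for illustration, and the slug list is assumed to come from your own plugin inventory.

```python
import re

DEFAULT_PREFIX = "/wp-content/plugins/"  # the default path named on this page
PATH_RE = re.compile(re.escape(DEFAULT_PREFIX) + r"([A-Za-z0-9._-]+)/")

def audit_page_source(html, installed_slugs):
    """Report plugin-name leaks in one page's HTML (your own site's source)."""
    # 1) Slugs exposed through the default /wp-content/plugins/<slug>/ path.
    default_path_slugs = sorted({s.lower() for s in PATH_RE.findall(html)})
    # 2) Slugs that still appear outside those URLs (class names, ids, inline JS).
    remainder = PATH_RE.sub("", html).lower()
    residual = {}
    for slug in installed_slugs:
        pat = r"(?<![a-z0-9])" + re.escape(slug.lower()) + r"(?![a-z0-9])"
        count = len(re.findall(pat, remainder))
        if count:
            residual[slug] = count
    return {
        "default_path_slugs": default_path_slugs,
        "residual_mentions": residual,
        "clean": not default_path_slugs and not residual,
    }

# Constructed sample input: the same page before and after the path changes.
INSTALLED = ["contact-form-7", "elementor", "woocommerce"]
BEFORE = """
<link href="/wp-content/plugins/contact-form-7/includes/css/styles.css">
<script src="/wp-content/plugins/elementor/assets/js/frontend.min.js"></script>
<div class="elementor-widget-container">Hello</div>
"""
AFTER = """
<link href="/wp-content/modules/x7k2q9/includes/css/styles.css">
<script src="/wp-content/modules/p4m8z1/assets/js/frontend.min.js"></script>
<div class="elementor-widget-container">Hello</div>
"""

if __name__ == "__main__":
    for label, html in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_page_source(html, INSTALLED))
```

In the "after" sample the URLs are clean but the `elementor-widget-container` class still names the plugin, which is the kind of leftover the URL Mapping and Text Mapping tutorial listed under Related Tutorials is meant to address.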

Frequently Asked Questions
Will changing the plugins path break my plugins?
No. All plugin functionality continues working normally. Contact forms submit, page editors load, WooCommerce carts update, and SEO plugins generate sitemaps. WP Ghost serves files from the original directories through the new URLs. Nothing changes for visitors or your admin experience.
Why should I hide deactivated plugins?
Because deactivated plugins are still exploitable. Their PHP files remain on the server and are accessible through the default path even when not active. If a deactivated plugin has a known vulnerability, attackers can still target its files directly.
Should I also change the themes path?
Yes. Plugins and themes are both inside /wp-content/. If you hide plugins but leave themes visible, scanners can still confirm WordPress through theme paths. Change both for complete protection. See the Change Themes Path section.
Does this work with WooCommerce?
Yes. WP Ghost is fully compatible with WooCommerce. All WooCommerce functionality continues working through the custom path. For specific WooCommerce hiding tips, see the Hide Plugins Like WooCommerce and Elementor guide.
Does WP Ghost modify WordPress core files?
No. WP Ghost never touches, moves, or renames any file or folder. Plugin files stay in /wp-content/plugins/ exactly where WordPress expects them. Virtual paths are created through URL rewrite rules. Deactivating WP Ghost restores all original paths.
Related Tutorials
Customize All WordPress Paths – change every WordPress path in one guide.
Change Themes Path and Names – hide theme directories alongside plugins.
Hide Plugins Like WooCommerce and Elementor – specific tips for popular plugins.
URL Mapping and Text Mapping – change remaining plugin class names in source code.
Website Security Check – verify your configuration after making changes.