Search: 2fa

91 results

How to Protect Your WordPress Website from Hackers

… WordPress application running on it. WP Ghost works through three pillars of prevention. First, path security: it changes every default WordPress path so bots can’t identify your site as WordPress. Second, firewall filtering: the 8G firewall blocks SQL injection, script injection, and malicious payloads at the server edge. Third, login security: brute force protection with reCAPTCHA and two-factor authentication (including passkeys with Face ID, Touch ID, and Windows Hello) ensure stolen passwords aren’t enough.

WP Ghost includes 115+ free features covering path security, 7G/8G firewall, brute force protection, 2FA, security headers, and hardening options. On …

Why Is My Custom Admin Path Redirecting to the Front Page?

… They control different URLs. You can have one enabled without the other depending on your security needs.

Is it less secure to switch off “Hide the New Admin Path”?

Slightly, but in practice the difference is minimal. With this option off, someone who discovers your custom admin path gets redirected to the login page. They still need valid credentials to get in, and your login page is protected by brute force protection and 2FA. The main security benefit of hiding the admin path is preventing bots from even confirming the login form exists.

Can I customize the redirect for hidden

How to Set Up WP Ghost on Ploi.io Hosting - Nginx Setup Guide

… that affect the rewrite rules (login path, admin path, plugins path, themes path, etc.). The hidemywp.conf file is updated automatically by WP Ghost when you save. Since Ploi includes the file dynamically, Nginx picks up the new rules on the next reload. Changes to settings like brute force protection, 2FA, or firewall level do not require Nginx config updates.

Can I use Ghost Mode on Ploi.io?

Yes. Ghost Mode works on Ploi.io. It generates more rewrite rules than Safe Mode, but the setup process is identical. Safe Mode is recommended for first-time setup because it is …

Is WP Ghost Compatible with Kinsta Hosting?

… settings?

No. The file is included once by Kinsta. WP Ghost updates the contents of that file automatically when you change settings. You only need to contact Kinsta for the initial setup. After that, saving settings in WP Ghost updates the rules without requiring server restarts.

Is WP Ghost still effective on Kinsta without the Nginx config?

Yes. Without config rewrites you lose full path hiding (renaming wp-content, wp-includes, etc.), but custom login paths, brute force protection, firewall, 2FA, security headers, and version hiding all work through WordPress hooks. These features cover the most critical attack vectors …

Does WP Ghost Work With BuddyBoss?

… API access if you use the BuddyBoss App or any BuddyBoss feature that relies on remote API access.

What Works

WP Ghost has been tested with the BuddyBoss website platform. Path security (changing admin, login, plugins, themes, wp-content, and wp-includes paths), the 7G/8G firewall, brute force protection, 2FA, and all security headers work alongside BuddyBoss without conflict. BuddyBoss social features like activity feeds, groups, forums, messaging, and member profiles continue functioning normally because they operate through standard WordPress page templates and AJAX calls, which WP Ghost handles transparently.

Important: REST API and the BuddyBoss App

BuddyBoss relies …

Does WP Ghost Come With a License Transfer System?

… license, they get support on their own account. WP Ghost does not provide direct support to third parties, like an agency’s clients.

Does the free version still protect the site if the license expires?

Yes. WP Ghost Free includes 115+ features: path security, 7G/8G firewall, brute force protection, 2FA with passkeys, security headers, and more. The Premium features (advanced logs, country blocking, file permissions, SALT regeneration) become unavailable, but the core hack-prevention functionality continues working. See the Free vs Premium comparison for the full breakdown.

Does WP Ghost modify WordPress core files?

No. WP Ghost uses rewrite …

Will There Be Issues If I Stop Using WP Ghost?

… to , all plugin and theme directory names revert to their originals, the REST API responds at again, and every CSS, JS, and image file loads from its original WordPress path. The firewall rules are removed from .htaccess (on Apache) or stop being applied (on Nginx). Security headers, brute force protection, 2FA, and all other features stop functioning.

This is because WP Ghost never modifies any WordPress core files, plugin files, or theme files. It applies all changes at runtime through rewrite rules, WordPress hooks, and output buffering. There are no file renames, no database schema changes, and no permanent modifications …

Does WP Ghost Protect Against Clickjacking?

… One Layer

Security headers protect against browser-level attacks like clickjacking. WP Ghost’s hack-prevention approach covers multiple attack vectors beyond this: path security prevents bots from finding your WordPress structure, the 7G/8G firewall blocks injection attacks at the server level, brute force protection limits login attempts, and 2FA secures authentication. Clickjacking protection is one piece of a complete defense strategy. For the full feature overview, see What is WP Ghost.

Frequently Asked Questions

Will X-Frame-Options break my page builder?

Some page builders use iframes for their preview or editor mode. The SAMEORIGIN setting allows framing …

Does WP Ghost Work on Shared Hosting Plans?

… WP Ghost.

Can I use the full path-hiding features on Nginx shared hosting?

Only if you or your host can add the include to the Nginx configuration. Without that, you’re limited to features that work through WordPress hooks (custom login paths, brute force, firewall, 2FA, security headers). These still provide strong protection against the most common attack vectors.

Does this work with WooCommerce on shared hosting?

Yes. WP Ghost is fully compatible with WooCommerce on all server types. Cart, checkout, product pages, and customer accounts work normally on Apache, LiteSpeed, and Nginx shared hosting alike.

Does WP …

Does WP Ghost Work on SiteGround Hosted Websites?

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

Yes. WP Ghost is fully compatible with SiteGround hosting. WP Ghost includes a dedicated SiteGround server profile that auto-configures the correct rewrite rules for SiteGround’s Nginx and Apache combination. No manual server configuration is needed. Path security, firewall, brute force protection, 2FA, and all other features work out of the box.

How WP Ghost Works on SiteGround

SiteGround uses Nginx as a reverse proxy in front of Apache. WP Ghost detects this setup and writes …

Is WP Ghost Available in Other Languages? (16 Languages)

… You can contribute a translation for your language through the WordPress.org translation platform. All security features work identically regardless of language.

Does the language setting affect security features?

No. Language settings only change the text displayed in the WP Ghost admin interface. Path security, firewall rules, brute force protection, 2FA, and all other security features work the same way in every language.

Does WP Ghost modify WordPress core files?

No. WP Ghost uses server rewrite rules and WordPress filters to change paths and block threats at runtime. No core files, theme files, or plugin files are modified. Language changes …

Is WP Ghost Compatible with the AppMySite Plugin?

Yes, WP Ghost is compatible with the AppMySite plugin. AppMySite communicates with your WordPress site through the REST API, so you need to keep the REST API path at its default and not disable REST API access. All other WP Ghost features, including path security, firewall, brute force protection, and 2FA, work alongside AppMySite without conflict.

What to Keep in Mind

AppMySite turns your WordPress site into a mobile app by pulling content, products, and user data …

What Is WP Ghost Backup and Restore? How Does It Work?

… changes. The backup file contains only WP Ghost configuration data, not WordPress content or database tables. This is a free feature.

How It Works

Go to WP Ghost > Backup/Restore. Click Backup to download a file containing all your current WP Ghost settings: path configurations, firewall rules, brute force settings, 2FA configuration, security headers, text mapping rules, and every other option in the plugin. The file saves to your computer as a JSON export.

To restore, go to the same page, click Restore, select the backup file, and confirm. WP Ghost overwrites all current settings with the ones from the …

Is Hide My WP Ghost Easy to Use? (Setup in Under 3 Minutes)

Yes. WP Ghost is designed so you can go from zero protection to fully configured in under a minute. No coding skills required. You select a security level, the plugin fills in all the custom paths automatically, and you click Save. For users who want even faster setup, four one-click presets configure the entire security stack, including firewall, brute force, and 2FA, with a single button.

How Quickly Can I Set Up WP Ghost?

Most users …

Do I Still Need WP Ghost If I Already Have Sucuri?

… server level, brute force protection with reCAPTCHA, two-factor authentication with passkeys, security headers (HSTS, CSP, X-Frame-Options), and country blocking (Premium). These are independent features that work alongside Sucuri without conflict.

How to Use Both Together

The two plugins complement each other when you avoid enabling the same feature in both. Let WP Ghost handle path security, the 7G/8G firewall, brute force protection, 2FA, and security headers. Let Sucuri handle file integrity monitoring, malware scanning, and activity auditing. If you use Sucuri Pro’s cloud WAF, it works in front of WP Ghost’s server-level …

How Does WP Ghost Compare to WP Hide Security Enhancer?

… use WP Ghost only for its additional features, that also works. Disable all path security in WP Ghost (custom login, admin, wp-content, plugins, themes, uploads, REST API) and let WP Hide handle the path changes. Enable only WP Ghost features that WP Hide does not have: firewall, brute force, 2FA, security headers, country blocking, and activity logs. Do not enable path security in both plugins at the same time.

For the full configuration guide with a feature-by-feature comparison table, see the WP Ghost and WP Hide Security Enhancer compatibility tutorial.

Frequently Asked Questions

Will WP Ghost and …

What Value Does WP Ghost Add to My WordPress Security Stack?

… individual plugin name randomization), themes, uploads, wp-includes, REST API, and author paths. Vulnerability scanners like WPScan report zero detected plugins. Theme detectors like BuiltWith and Wappalyzer cannot identify your CMS.

Zero-day protection through path security. When a popular plugin has a newly discovered vulnerability, attackers scan for sites running that plugin by checking its known path. If WP Ghost has changed your plugin paths and hidden the plugin names, the scan fails even if you haven’t patched the vulnerability yet. Your site is protected during the window between disclosure and patch, which is when most attacks …

How Does WP Ghost Compare to CloudFilt?

… vulnerabilities. If those paths don’t exist, the attack has nothing to target, regardless of whether a WAF is in front of your server.

Can I Use WP Ghost Together with CloudFilt?

Yes. They work at different layers and don’t conflict. CloudFilt handles network-level traffic filtering. WP Ghost handles WordPress-level path security, firewall rules, login protection, and identity hiding. Using both gives you layered defense: CloudFilt stops threats at the network edge, and WP Ghost stops threats that reach your WordPress application.

WP Ghost is also designed to work alongside other security tools like Wordfence, Solid …

How Does WP Ghost Compare to Clearfy?

WP Ghost and Clearfy serve different purposes. Clearfy is a WordPress optimization and cleanup plugin that includes some basic security features. WP Ghost is a dedicated hack-prevention plugin focused on attack surface reduction. While they share a few overlapping features like hiding the login page and removing WordPress fingerprints, WP Ghost provides significantly deeper security coverage including full path security for 30+ paths, 7G/8G firewall, brute force protection, 2FA with passkeys, security headers, and country blocking.

Different Tools for Different Jobs

Clearfy is primarily a WordPress optimization plugin. Its main focus is cleaning up WordPress output: removing unnecessary …

What Security Plugin Should I Use Alongside WP Ghost?

WP Ghost focuses on hack prevention – hiding paths and blocking attacks before they reach your site. To complement it, pair WP Ghost with a security plugin that handles detection and response: malware scanning, file integrity monitoring, and post-breach cleanup. The best pairing depends on what your hosting already provides and what level of monitoring you need.

Why Does WP Ghost Recommend Using Another Security Plugin?

WP Ghost is a prevention tool. It reduces your attack surface …

Does WP Ghost Complement or Replace Wordfence, Sucuri, VirusDie?

WP Ghost complements other security tools. It does not replace them. WP Ghost handles hack prevention through attack surface reduction, which is a layer that Wordfence, Sucuri, VirusDie, and similar tools do not provide. Those tools focus on detection, blocking, and cleanup after threats arrive. WP Ghost prevents bots from discovering your WordPress structure in the first place. Together, they create defense in depth: WP Ghost stops the reconnaissance, and your other plugin catches anything that gets …

How Does WP Ghost Compare to Wordfence? Can They Work Together?

WP Ghost and Wordfence are compatible and work well together. They approach WordPress security from different angles: Wordfence is a reactive security plugin focused on threat detection, firewall rules, and malware scanning. WP Ghost is a proactive hack-prevention plugin focused on attack surface reduction. Wordfence blocks known threats as they arrive. WP Ghost prevents bots from discovering what to attack in the first place. Running both gives you defense in depth.

What Wordfence Provides

Wordfence is …

How Customizable Is WP Ghost? Can I Control Every Setting?

WP Ghost is fully customizable. Every feature can be turned on or off individually, every path can be set to a custom value or left at default, and security presets let you load a complete configuration with one click and adjust from there. You control exactly which protections are active and how aggressive they are, from a single hidden login path to full Ghost Mode with firewall, 2FA, and country blocking.

Start Simple, Customize as You Go …

Does WP Ghost Slow Down WordPress?

… default WordPress paths, WP Ghost eliminates a significant volume of server requests that would otherwise trigger full WordPress page loads. On sites with heavy bot traffic, this can measurably reduce CPU and memory usage, which improves response times for real visitors.

Settings That Can Affect Performance

A small number of WP Ghost features involve additional processing that could have a minor impact on load times. These are not active by default and WP Ghost displays a warning when you enable them.

Text Mapping in CSS and JS files. When you use WP Ghost > Mapping > Text Mapping and enable text …

Can I Use WP Ghost with iThemes Security (Solid Security)?

Yes. WP Ghost is fully compatible with Solid Security (formerly iThemes Security). The two plugins complement each other: Solid Security focuses on WordPress hardening, password policies, and file monitoring. WP Ghost focuses on attack surface reduction by changing WordPress paths and adding firewall rules. Running both gives you defense in depth, as long as you avoid enabling the same feature in both plugins.

What Solid Security Provides

Solid Security (renamed from iThemes Security in November 2023 as …

Can WP Ghost Replace Solid Security (iThemes)?

No. WP Ghost is not designed to replace Solid Security (formerly iThemes Security). They serve different purposes and work best together. WP Ghost handles hack prevention by hiding paths and blocking bots at the server level. Solid Security handles WordPress hardening, password policies, file change detection, and malware scanning. Using both gives you defense in depth: WP Ghost stops attacks at the door, Solid Security monitors what happens inside.

What Does Each Plugin Handle?

WP Ghost focuses …

Is WP Ghost GDPR Compliant?

… leave the Events Log and cloud storage off. With those features disabled, WP Ghost doesn’t record, store, or transmit any personal data about your visitors. You still get all path security features, the full firewall, security headers, 2FA, all hiding and mapping features, and every disable option. The vast majority of WP Ghost’s 115+ free features work without collecting any data.

What Happens to Data That Is Collected?

When data-collecting features are enabled:

Local storage: Events Log data is stored in a dedicated WordPress database table () on your own server. Retention period is configurable. If you …