Search: 2fa

… force limits and reCAPTCHA, adding security headers (HSTS, CSP, X-Frame-Options), providing 2FA including passkeys for phishing-resistant authentication, and disabling attack endpoints like XML-RPC and REST API for unauthenticated users.

How Do the Two Layers Work Together?

Think of it as two checkpoints. Your server firewall is the outer perimeter. It stops known bad IPs, absorbs DDoS traffic, and blocks general network-level threats. WP Ghost is the inner checkpoint. It stops application-level attacks that pass through the server firewall because they look like normal HTTP requests, just targeted at WordPress-specific paths.

A bot …

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

Yes. WP Ghost includes 115+ free features and 150+ premium features covering path security, 7G/8G firewall, brute force protection, 2FA with passkeys, security headers, and country blocking. For most WordPress sites, especially those on managed hosting with server-level backups and malware scanning, WP Ghost alone provides sufficient protection. If your hosting does not include malware scanning or file integrity monitoring, pairing WP Ghost with a scanning plugin gives you the most complete security setup.

When …

… freelancer and developer activity across client sites. Multi-author blogs can monitor who publishes, edits, and deletes content. WooCommerce stores can track admin actions like product changes and order modifications. Any site that gives dashboard access to more than one person benefits from the accountability and auditability the Events Log provides.

Frequently Asked Questions

Is this a free or Premium feature?

The User Events Log is a WP Ghost Premium feature. The free version includes path security, firewall, brute force protection, and 2FA, but not event logging. The free version does include the last 20 entries in the Security Threats

… that makes scanners report Drupal or Joomla instead of WordPress, security headers (HSTS, CSP, X-Frame-Options) that protect the browser layer, 2FA with passkeys (Face ID, Touch ID, Windows Hello) which most security plugins do not offer, and country blocking for geographic access control (Premium).

How to Use Both Without Conflicts

WP Ghost overlaps with other security plugins on a few features: brute force protection, login path changes, and 2FA. The rule is simple. Enable each overlapping feature in only one plugin. Let WP Ghost handle path security (its core strength) and brute force protection (since it pairs …

… WP Ghost for security (by activating Safe Mode or Ghost Mode and changing your WordPress paths), you automatically hide from theme detectors as a side effect. The path changes that prevent bots from finding your plugins and themes also prevent detection tools from identifying them. The firewall, brute force protection, 2FA, and security headers add further protection layers. You do not need to choose between security and privacy. The security configuration gives you both.

For the complete security setup, see the WP Ghost Tutorial. For the recommended configuration, see the Best Practice guide.

Frequently Asked Questions

Are most attacks really …

Yes. Hiding the WordPress login page is one of the most effective single steps you can take against automated brute force attacks. Bots target /wp-login.php and /wp-admin on every WordPress site because these paths are identical on every default installation. When WP Ghost changes the login path to a custom URL, bots scanning for the default path get a 404 error and move on. But hiding the login is only one layer. For real security, you need path changes for all WordPress paths, a firewall, brute force protection, and 2FA working together.

Why Hiding the Login Path …

… and time-consuming. WP Ghost makes it maintainable.

Frequently Asked Questions

Is hiding WordPress the same as “security through obscurity”?

No. WP Ghost provides path security, not obscurity. It doesn’t just hide one signal and hope for the best. It changes paths at the server level, blocks injection attempts with the 7G/8G firewall, protects logins with 2FA and brute force limits, and enforces security headers. Hiding paths removes the attack surface that bots rely on. The firewall catches anything that gets through. It’s layered defense, not a single trick.

Will this affect my SEO?

No. WP Ghost

… It also includes a 7G/8G firewall, brute force protection with reCAPTCHA, 2FA with passkeys, security headers, and country blocking (Premium). Together, these features provide comprehensive hack prevention. For sites that also need malware scanning, pair WP Ghost with a scanning plugin or managed hosting. See the compatible plugins list.

Does WP Ghost modify WordPress core files?

No. All changes are applied through server rewrite rules and WordPress filters at runtime. No files are renamed, moved, or modified. Deactivating WP Ghost restores every default path and fingerprint instantly.

… thousands of times per hour, trying common username and password combinations. When that URL doesn’t exist, bots can’t find the login form and move on to the next target.

Changing the login path eliminates the highest-volume attack vector on your site. Combined with brute force protection and 2FA, your login page becomes virtually impenetrable to automated attacks.

Frequently Asked Questions

What if I forget my custom login URL?

Bookmark it immediately after saving. If you do forget it, you can use the emergency disable method (rename the plugin folder via FTP) to restore the default path. You …

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

Yes. WP Ghost can hide and customize the wp-admin path on Nginx servers. The full path-hiding features (Safe Mode and Ghost Mode) require shell access to add one include line to your Nginx configuration and reload the service. If you don’t have shell access, WP Ghost still provides custom login paths, brute force protection, firewall, 2FA, and other features that work without config changes.

How Does WP Ghost Work on Nginx for wp-admin …

… path.

This is useful for membership sites, WooCommerce stores, and multi-author blogs where subscribers and customers should not see the admin backend. Those users can still access their profile pages and any frontend-facing dashboards provided by your theme or plugins. For the full admin path configuration, see the Change wp-admin Path tutorial.

Additional Layers for Admin Security

The hidden admin path is one layer. For complete admin security, WP Ghost provides several additional protections that work together. Change the login path so bots cannot find the authentication form. Enable brute force protection with reCAPTCHA to limit …

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

Yes. WP Ghost fully supports hiding and customizing the wp-admin path on Nginx servers. After saving your custom paths in WP Ghost, add the generated include line to your Nginx server block and reload the service. Shell access is required. For managed Nginx hosting without shell access, use the Minimal preset for login, firewall, and 2FA features that work without config changes.

For the complete setup guide, see how to configure WP Ghost for Nginx servers …

… WordPress dashboard. Select “Post Name” (the option that shows ). Click Save Changes. WordPress generates the necessary rewrite rules automatically.

Important: If your site already has indexed pages with the old URLs, WordPress handles the redirects automatically. Old URLs will redirect to the new pretty URLs. If you have an established site with external links pointing to the old format, consider setting up a redirect plugin to ensure all old URLs resolve correctly.

After changing your permalink structure, go to WP Ghost > Change Paths and click Save to regenerate WP Ghost’s rewrite rules for the new URL structure. Then …

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

Yes. WP Ghost fully supports WordPress Multisite. It works with both subdomain and subdirectory configurations. You install and configure WP Ghost once at the network level through Network > Plugins, and the security settings apply across all subsites. A Multisite network counts as one site for licensing purposes.

How Does WP Ghost Work on Multisite?

WP Ghost is network-activated through Network > Plugins. Once activated, you configure it from the Network Admin dashboard. All security settings (path changes …