Search: error

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

Go to WP Ghost > Change Paths > API Security, switch on Disable XML-RPC Access, and click Save. That is it. The xmlrpc.php file will return a 404 error for all requests, blocking brute force amplification attacks, pingback DDoS abuse, and username enumeration through this endpoint.

Why You Should Disable XML-RPC

XML-RPC is WordPress’s legacy remote communication protocol. It was built before the REST API existed and is rarely needed on modern sites. The …

… way PHP files or JavaScript files do. Hiding them is not necessary to increase your WordPress protection. The main reason WP Ghost excludes images from the Hide File Extensions list by default is SEO: if Google has already indexed your images under the old paths, hiding them returns a 404 error. Anyone landing on your site through Google Images would see a broken page.

Even without hiding images, Google will eventually re-index all your media with the new custom paths over time. If you want to speed that process up, resubmit your sitemap in Google Search Console after changing …

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

This happens because the “Hide the New Admin Path” option is enabled in WP Ghost. When this option is active, your custom admin path is treated as a hidden path, so visitors who are not logged in get redirected to the front page (or a 404 error) instead of the login form. To fix it, go to WP Ghost > Change Paths > Admin Security and switch off “Hide the New Admin Path.”

Why This Redirect Happens

WP Ghost …

… security headers. Your site immediately becomes visible to bots scanning for default WordPress paths. If you bookmarked or shared your custom login URL, that URL will stop working since the path reverts to . Make sure you know the default login URL before deactivating.

If you are deactivating temporarily for troubleshooting, consider using the emergency disable method or adding to wp-config.php instead. This disables WP Ghost at runtime without fully deactivating it, making it easier to re-enable once the issue is resolved.

Frequently Asked Questions

Will deactivating WP Ghost cause 404 errors on my site?

Not on …

… working normally. The WP Ghost plugin stays installed on their site, but it displays an activation prompt telling the client they need to reconnect. They won’t be able to use WP Ghost features until they enter a valid activation token.

The custom paths will change back to WordPress default paths once the client accesses the WP Ghost plugin settings on their site. This prevents any errors that might appear from running custom paths without an active license.

What Happens to the Client’s Settings and Configuration?

When you disconnect a website from the WP Ghost Dashboard, the plugin’s

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

Yes. WP Ghost significantly reduces bot traffic by eliminating the WordPress fingerprints that bots look for. When bots probe standard paths like /wp-admin, /wp-login.php, or /wp-content/plugins/ and receive a 404 error instead of a valid response, they move on to the next target. The result is a measurable drop in malicious bot requests, reduced server load, and lower resource consumption, which directly helps with inode quota and bandwidth issues caused by bot …

… quickly, include the following in your message: the name and version of the conflicting plugin or theme, which WP Ghost security level you are using (Safe Mode or Ghost Mode), which specific WP Ghost settings you have changed from the defaults, what happens when the conflict occurs (error message, broken functionality, white screen, etc.), and whether the issue stops when you deactivate WP Ghost temporarily.

Premium subscribers receive priority support with typical response times of 24-48 hours during business days. Free users can report issues through the WordPress.org support forum.

Frequently Asked Questions

Will the WP Ghost …

… automatically. If the bot finds nothing recognizable, it skips your site entirely.

WP Ghost fills that gap by making your site invisible to the reconnaissance step. It changes all default paths, removes CMS fingerprints from the page source, and blocks access to common WordPress files. Bots scanning for standard WordPress structure get 404 errors and move on.

What WP Ghost Adds to Your Existing Stack

No matter what security tools you already use, WP Ghost adds these layers that the others typically do not provide.

Attack surface reduction. WP Ghost changes over 30 WordPress paths including admin, login, plugins (with

… security headers, or simulate a different CMS. Your site’s WordPress structure remains fully visible to bots and scanners even with Wordfence active.

What WP Ghost Adds

WP Ghost fills the prevention layer that Wordfence leaves open. It changes over 30 default WordPress paths, hides individual plugin and theme names with random codes, strips CMS fingerprints from the HTML source, blocks access to common WordPress files, and can simulate a different CMS like Drupal or Joomla. When a bot scans for or , it gets a 404 error. The bot cannot confirm WordPress and cannot load its exploit toolkit. The attack

… privilege escalation attacks if a plugin has a vulnerability that lets a subscriber account gain admin access.

How Does Changing the Registration Path Stop Spam Bots?

WP Ghost replaces the default URL with a custom path that only you know. Bots that try the default registration URL get a 404 error. They can’t find where to sign up, so they can’t create fake accounts. This single change eliminates the vast majority of automated spam registrations because bots follow scripts and those scripts target the default path.

To change the registration path, go to WP Ghost > Change Paths > Login …

… blocking thresholds: how many attacks trigger a block, the time window, and the block duration. Add custom blacklists and whitelists for IPs, user agents, and referrers.

Brute force protection. Select the reCAPTCHA type (Math, Google V2, Google V3, or Enterprise). Set the maximum number of failed login attempts, the lockout duration, and custom error messages. Enable or disable protection individually on login, lost password, registration, comment, and WooCommerce login forms.

Two-factor authentication. Choose a single 2FA method (authenticator app, email, or passkey) or enable User Choice so each person selects their own. Configure max failed 2FA attempts and …

… locations.

The firewall runs early and exits fast. The 7G/8G firewall filters malicious requests at the WordPress init level. Blocked requests are rejected immediately with minimal processing. Legitimate requests pass through with negligible overhead, just a few string comparisons against known attack patterns.

No file scanning on every page load. WP Ghost does not scan your file system, check file hashes, or run database queries on every visitor request. The Security Check feature runs on-demand when you trigger it, not continuously in the background.

Bot traffic reduction frees up resources. By returning 404 errors to bots scanning for

… Change Paths > WP Core Security and include media files in the configuration. When enabled, old media URLs are automatically redirected to the new paths. This ensures search engines and visitors are seamlessly redirected without encountering errors.

For most sites, leaving existing media on their original paths is the recommended approach. The redirect option is available for users who want maximum path consistency and are willing to wait for search engines to reindex the new URLs. For details on redirecting image paths, see the Redirect Images from Old Paths to New Paths tutorial.

Frequently Asked Questions

Will my Google Image …

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

No. WP Ghost does not affect your SEO rankings. It doesn’t change your public-facing page URLs, post slugs, or any content that search engines use for indexing. JSON-LD, schema markup, Open Graph tags, Twitter Cards, meta titles, meta descriptions, and all structured data remain untouched. WP Ghost only changes internal WordPress infrastructure paths (wp-content, wp-includes, plugins, themes), which have no influence on rankings.

What Does WP Ghost Change and What Does It …

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

WP Ghost blocks automated comment spam bots and reduces spam from bots that target your site based on its CMS identity, but it does not filter contact form submissions. For automated WordPress comment spam, WP Ghost is effective. For contact form spam, you need a dedicated anti-spam plugin alongside WP Ghost.

What WP Ghost Does Against Spam

WP Ghost addresses spam at the bot level in several ways.

Blocks automated comment spam bots. WP Ghost changes …

… or config files on Nginx) and WordPress hooks. When WP Ghost is deactivated, the rewrite rules are removed and the hooks stop running. There is nothing to “undo” because nothing was permanently changed. The reversibility is a direct result of the architecture: runtime changes, not file modifications.

If You Cannot Access the Dashboard

If a setting causes a conflict and you cannot reach the WordPress admin to reverse it, WP Ghost provides multiple emergency recovery methods. Use the Safe URL parameter to bypass all protections for a single request. Use the Pause 5 Minutes button on the Plugins page …

… everything.

When Should I Use This Technique with WP Ghost?

This is useful when you suspect a plugin conflict after activating WP Ghost’s Safe Mode or Ghost Mode. If your site layout breaks, pages return 404 errors, or specific functionality stops working, deactivating all plugins helps you determine whether WP Ghost or another plugin is causing the issue.

However, WP Ghost also provides easier recovery methods that don’t require FTP access. You can use the Safe URL parameter to temporarily bypass WP Ghost for a single request, or the Pause 5 Minutes button in the Plugins list …

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

Both, but for different reasons. Hiding from hacker bots is the security priority: it prevents automated attacks by removing the WordPress fingerprints bots use to identify targets and load exploits. Hiding from theme detectors is a branding and privacy choice: it prevents competitors, scrapers, and visitors from seeing your technology stack. WP Ghost handles both, and the security setup also covers the detector-hiding as a side effect.

Hiding From Hacker Bots: The Security Priority

The vast …