Search: firewall

139 results

How Do I Make My WordPress Site Invisible?

… bookmark your new login URL so you don’t lose access.

Step 3 – Hide Old Paths and Enable the Firewall

Changing paths creates new URLs, but the old ones might still respond. Enable Hide WordPress Common Paths to return a 404 on the original paths. Then go to WP Ghost > Firewall and activate the 8G Firewall to block SQL injection, script injection, and other common attacks at the server level.

You can also enable Block Theme Detectors Crawlers and Block AI Crawler Bots from the Firewall page to stop detection services and AI scraping bots from accessing your site entirely …

How to Use WP Ghost on Nginx Hosting Without Editing Config Files

Quick summary: Use WP Ghost on Nginx hosting without editing nginx.conf by loading the Minimal (No Config Rewrites) preset. You still get custom login paths, brute force protection, firewall, 2FA, security headers, and version hiding – all through WordPress hooks, no server config changes needed.

Why Some Nginx Hosts Block Config Editing

Many Nginx hosting environments do not give you access to the server configuration. Managed WordPress hosts like Kinsta, WP Engine, Flywheel, and Cloudways manage the Nginx config …

What Is the Best Plugin for Cloaking WordPress?

… different CMS. You can select Drupal or Joomla from the built-in presets or add a custom generator name using a filter. See the CMS Simulator tutorial for details.

Additional protection layers. Cloaking is WP Ghost’s foundation, but the plugin goes well beyond it. It includes 7G and 8G firewall rules, brute force protection with reCAPTCHA, two-factor authentication (code, email, and passkeys), security headers, country blocking (Premium), and IP block automation. These layers handle anything that gets past the cloaking, like targeted manual attacks or zero-day exploits.

How to Set Up WordPress Cloaking with WP Ghost

Install …

How Do I Hide My WordPress Site from the Public?

… IP address (see the whitelisting section below) for an even tighter lockdown.

How Do I Restrict Access to Specific IP Addresses Only?

If you and your team work from fixed IP addresses, you can whitelist only those IPs and block everyone else. WP Ghost includes IP whitelisting under WP Ghost > Firewall > Whitelist. Add your IP address (and your team’s IPs) to ensure only authorized users can access the site. Combined with brute force protection and the firewall, this creates a tight development environment.

Keep in mind that IP whitelisting only works reliably if you have a static IP. If …

How to Disable WP Ghost on Specific Pages in WordPress

Exclude specific pages from WP Ghost’s path rewriting using the built-in Whitelist Paths option, or use the hmwp_process_init filter in functions.php for more granular control based on …

How to Add a Custom Config File for WP Ghost on Nginx Servers

… user has write access to that directory.

Do I need to restart Nginx every time I change WP Ghost settings?

Only when you change settings that affect path rewrite rules (login path, admin path, plugins path, themes path, etc.). Changes to settings like brute force protection, 2FA, security headers, or firewall level do not require an Nginx restart because those features operate at the WordPress application level.

What if I cannot access SSH on my server?

This tutorial requires SSH access. If your hosting does not provide SSH, you likely need to contact your hosting support to add the …

How to Set Up Plesk to Work as Apache for WP Ghost Path Security

If your hosting uses Plesk with Nginx, configure Plesk to pass all requests through Apache so WP Ghost can write its path security and firewall rules to .htaccess. Then set the server type to Apache in WP Ghost settings.

Why This Configuration Is Needed

Many Plesk hosting environments run Nginx as a front-end proxy with Apache handling the backend. By default, Nginx may serve static files (CSS, JS, images) directly, bypassing Apache entirely …

Why Do Detectors Like IsItWP Still Show WordPress CMS?

… Ghost can block the crawlers used by CMS detection services before they even reach your site. Go to WP Ghost > Firewall > Header Security and switch on Block Theme Detectors Crawlers. This blocks crawlers from WPThemeDetector, BuiltWith, IsItWP, Wappalyzer, WhatCMS, WP Detector, Scan WP, and others.

Blocking the crawlers means they can’t gather new data about your site. Combined with path changes and fingerprint removal, this gives you the strongest possible protection against CMS identification. For full firewall configuration details, see the firewall tutorial.

Frequently Asked Questions

How long do I need to wait for cached detectors to update …

How Do I Hide My WordPress Site from Hackers and Bots?

… IPs and user agents at the firewall level before they can scan your site. For an additional layer, activate the CMS Simulator from WP Ghost > Change Paths to make detectors report Drupal or Joomla instead of WordPress. See the Hide from WordPress Theme Detectors tutorial for the complete checklist.

Add firewall and security headers. Path security handles the hiding, but a complete setup also includes the 7G/8G firewall (blocks SQL injection, XSS, and malicious payloads), security headers (HSTS, CSP, X-Frame-Options), and brute force protection. These layers protect against attacks that go beyond CMS detection. See the Firewall

Is My Website Loading Slower with WP Ghost?

… LiteSpeed Cache, Breeze, W3 Total Cache, etc.), the first page load gets cached with the new paths already applied. Every subsequent visitor receives the cached version, which means zero additional processing from WP Ghost.

Can WP Ghost Actually Make My Site Faster?

Yes, in two ways. First, WP Ghost’s firewall and path security block malicious bots before they reach your PHP files. Bots that can’t find your login page, admin path, or wp-content directory get a 404 and move on. Your server doesn’t waste resources processing thousands of junk requests from automated scanners. On sites that …

Cloud Panel Server - WP Ghost Setup Guide (Nginx Vhost Configuration)

… does on Apache servers. Instead, WP Ghost generates a separate config file called that contains all the Nginx rewrite rules. You need to tell Cloud Panel to load this file by adding one line to your site’s Vhost configuration.

Once that is done, every WP Ghost feature works on Cloud Panel: path security, firewall, brute force protection, 2FA, security headers, and more. The only exception is the custom wp-admin path, which has a known limitation on this server type.

| Server Type | How WP Ghost Applies Rules | Manual Step Required |
|---|---|---|
| Apache | Writes to .htaccess automatically | None |
| Cloud Panel (Nginx) | … | … |

How to Disable WP Ghost for Specific User Roles in WordPress

Moved: This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

Quick summary: You can disable WP Ghost’s path security for specific user roles by adding a code snippet to your theme’s functions.php file. For IP-based access control, use the built-in whitelist feature in WP Ghost > Firewall > Whitelist instead.

Why Disable WP Ghost for Certain User Roles

WP Ghost changes and secures WordPress paths for everyone visiting your site. That is exactly what you want for public visitors and bots. But in some …

Most Popular WordPress Theme Detectors and How to Hide from Them

… WP Ghost changes all default WordPress paths (/wp-content/, /wp-admin/, /wp-includes/, plugin and theme directory names), removes WordPress fingerprints from the HTML source (generator meta, version tags, style IDs, HTML comments), replaces CSS class names and JavaScript handles using Text Mapping, blocks theme detector crawlers directly at the firewall level, and returns 404 errors for all old default paths.

The result: every real-time theme detector returns “no WordPress detected” or “no theme found.”

For the complete step-by-step configuration, follow the Hide Your Site From Theme Detectors and Hackers Bots tutorial. To verify your setup is …

How to Protect Your WordPress Website from Hackers

… things: the site runs WordPress, and the site is likely vulnerable to known exploits. If they can’t find the door, they can’t break it.

What Are the Four Layers of WordPress Security?

Layer 1 – Secure Hosting

Your hosting provider is the foundation. A secure host provides server-level firewalls, malware scanning, automatic security patches, SSL certificates, and process isolation between accounts. WordPress-dedicated hosting companies like WP Engine, InMotion, and Cloudways offer managed security with automatic updates and daily backups included. Always choose a host with daily backups. If your site is ever compromised, a recent backup is …

Does WP Ghost Work With WP Umbrella?

… php does not affect its connection.

Does WP Umbrella need XML-RPC enabled?

No. WP Umbrella uses the REST API for communication, not XML-RPC. You can safely disable XML-RPC in WP Ghost without affecting WP Umbrella. See the Disable XML-RPC tutorial for details.

Will WP Ghost’s firewall block WP Umbrella?

Not by default. The 7G/8G firewall rules target malicious request patterns, not legitimate API traffic. If you experience issues, check whether you have IP-based restrictions or overly strict security headers enabled. You can whitelist WP Umbrella’s IP addresses in WP Ghost > Firewall > Whitelist …

How to Check If .htaccess Is Working with AllowOverride All for WordPress

WP Ghost needs .htaccess and mod_rewrite to work on Apache servers. Test both with the methods below, and if they are not enabled, set AllowOverride All in your Apache configuration.

Why This Matters for WP Ghost

WP Ghost writes its path security and firewall rules directly into the .htaccess file on Apache and LiteSpeed servers. If your server ignores .htaccess or does not have mod_rewrite enabled, none of these rules will take effect. Your paths will not change, the firewall will not filter requests, and your site will remain exposed to bot …

Does HMWG work with Elementor Custom Icons?

Yes, WP Ghost works with Elementor Pro’s custom icons feature. Custom icon sets upload and display correctly with all WP Ghost security options active. The icon fonts load through your uploads directory, and WP Ghost’s rewrite rules serve them through the new paths without any issues.

How Elementor Custom Icons Work with WP Ghost

Elementor Pro lets you upload custom icon font packages (ZIP files containing font files and CSS) and use them in your designs. When you upload an icon set, Elementor stores the font files in your directory. WP Ghost changes the uploads path along with …

How to Set Up WP Ghost on Ploi.io Hosting - Nginx Setup Guide

… works.

Paths not changing after saving Nginx configuration. Make sure the include directive points to the correct absolute path of the hidemywp.conf file. The path must match the actual server directory where WordPress is installed. Check the Ploi file manager to verify the hidemywp.conf file exists and is not empty.

Login page does not load. Wait a moment for Ploi to apply the Nginx changes. If the issue persists, verify the include line is placed before the SSL definition in the Nginx config. Also clear any server-level or WordPress cache.

Locked out completely. Add to wp …

How to Set Up WP Ghost on WPMUDEV Hosting - Nginx Setup Guide

… Select Safe Mode (recommended for WPMUDEV) or Ghost Mode (Premium).

3. Customize your paths as needed.

4. Click Save. WP Ghost generates the hidemywp.conf file with all the necessary Nginx rewrite rules.

Step 2 – Download the hidemywp.conf File

5. Go to your website’s root directory using your hosting File Manager or sFTP.

6. Download the hidemywp.conf file. This file is located in the same directory as wp-config.php.

Step 3 – Send the File to WPMUDEV Support

7. Open a support ticket with WPMUDEV support.

8. Attach the hidemywp.conf file and ask them to …

Is WP Ghost Compatible with Kinsta Hosting?

… server. Only the host can add rules to the Nginx config and restart the Nginx service.

Step 4 – Backup and Deactivate While Waiting

Before Kinsta applies the changes, back up your WP Ghost settings from WP Ghost > Backup/Restore and deactivate the plugin. This prevents any path conflicts while the rewrite rules aren’t yet loaded on the server. Keep the plugin deactivated until Kinsta confirms the rules are in place.

Step 5 – Activate and Restore

Once Kinsta confirms the rules have been added, activate WP Ghost again and restore your saved settings from WP Ghost > Backup/Restore. Then …

Does WP Ghost Work With BuddyBoss?

Yes. WP Ghost is compatible with the BuddyBoss platform including the BuddyBoss Theme. Social networking features, community tools, groups, forums, and membership functionality all work normally with WP Ghost’s path security active. One important note: leave the REST API path unchanged and do not disable REST API access if you use the BuddyBoss App or any BuddyBoss feature that relies on remote API access.

What Works

WP Ghost has been tested with the BuddyBoss website platform …

Does WP Ghost Come With a License Transfer System?

… priority support become unavailable. The new owner would need to reactivate the plugin with their own license or continue using the free version with its 115+ features.

Frequently Asked Questions

Can I move my license from one site to another?

Yes. Go to your WP Ghost Dashboard, delete the connected website you want to remove, and then activate the license on the new site using your activation token. The license slot becomes available immediately after deletion. See the Activate on a New Website guide for step-by-step instructions.

Will the new owner get support?

Support is provided to …

Will There Be Issues If I Stop Using WP Ghost?

No. All WP Ghost settings are fully reversible. When you deactivate the plugin, every path change, firewall rule, security header, and configuration option reverts to WordPress defaults instantly. When you delete the plugin, it is as if WP Ghost was never installed. Your site returns to its exact state before WP Ghost was added.

What Happens When You Deactivate WP Ghost

The moment you deactivate WP Ghost from the Plugins page, all changes are reversed automatically. Your …

Does WP Ghost Write Code into PHP Files?

No. WP Ghost does not write code into any PHP files. It never modifies, edits, or injects anything into WordPress core files, theme files, or plugin files. All path changes and security features work through server rewrite rules and WordPress runtime filters. Deactivating WP Ghost rolls back everything instantly.

How Does WP Ghost Change Paths Without Modifying PHP Files?

WP Ghost uses two mechanisms to change your WordPress paths, and neither one touches your PHP files.

The …

Does WP Ghost Protect Against Clickjacking?

… (same as SAMEORIGIN). This directive is supported by all modern browsers and provides more granular control.

How to Enable Clickjacking Protection

Go to WP Ghost > Firewall > Header Security. Switch on Add Security Headers for XSS and Code Injection Attacks. Click Save. This enables all seven security headers at once, including X-Frame-Options set to SAMEORIGIN. You can verify the header is active by visiting SecurityHeaders.com and entering your domain. For the full header configuration guide, see the Security Headers tutorial.

If you use iframes on your own site (some page builders and admin panels require them), keep …

Does WP Ghost Work on Shared Hosting Plans?

… you don’t have Nginx config access (common on managed and shared Nginx hosting): Contact your host’s support team and ask them to add the include for you. Alternatively, use WP Ghost’s features that work without server config changes. Custom login paths, brute force protection, the 8G firewall, two-factor authentication, security headers, and version hiding all run through WordPress hooks and work on any server without config access.

WP Ghost includes a Minimal (No Config Rewrites) preset for exactly this situation. For the complete guide, see using WP Ghost on Nginx without config changes.

How Do …

Does WP Ghost Work on SiteGround Hosted Websites?

Yes. WP Ghost is fully compatible with SiteGround hosting. WP Ghost includes a dedicated SiteGround server profile that auto-configures the correct rewrite rules for SiteGround’s Nginx and Apache combination. No manual server configuration is needed. Path security, firewall, brute force protection, 2FA, and all other features work out of the box.

How WP Ghost Works on SiteGround

SiteGround uses Nginx as a reverse proxy in front of Apache. WP Ghost detects this setup and writes …