Search: firewall

… plugin interface displays in English. You can contribute a translation for your language through the WordPress.org translation platform. All security features work identically regardless of language.

Does the language setting affect security features?

No. Language settings only change the text displayed in the WP Ghost admin interface. Path security, firewall rules, brute force protection, 2FA, and all other security features work the same way in every language.

Does WP Ghost modify WordPress core files?

No. WP Ghost uses server rewrite rules and WordPress filters to change paths and block threats at runtime. No core files, theme files, or plugin …

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

Yes, WP Ghost is compatible with the AppMySite plugin. AppMySite communicates with your WordPress site through the REST API, so you need to keep the REST API path at its default and not disable REST API access. All other WP Ghost features, including path security, firewall, brute force protection, and 2FA, work alongside AppMySite without conflict.

What to Keep in Mind

AppMySite turns your WordPress site into a mobile app by pulling content, products, and user data …

… Add to .htaccess?

WP Ghost adds two types of rules to your file. The first is URL rewrite rules that map your custom paths (like a custom login URL or custom wp-content path) to the original WordPress file locations. The second is security filter rules from the 7G/8G firewall that block malicious requests at the server level before PHP even loads.

All WP Ghost rules are placed between clearly marked comments: and . This makes them easy to identify and ensures they don’t mix with WordPress core rules or rules from other plugins.

Does WP Ghost Change Any …

… paths, bots scanning for , , , , and get a 404 error. A 404 response uses minimal server resources compared to loading a full WordPress page. The bot cannot confirm the site runs WordPress, so it skips to the next target. This alone eliminates the majority of automated reconnaissance traffic.

The 7G/8G firewall blocks malicious request patterns. Bots that attempt SQL injection, XSS, file inclusion, or directory traversal attacks are blocked at the server level before WordPress even loads. These blocked requests consume almost no server resources because they are rejected before any PHP execution.

Brute force protection stops login bots. Bots …

… 404. To keep them working, use the redirect from old paths feature instead of hiding.

What About PDFs Embedded in Iframes?

PDF embeds work the same way as links. The URL in the iframe source is rewritten to use the new path. However, if you’ve enabled the X-Frame-Options: SAMEORIGIN security header in WP Ghost > Firewall > Header Security, iframes loading content from external domains may be blocked. This is a security feature that prevents clickjacking, not a bug. If you need to embed PDFs from external sources, adjust the X-Frame-Options setting. For details, see the …

… on one site, fine-tune all the paths, firewall rules, brute force settings, and security headers until everything is perfect. Create a backup. Then import that backup on every other site you manage. Instead of configuring each site from scratch, you apply a proven setup in seconds. This works across hosting providers and server types, although you should run a Security Check after restoring on a new server to confirm everything works correctly.

Save a known-good configuration before testing changes. Before experimenting with new path configurations, firewall rules, or security settings, create a backup of your current working setup.

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

Yes. WP Ghost is designed so you can go from zero protection to fully configured in under a minute. No coding skills required. You select a security level, the plugin fills in all the custom paths automatically, and you click Save. For users who want even faster setup, four one-click presets configure the entire security stack, including firewall, brute force, and 2FA, with a single button.

How Quickly Can I Set Up WP Ghost?

Most users …

… file integrity monitoring (alerts you when core files change), malware scanning (checks for known malicious code), security activity auditing (logs security-related events), blacklist monitoring (checks if your domain is flagged by Google or other blocklists), and post-hack cleanup tools. Sucuri Pro adds a cloud-based WAF (Web Application Firewall) that filters traffic before it reaches your server.

What Sucuri does not do is change your WordPress paths, hide your plugin and theme names, remove CMS fingerprints from your page source, or prevent bots from identifying your site as WordPress. It detects and responds to threats after they appear …

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

WP Ghost (formerly Hide My WP Ghost) and the CodeCanyon “Hide My WP” plugin are two separate products by different developers. Despite the similar names, WP Ghost offers significantly more features, broader plugin and server compatibility, and is available directly from the WordPress plugin directory with a free version.

WP Ghost includes 150+ premium features covering path security, 7G/8G firewall, brute force protection, two-factor authentication (including passkeys with Face ID and Touch ID), security headers …

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

WP Ghost is a superset of WP Hide and Security Enhancer. Every feature WP Hide offers (path security and HTML cleanup) is included in WP Ghost, plus WP Ghost adds a 7G/8G firewall, brute force protection, two-factor authentication with passkeys, security headers, country blocking (Premium), IP blacklist/whitelist, text and URL mapping, activity logs, and email alerts. If you already have WP Hide, WP Ghost replaces it entirely. If you use both, disable path security …

… a breach, WP Ghost reduces your attack surface so bots cannot find your WordPress structure in the first place. This is the missing layer in most security stacks: stopping the reconnaissance step that precedes every automated attack.

The Gap in Most Security Stacks

A typical WordPress security setup includes a firewall (Wordfence, Sucuri, or your hosting provider’s WAF), malware scanning, login protection, and regular backups. These are all reactive layers: they detect threats after they arrive, block known attack patterns, and help you recover when something gets through. What they do not do is prevent bots from discovering your …

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

WP Ghost and CloudFilt serve different purposes. CloudFilt is a cloud-based web application firewall (WAF) that filters traffic at the network level before it reaches your server. WP Ghost is a hack-prevention plugin that works at the WordPress application level, hiding paths, blocking bots, and hardening your site’s configuration. They can work together as complementary layers, and WP Ghost offers significantly more WordPress-specific security features.

What Does CloudFilt Do?

CloudFilt is a cloud …

WP Ghost and Clearfy serve different purposes. Clearfy is a WordPress optimization and cleanup plugin that includes some basic security features. WP Ghost is a dedicated hack-prevention plugin focused on attack surface reduction. While they share a few overlapping features like hiding the login page and removing WordPress fingerprints, WP Ghost provides significantly deeper security coverage including full path security for 30+ paths, 7G/8G firewall, brute force protection, 2FA with passkeys, security headers, and country blocking.

Different Tools for Different Jobs

Clearfy is primarily a WordPress optimization plugin. Its main focus is cleaning up WordPress output: removing unnecessary …

… and response. Together, they cover the full security lifecycle.

Which Security Plugins Work Best Alongside WP Ghost?

WP Ghost has been tested with all the major security plugins. Here are the recommended pairings, each with a dedicated compatibility guide:

Wordfence is the most popular choice. It provides an application-level firewall, malware scanner, live traffic monitoring, and threat intelligence updates. WP Ghost handles path security and server-level firewall. Wordfence handles malware scanning and application-level monitoring. They work at different layers without conflict when configured to avoid feature duplication.

Solid Security (formerly iThemes Security) is strong on WordPress hardening …

… feature overlap. WP Ghost includes its own 7G/8G firewall, brute force protection, and 2FA. Wordfence and Sucuri also include firewalls and login protection. When running both, disable the overlapping feature in one plugin. For example, let WP Ghost handle brute force protection (since it pairs with the hidden login path) and let Wordfence handle its application-level firewall and malware scanning. The key rule is: never enable the same feature in two plugins simultaneously.

Replaces: WP Ghost can work as a standalone security plugin. With 115+ free features including path security, 7G/8G firewall, brute force protection, 2FA with

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

WP Ghost provides three layers of monitoring: the Security Threats Log tracks blocked external attacks, the User Events Log tracks internal user activity, and email alerts notify you in real time when critical events happen. Together, they give you full visibility into both who’s attacking your site and what your users are doing inside it.

What Does WP Ghost Monitor for External Threats?

The Security Threats Log records every malicious request that WP Ghost’s firewall …

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

WP Ghost and Wordfence are compatible and work well together. They approach WordPress security from different angles: Wordfence is a reactive security plugin focused on threat detection, firewall rules, and malware scanning. WP Ghost is a proactive hack-prevention plugin focused on attack surface reduction. Wordfence blocks known threats as they arrive. WP Ghost prevents bots from discovering what to attack in the first place. Running both gives you defense in depth.

What Wordfence Provides

Wordfence is …

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

WP Ghost is fully customizable. Every feature can be turned on or off individually, every path can be set to a custom value or left at default, and security presets let you load a complete configuration with one click and adjust from there. You control exactly which protections are active and how aggressive they are, from a single hidden login path to full Ghost Mode with firewall, 2FA, and country blocking.

Start Simple, Customize as You Go …

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

No. WP Ghost is designed to be lightweight and has no measurable impact on page load times. It uses server-level rewrite rules and WordPress filters instead of heavy file scanning or database checks on every request. The path changes and firewall rules run at the rewrite layer before WordPress fully loads, so your visitors experience no delay. Many users actually see a slight speed improvement because WP Ghost blocks bot traffic that would otherwise consume server …

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

Because 2FA only protects the login form. It does not protect the rest of your WordPress attack surface. Bots target far more than your login page: they probe plugin paths for known vulnerabilities, scan theme files for exploits, abuse XML-RPC for brute force amplification, and access the REST API to enumerate usernames. A 2FA plugin does nothing against any of these attack vectors. WP Ghost covers them all.

What 2FA Protects (and What It Doesn’t …

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

WP Ghost is a security plugin, not a performance plugin. But several of its features have a direct positive impact on site speed. Disabling unnecessary WordPress scripts removes render-blocking resources from every page. The firewall rejects malicious requests at the server level before PHP loads. And hiding WordPress paths eliminates bot traffic that wastes server resources. Here are the specific features that improve performance.

How Does Disabling Unnecessary Scripts Improve Speed?

WordPress loads several scripts and …

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

Yes. WP Ghost is fully compatible with Solid Security (formerly iThemes Security). The two plugins complement each other: Solid Security focuses on WordPress hardening, password policies, and file monitoring. WP Ghost focuses on attack surface reduction by changing WordPress paths and adding firewall rules. Running both gives you defense in depth, as long as you avoid enabling the same feature in both plugins.

What Solid Security Provides

Solid Security (renamed from iThemes Security in November 2023 as …

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

No. WP Ghost is not designed to replace Solid Security (formerly iThemes Security). They serve different purposes and work best together. WP Ghost handles hack prevention by hiding paths and blocking bots at the server level. Solid Security handles WordPress hardening, password policies, file change detection, and malware scanning. Using both gives you defense in depth: WP Ghost stops attacks at the door, Solid Security monitors what happens inside.

What Does Each Plugin Handle?

WP Ghost focuses …

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

Yes. WP Ghost works with Cloudflare without issues. WP Ghost includes CDN URL Mapping that ensures your custom paths are correctly reflected in CDN-served files. After changing paths in WP Ghost, purge the Cloudflare cache so the new URLs are served from the CDN. No special Cloudflare configuration is required beyond a standard cache purge.

How WP Ghost Works With Cloudflare

Cloudflare sits between your server and your visitors as a reverse proxy and CDN. It …

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

Yes. WP Ghost’s core security features (path changes, firewall, security headers, version hiding) don’t collect or store any personal data. The features that do collect data (brute force protection, Events Log, cloud storage) are all optional and configurable, and WP Ghost provides clear controls over what data is collected, where it’s stored, and when it’s deleted. Here’s the full breakdown.

Which WP Ghost Features Collect Personal Data?

Most of WP Ghost’s …

… transition, see the redirect images from old paths guide.

Does WP Ghost Affect Sitemaps, Feeds, or Robots.txt?

WP Ghost can optionally update image paths in your sitemap and RSS feed to match your custom paths. This actually helps SEO by ensuring the URLs in your sitemap match the URLs visitors see on your site, eliminating potential duplicate content signals. Your sitemap structure, page URLs, and all SEO metadata remain controlled by your SEO plugin (Yoast, Rank Math, All in One SEO, etc.).

For robots.txt, WP Ghost can remove the default line that identifies every WordPress site. This …

Yes. Server-side protection and WP Ghost operate at different layers and protect against different threats. Your hosting firewall handles network-level attacks like DDoS and server exploits. WP Ghost handles application-level attacks that target WordPress specifically: bot reconnaissance, path-based exploitation, script injection, brute force login attempts, and plugin vulnerability probing. One doesn’t replace the other. Together they form a complete security stack.

What Does Server-Side Protection Cover?

Server-side protection (from your hosting provider, Cloudflare, or a network firewall) handles DDoS mitigation, server-level access controls, SSL/TLS enforcement, IP reputation filtering, and general network …

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

View on new site

Yes. WP Ghost includes 115+ free features and 150+ premium features covering path security, 7G/8G firewall, brute force protection, 2FA with passkeys, security headers, and country blocking. For most WordPress sites, especially those on managed hosting with server-level backups and malware scanning, WP Ghost alone provides sufficient protection. If your hosting does not include malware scanning or file integrity monitoring, pairing WP Ghost with a scanning plugin gives you the most complete security setup.

When …