What WP Ghost Does and Does Not Do – Limitations and Scope
September 7, 2018
This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.
WP Ghost (formerly Hide My WP Ghost) is a hack prevention plugin that reduces your WordPress attack surface. It is not a malware scanner, backup tool, or firewall replacement. Understanding what WP Ghost does and does not do helps you build a complete security stack.
What WP Ghost Does
WP Ghost prevents attacks before they happen. It changes and hides WordPress paths so bots cannot find vulnerable plugin files, theme directories, login pages, or admin endpoints. It adds 7G/8G firewall rules to block SQL injection and script injection at the server level. It enforces security headers, enables 2FA, blocks brute force attacks, and provides security monitoring. All of this happens through URL rewrite rules and WordPress filters. No core files are modified.
What WP Ghost Does Not Do
There are specific things WP Ghost intentionally does not do, either to protect site functionality, maintain performance, or because they fall outside the scope of hack prevention.
Does not automatically hide all plugin CSS classes in the source code
WordPress plugins inject their own CSS class names into the HTML source (e.g., elementor-widget, woocommerce-product, wpforms-container). WP Ghost does not automatically strip or rename these classes because doing so would break layouts, JavaScript interactions, and plugin functionality across thousands of different plugin combinations.
You can manually rename specific classes using WP Ghost > Mapping > Text Mapping. This gives you precise control over which class names to change without risking site-wide breakage. Test each mapping carefully, as changing a class name in HTML without changing it in the corresponding CSS will break styling.
Does not hide admin paths when you are logged in as Administrator
When you are logged in as an administrator, WP Ghost shows the real /wp-admin/ path in the dashboard. This is intentional. If WP Ghost renamed paths while you were logged in and was then deactivated (due to an update, conflict, or error), you would be locked out of your own dashboard. By keeping the real paths visible for administrators, WP Ghost ensures you always have access to your site. The custom paths apply to the front-end and to non-logged-in visitors, which is where bots operate.
If you want path changes applied even in the admin area, you can enable this using the HMW_ALWAYS_CHANGE_PATHS constant in wp-config.php. See the Advanced Settings tutorial for details.
Does not scan for or remove malware
WP Ghost is a prevention tool, not a detection tool. It stops attacks before they reach your site. It does not scan your files for existing malware, viruses, or backdoors. If your site is already infected, you need a dedicated malware scanner like Anti-Malware Security (GOTMLS), Wordfence, or Sucuri to clean the infection first, then activate WP Ghost to prevent reinfection.
Does not create backups
WP Ghost does not back up your files or database. Always maintain regular backups through your hosting provider or a dedicated backup plugin (UpdraftPlus, BlogVault, etc.) before making security changes.
Does not block browser-based theme detector extensions
Browser extensions like Wappalyzer or WhatRuns run on the visitor’s computer inside their browser. Your website cannot block an extension that runs locally. WP Ghost reduces what these extensions can detect by removing WordPress fingerprints from the HTML source, but if any WordPress clue remains visible (a class name, a path fragment), the extension may still identify WordPress. The goal is to minimize detectable signals, not to guarantee invisibility against local analysis tools.
Does not modify, move, or rename any WordPress files
WP Ghost uses URL rewrite rules to create virtual paths. Your actual WordPress files (wp-admin, wp-includes, wp-content, plugins, themes) stay exactly where WordPress installed them. The FTP directory structure is unchanged. Deactivating WP Ghost restores every default path instantly.
What WP Ghost Does (And Does Well)
Despite these intentional limitations, WP Ghost provides comprehensive hack prevention. It protects all vulnerable plugins and themes by changing and hiding their paths, preventing access to vulnerable files. The 7G/8G firewall blocks script injections, SQL injections, and malicious file uploads at the server level. Brute force protection with reCAPTCHA and login limits stops password-guessing attacks. 2FA with passkeys, codes, and email adds a second authentication layer. Security headers prevent XSS, clickjacking, and MIME type attacks. All of this works together to block bots before they can execute attacks against your site.
WP Ghost is designed to work alongside other security tools. Use it with a malware scanner for detection, a backup plugin for recovery, and your hosting firewall for DDoS protection. Together, these tools create a layered defense that covers prevention, detection, and recovery.
Frequently Asked Questions
If WP Ghost does not scan for malware, why do I need it?
Because prevention is more effective than cleanup. A malware scanner finds infections after they happen. WP Ghost prevents the attack from succeeding in the first place. The vast majority of WordPress attacks come from automated bots targeting predictable paths. When those paths do not exist, the attack fails before any malware can be installed.
Can I use WP Ghost alongside Wordfence, Solid Security, or Sucuri?
Yes. WP Ghost is designed to work alongside other security plugins. WP Ghost handles hack prevention at the path level. Wordfence handles malware scanning and its own firewall rules. Solid Security handles lockouts and site hardening. Sucuri handles cloud-based monitoring. They address different layers with minimal overlap. See the Compatibility Plugins List for specific integration notes.
Will WP Ghost make my website invisible to all theme detectors?
It makes your site extremely difficult to detect, but not impossible for every tool. Online scanners like WhatCMS.org and BuiltWith can be fully defeated because they only see what your server sends. Browser extensions like Wappalyzer analyze the page locally and may detect residual WordPress patterns in CSS class names or JavaScript variables. Use Text Mapping to rename specific class names for maximum hiding.
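An added example (not WP Ghost code) for the answer above and the browser-extension limitation earlier on this page: a self-audit that lists the residual signals still present in HTML your own site serves, so you know which class names to put into Text Mapping. The path list, class prefixes and sample markup are assumptions built from the examples named on this page.

```python
import re
from html.parser import HTMLParser

# Assumed signal lists taken from the examples on this page; extend for your plugins.
DEFAULT_PATHS = ("wp-content", "wp-includes", "wp-admin")
CLASS_PREFIXES = ("elementor-", "woocommerce-", "wpforms-")
PATH_RE = re.compile("|".join(map(re.escape, DEFAULT_PATHS)))
# Constructed sample of served HTML after path changes (not from a real site).
SAMPLE = """<html><head>
<link rel="stylesheet" href="/assets/css/main.css">
<script>var cfg = {"ajaxurl": "\\/wp-admin\\/admin-ajax.php"};</script>
</head><body>
<div class="elementor-widget hero">Hi</div>
<form class="wpforms-container" action="/contact"></form>
</body></html>"""

class FingerprintAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = set()  # (kind, value) pairs
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        for name, value in attrs:
            if name == "class" and value:
                for cls in value.split():
                    if cls.startswith(CLASS_PREFIXES):
                        self.findings.add(("class", cls))
            elif name in ("src", "href", "action") and value:
                for hit in PATH_RE.findall(value):
                    self.findings.add(("path", hit))

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # inline JavaScript can still carry default paths
            for hit in PATH_RE.findall(data):
                self.findings.add(("inline-js", hit))

def audit_html(html):
    parser = FingerprintAudit()
    parser.feed(html)
    parser.close()
    return sorted(parser.findings)

if __name__ == "__main__":
    print(audit_html(SAMPLE))
```

Feed it the page source as a logged-out visitor receives it, since administrators see the real paths.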
Does WP Ghost affect my FTP directory structure?
No. WP Ghost uses path rewrite rules to customize URLs without physically moving or renaming any files. Your FTP directory structure remains exactly as WordPress installed it. All changes are virtual, applied at the URL level only.
Is path security the same as “security through obscurity”?
WP Ghost goes far beyond obscurity. Changing paths is one layer. The plugin also includes a 7G/8G firewall that blocks SQL injection and script injection at the server level, brute force protection with reCAPTCHA, two-factor authentication, security headers against XSS and clickjacking, and geo-blocking. Path changes remove the attack surface. The firewall blocks the attack payload. Together, they provide layered prevention, not just hiding.
Does WP Ghost slow down my website?
No. WP Ghost uses server-level rewrite rules (in .htaccess for Apache, nginx.conf for Nginx) which execute before PHP even loads. This means path changes add zero processing overhead to your page load. In many cases, WP Ghost actually reduces server load by blocking malicious bot traffic before it reaches WordPress.
Related Tutorials
Text Mapping and URL Mapping – manually rename plugin class names and remaining URLs in source code.
WP Ghost with Anti-Malware Security – pair WP Ghost with a malware scanner for prevention + detection.
Hide from WordPress Theme Detectors – maximize CMS hiding against online scanners and browser extensions.
Customize All WordPress Paths – the complete path-changing guide.
Compatibility Plugins List – confirmed compatible security plugins, cache plugins, and page builders.