preloader

Hide My WP Ghost plugin review and common issues

Hide My WP Ghost is used for hardening login, scanning files, and blocking common attacks. In most cases, it fits business sites better than a custom build done too early. A common issue is that firewall rules block valid users or admin actions. This usually happens when strict rules create false positives on custom sites. It can save time, but it still needs testing on a staging site before major changes go live. From experience, Hide My WP Ghost works best when you keep the setup focused and avoid overlapping plugins.

Hide My WP Ghost plugin review and common issues
Official Plugin Page ↗ Get Help With This Plugin

What is Hide My WP Ghost plugin?

Hide My WP Ghost (now also simply called WP Ghost) is a WordPress security plugin focused on one specific strategy: obfuscating WordPress’s default paths and file signatures to prevent automated bots from identifying your site as WordPress in the first place. Most WordPress attacks are automated — bots scan millions of sites per hour looking for default paths like /wp-admin, /wp-login.php, and /wp-content to confirm a site runs WordPress before attempting exploits. Hide My WP Ghost removes those fingerprints.

The plugin allows you to change the wp-admin URL, wp-login.php, wp-content and wp-includes paths, plugin and theme directory paths, and REST API endpoint paths to custom values. When a bot scans for /wp-login.php and receives a 404, it moves on — because the site no longer looks like a WordPress installation. This “through obscurity” approach is not a substitute for a firewall or malware scanner but is an effective layer for reducing automated attack exposure.

Beyond path obfuscation, WP Ghost includes 7G and 8G firewall filter sets (server-edge filtering for bad bots), brute force login protection, two-factor authentication, passkey authentication (passwordless login via Face ID, Touch ID, or Windows Hello), reCAPTCHA on login forms, and a security activity log.

The free version at WordPress.org covers core path changes and basic bot filtering. WP Ghost Premium (from $4.99/month) adds the full path obfuscation suite including plugin and theme anonymization, the 7G/8G firewall, advanced brute force protection, 2FA, passkeys, and multi-site support. It is not designed as an all-in-one security solution but works well alongside Wordfence, MalCare, or Patchstack to add the path obfuscation layer those plugins do not provide.

Need Help With Hide My WP Ghost Setup, Troubleshooting, or Customization?

Need help with Hide My WP Ghost? Whether you are dealing with errors, broken functionality, styling problems, plugin conflicts, or advanced customization, we can help you fix the issue and get the plugin working properly on your WordPress site.

Get Hide My WP Ghost Expert Help

Key Features

  • Change wp-admin URL to a custom path
  • Change wp-login.php to a custom URL
  • Obfuscate wp-content and wp-includes paths
  • Anonymize plugin and theme directory names in source code
  • Change REST API and XML-RPC paths

Pros & Cons

Pros

  • Unique path obfuscation approach not provided by Wordfence, MalCare, or Sucuri
  • Effectively reduces automated bot attack surface
  • Lightweight — minimal performance impact (avg 0.03s load time)

Cons

  • Obfuscation is not a substitute for firewall or malware detection
  • If plugin path changes are misconfigured, WordPress functionality can break

Free vs Premium

Free Lite version covers basic path security (changing login URL and some core paths). WP Ghost Premium ($4.99/month or annual plans) adds full path obfuscation, plugin/theme anonymization, 7G/8G firewall, 2FA, passkeys, brute force protection, and multi-site support.

Common Problems & Fixes

Why is the WordPress admin inaccessible after changing paths with WP Ghost?

If you cannot access the admin after changing the wp-admin path, the new URL may not be correctly resolving. Connect via FTP, navigate to wp-content/plugins/ and rename the hide-my-wp folder to disable the plugin temporarily. Log in via wp-admin normally (the original path is restored when the plugin is disabled), then re-enable and re-configure more carefully. Always test custom path changes on staging before applying to a live site.

Why are some WordPress features breaking after enabling plugin path obfuscation?

Plugin path obfuscation changes the visible paths in HTML source but does not move actual files. Occasionally, a plugin that hardcodes its own asset URLs (rather than using WordPress’s path functions) will produce broken links after obfuscation. Identify the affected plugin by disabling obfuscation temporarily and testing. For hardcoded path plugins, either exclude that plugin from obfuscation in WP Ghost settings or contact the plugin developer about using proper WordPress path functions.

Why is WP Ghost not working on my Nginx server?

WP Ghost’s path changes require server rewrite rules. On Apache, these are written to .htaccess automatically. On Nginx, rewrite rules must be added to the Nginx configuration file manually — .htaccess is not processed by Nginx. WP Ghost provides the required Nginx rules in its settings. Copy them to your server’s Nginx configuration and reload Nginx after applying.

Customization & Developer Notes

How do I set WP Ghost to "Ghost Mode" for maximum obfuscation?

Ghost Mode is the maximum obfuscation preset available in WP Ghost Premium. It changes all detectable WordPress paths — admin, login, content, includes, plugins, themes, REST API — to custom values in one click. After enabling Ghost Mode, use the built-in Front-end Test feature to verify your site loads correctly before confirming the changes. Ghost Mode requires Premium.

Can WP Ghost be used alongside Wordfence or another security plugin?

Yes. WP Ghost is specifically designed to be compatible with and complementary to other security plugins. Wordfence handles malware scanning, WAF, and login protection through its own system. WP Ghost adds path obfuscation that Wordfence does not provide. Both can run simultaneously. In WP Ghost settings, whitelist the Wordfence admin-level paths if any conflicts arise.

Frequently Asked Questions

Is "security through obscurity" effective?

Path obfuscation is one layer of defense, not a complete security strategy. It is highly effective against automated bot attacks that rely on fingerprinting WordPress sites — removing the fingerprint stops those bots from targeting your site. It is not effective against targeted manual attacks by adversaries who already know your site runs WordPress. As one layer alongside a proper firewall and malware scanner, it meaningfully reduces automated attack exposure.

Does WP Ghost slow down the WordPress site?

WP Ghost reports an average load time of 0.03 seconds per request, which is faster than 90% of WordPress plugins. The path rewriting happens at the server or PHP level and adds negligible overhead.

Is WP Ghost the same as the original "Hide My WP" plugin?

WP Ghost (formerly Hide My WP Ghost) is a separate product from Hide My WP Ghost. The current active plugin at WordPress.org is WP Ghost, developed and maintained by the Squirrly company. There are multiple similarly named plugins in this category — verify you are installing the correct one from its official WordPress.org listing.

Can WP Ghost break my WordPress site?

Misconfigured path obfuscation can make the WordPress admin temporarily inaccessible. The plugin includes a front-end test feature that lets you verify your site loads correctly before confirming changes, and Ghost Mode has a built-in verification step. Always back up and test on staging before applying significant path changes to a live site.

Need a Hide My WP Ghost Developer?

Find a vetted WordPress developer specializing in Hide My WP Ghost. From setup and configuration to custom Hide My WP Ghost development — get expert help on WPWizzy.
Get a Free Estimate

Ready to hire your WordPress developer?

WPWizzy connects you with vetted freelance WordPress developers from the Codeable network — the top 2% of WordPress experts worldwide, , you can get a free no-obligation project estimate before hiring. Every developer is carefully screened, backed by Codeable’s satisfaction guarantee, and rated by real clients based on completed WordPress projects.

Pick one option and we’ll take you to the right next step.

After submitting your request, up to three WordPress developers may review your project and ask a few questions to better understand the issue.
This step helps us define the scope of work and provide an accurate estimate. Most projects receive a response within 24 hours.
Providing a few key details about your website or the problem will help us respond faster. There is no obligation to proceed with the project.