Hide My WP Ghost is a security plugin that can make your WordPress website look like a non-WP website by hiding the traces of WP in the HTML code. The rating of Ghost is 4.5, and the number of people using it is over 200k. Can this extension hide your WP from the users? Let’s find out!
Hide My WP Ghost runs a check when you activate it to ensure that you address important issues first. Once the check is complete, it rates your website’s security on a 180-degree (half-pie) chart. Below the chart, the extension shows a list of actions. The actions are simply the plugin options you must activate. Below the list of actions, you will find a button to run a full security check.
Hide My WP Ghost settings are available on the following pages:
The “change paths” page has the following tabs:
Level of Security
This module of Hide My WP Ghost lets users hide the important links of a WordPress website so that they won’t be available to any other user or bots, excluding you or the user with whom you’ve shared the URL. The extension supports three levels of WP Path security – deactivated, lite mode, and ghost mode.
The lite mode will change the paths of these pages to predefined URLs –
wp-comments-post.php. HMWG won’t touch or modify any file on the server. The Ghost mode supports these WordPress paths/URLs –
wp-admin/admin-ajax.php in addition to the paths supported by the Lite mode.
Hide My WP Ghost can hide the wp-admin URL from all visitors and non-admin users. In this section of the plugin, there’s a textbox to enter a custom name for the wp-admin URL.
Firewall and headers
From this section of HMWG, you can enable the following headers for the HTTP responses of your website:
- X-Content-Type-Options, X-XSS-Protection.
- Content-Security-Policy, and Strict-Transport-Security.
Hide My WP Ghost also allows users to enable the “remove unsafe headers” option. If you enable this function, it will remove the server signature, server info, and PHP version from the HTTP response.
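To confirm that the header options described above took effect, you can compare a response head from before and after enabling them. The following is an added example, not code from the plugin; the function names and both sample responses are constructed for illustration, and it assumes the server and PHP details appear in the `Server` and `X-Powered-By` headers.

```python
import re

# Hardening headers listed in the section above.
EXPECTED = (
    "X-Content-Type-Options",
    "X-XSS-Protection",
    "Content-Security-Policy",
    "Strict-Transport-Security",
)
# Assumption: these headers carry the server signature and PHP version.
LEAKY = ("Server", "X-Powered-By")
VERSION = re.compile(r"\d+\.\d+")

def parse_headers(raw):
    """Parse a raw HTTP response head into a dict keyed by lower-cased name."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return (missing hardening headers, headers that disclose a version)."""
    headers = parse_headers(raw)
    missing = [h for h in EXPECTED if h.lower() not in headers]
    leaking = [h for h in LEAKY if VERSION.search(headers.get(h.lower(), ""))]
    return missing, leaking

# Constructed sample responses, not captured from a real site.
BEFORE = """HTTP/1.1 200 OK
Server: Apache/2.4.57 (Debian)
X-Powered-By: PHP/8.1.2
Content-Type: text/html; charset=UTF-8
"""
AFTER = """HTTP/1.1 200 OK
Server: Apache
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=31536000
"""

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw))
```
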
An internet user can easily find out what theme a WordPress website is using by simply viewing the source of the page. WordPress themes may have security issues. If hackers learn that a theme you’re using has a major security issue, they may target your website. To prevent this, you can hide the details of the WordPress theme.
To hide the theme details, open the “Themes security” section, enter the custom stylesheet file name and click the save button. In the “Themes Security” section, there’s a textbox prefilled with this path – “core/views”. The extension will replace the
core/views. You can change the custom path if you want.
If you don’t want anyone to find out the extensions you’re using on your WordPress website, enable the “hide plugin names” option on the “Plugin Security” page. What does this function do? It replaces the extension names with random words.
Hide My WP Ghost lets users hide the “language switcher” option on the WP login page of their website from the “Login security” section. It also lets users set a custom “lost password” path and change the login URL of the website.
From the Tweaks page of HMWG, you can make the plugin redirect users to the dashboard/log page after signing into your website or logging out. You can also change the RSS feed paths, test the changes to the sitemap file, and update the Robots.txt file with the new paths.
Hide My WP Ghost can hide the admin toolbar and strip version IDs from images/CSS/JS files, IDs from meta tags, generator meta tags, HTML comments, embed scripts, WLW manifest scripts, etc. from the page’s HTML code. It can disable right clicks, copy/paste, and drag/drop actions on your website’s pages. It can also prevent users from viewing the source code of your website. The options to activate/deactivate the above-mentioned features are on the “Tweaks” page of the plugin.
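A site owner can check what the stripping and path options actually removed by scanning a rendered page of their own site for the traces listed above. This is an added example, not the plugin's code; the class and function names, the sample markup, and the `design.css` file name are constructed, while `core/views` is the custom path mentioned earlier.

```python
import re
from html.parser import HTMLParser

DEFAULT_PATHS = re.compile(r"/wp-(content|includes|admin)/")
VERSION_QUERY = re.compile(r"[?&]ver=[\w.]+")

class TraceScanner(HTMLParser):
    """Collect markers that identify a page as generated by WordPress."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "meta" and attrs.get("name", "").lower() == "generator":
            self.findings.append(("generator-meta", attrs.get("content", "")))
        if tag == "link" and "wlwmanifest" in attrs.get("rel", "").lower():
            self.findings.append(("wlw-manifest", attrs.get("href", "")))
        for name in ("href", "src"):  # attributes that reference assets
            url = attrs.get(name, "")
            if DEFAULT_PATHS.search(url):
                self.findings.append(("default-path", url))
            if VERSION_QUERY.search(url):
                self.findings.append(("version-query", url))

    def handle_comment(self, data):
        self.findings.append(("html-comment", data.strip()))

def scan(html):
    """Return a list of (kind, value) findings for one HTML document."""
    scanner = TraceScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample pages, not taken from a real site.
BEFORE = """<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="/wp-content/themes/sample-theme/style.css?ver=6.4.2" />
<link rel="wlwmanifest" href="/wp-includes/wlwmanifest.xml" />
<!-- This site is optimized with a sample plugin -->
</head><body></body></html>"""
AFTER = """<html><head>
<link rel="stylesheet" href="/core/views/design.css" />
</head><body></body></html>"""

if __name__ == "__main__":
    for kind, value in scan(BEFORE):
        print(kind, value)
```

An empty result only means these markers are gone from the HTML; it says nothing about whether the theme and plugins behind the page are up to date.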
The Mapping section of Hide My WP Ghost lets users replace the CSS IDs, CSS classes, and JS variables used on their website with another one. It also enables users to map one URL to another one.
As in Wordfence or Jetpack, you can activate brute force protection for your WordPress website in Hide My WP Ghost. HMWG supports reCAPTCHA-based brute force protection. You must enter the Google reCAPTCHA V2/V3 secret and site keys to enable the Brute Force protection module for your website. HMWG can block users automatically for N seconds if they fail to solve the captcha challenge after N attempts (the number of seconds and the number of attempts are user-defined).
The Event Log is a Pro feature of Hide My WP Ghost. If this module is active, HMWG will track various events, including the user activities on your website, and make you aware of the same.
Security Check is another useful page of Hide My WP Ghost. It detects and highlights software, configuration, and settings-related issues. This page has a table with these four columns – name, value, valid, and action. In the name section, the page boasts the name of the setting or software.
If the software is up to date, the configuration is valid, or the setting is enabled, you’ll find a green check mark icon in the “valid” section; otherwise, the page will show a red check mark icon. For example, if you’re using an older version of PHP or MySQL, the plugin will show a red cross icon in the “valid” column.
If you’re migrating your WordPress website to a new host, you may want to export the plugin’s settings on the older host. You can do so from this page of Hide My WP Ghost.
- Features are complex, but the plugin is easy to configure.
- The brute force function is highly reliable.
If you change the path and later reset the settings or remove the plugin, you’ll see plenty of 404 errors in the error log file.
Some features aren’t required: If brute force protection is active, what’s the need to change the path of the WordPress login page?
Should you use Hide My WP Ghost? Yes! As the extension has many useful settings, it is worth using.