Right now, over 90,000 hacking attacks per minute are targeting WordPress websites around the world. Bots scan your site looking for your login page, your plugin paths, your theme names, and your WordPress core files — then exploit every vulnerability they find. Hide My WP Ghost Pro stops them cold.
The #1 Hack Prevention WordPress Security Plugin by Squirrly — trusted by over 200,000 secured websites — Hide My WP Ghost Pro works like an invisibility cloak for your WordPress installation. It hides and changes every common WordPress path that hackers look for, adds multiple layers of active security, and blocks millions of brute-force attacks, all without changing a single core file or directory on your server.
What Is Hide My WP Ghost Pro?
Hide My WP Ghost Pro is a premium WordPress security plugin that combines security through obscurity with active, multi-layer protection. On one side, it hides all the paths, file names, plugin names, theme names, and WordPress fingerprints that bots and hackers use to identify and target your site. On the other side, it runs a real-time firewall, brute-force protection, two-factor authentication, IP management, activity logging, and a 35-point security audit — giving you a comprehensive, always-on security solution that goes far beyond what any single-layer security plugin can offer.
With an average plugin loading time of just 0.03 seconds — faster than 90% of all WordPress plugins — Hide My WP Ghost Pro delivers maximum security with zero performance penalty to your website speed or SEO rankings.
Key Features
3 Security Levels — One-Click Setup
Choose your protection level instantly from three pre-configured security modes — Default (standard WordPress paths), Safe Mode (maximum compatibility with all themes and plugins), and Ghost Mode (the highest level of path obscurity, making your WordPress installation virtually undetectable). Switch between modes with one click and the plugin automatically configures over 60 security settings accordingly — no manual setup required.
Hide WordPress Common Paths
Change and hide all the default WordPress paths that hackers and bots use to identify your site as a WordPress installation. This includes your wp-admin URL, wp-login.php URL, wp-content path, wp-includes path, plugin paths, theme paths, and upload directory — all replaced with custom, randomized paths that only you know. Bots scanning for standard WordPress entry points find nothing — because those paths no longer exist at their expected locations.
Custom Login & Admin URL
Replace the default wp-login.php and wp-admin URLs with completely custom URLs of your choice. When hackers or bots try to access your login page at the standard WordPress address — they are redirected to a 404 page, a custom error page, or any URL you define. Set separate custom login and logout redirects per user role — so subscribers, customers, and editors are each redirected to the correct destination after logging in or out.
Hide WordPress Core Files
Prevent direct access to sensitive WordPress core files that reveal information about your installation. Hidden files include wp-config.php, wp-config-sample.php, wp-load.php, wp-settings.php, wp-blog-header.php, readme.html, install.php, license.txt, php.ini, error_log, debug.log, and more — all of which are commonly targeted by bots looking for version information, configuration details, and known vulnerabilities.
URL Mapping & Text Mapping
Even after changing all common WordPress paths, some plugins and themes may still expose their names in your page source code through CSS classes, HTML IDs, or script URLs. The URL Mapping feature lets you replace any remaining plugin or theme URLs in your source code with custom alternatives. The Text Mapping feature changes CSS class names and HTML IDs — like wp-block, wp-post, wp-custom — in your page source, removing all detectable WordPress fingerprints from your HTML output completely.
7G & 8G Firewall
The Pro version activates the advanced 7G and 8G firewalls — formidable rule-based shields designed to block a wide array of malicious requests targeting your WordPress site. These firewall layers intercept and block bad bots, malicious query strings, suspicious request patterns, known exploit attempts, and other attack vectors before they ever reach your WordPress application — adding a powerful server-level defense layer on top of the path obscurity features.
Brute Force Attack Protection
Brute force attacks — automated attempts to guess your WordPress login credentials through repeated trial combinations — are among the most common attack types targeting WordPress. Hide My WP Ghost Pro stops them with multiple overlapping defenses: custom login URL (so bots cannot even find the login page), login attempt limiting with configurable lockout duration, math CAPTCHA challenge on the login form, reCAPTCHA integration, and IP address blacklisting for repeat offenders.
XML-RPC Protection
XML-RPC is a remote access system built into WordPress that attackers frequently abuse for brute force login attempts — using a single XML-RPC call to test hundreds of username and password combinations simultaneously, bypassing standard login attempt limits. Hide My WP Ghost Pro lets you completely disable XML-RPC access or block specific XML-RPC methods — cutting off this attack vector entirely without affecting any legitimate services that require XML-RPC functionality.
Two-Factor Authentication (2FA)
Add a critical second layer of authentication to your WordPress login process with the built-in Two-Factor Authenticator. Even if a hacker somehow obtains your password — through a data breach, phishing, or brute force — they cannot log in without the time-based one-time code generated by your authenticator app. 2FA is one of the single most effective security measures available and Hide My WP Ghost Pro makes it straightforward to implement for any WordPress user.
Security Check — 35+ Automated Security Audits
Run a comprehensive automated security audit of your entire WordPress installation with a single click. The Security Check examines over 35 security parameters — covering path exposure, file permissions, login protection, database security, user security, and server configuration — and produces a complete, prioritized list of all detected vulnerabilities with clear, actionable guidance on how to fix each one. Know exactly where your site is exposed and fix it before hackers find it first.
Users Activity Log
Know exactly what is happening on your WordPress site at all times with the built-in Users Activity Log. Every important action performed by logged-in users is recorded — logins, logouts, failed login attempts, profile updates, settings changes, plugin activations, and more — and stored for the last 30 days. Instantly spot suspicious behavior, unauthorized access attempts, or unexpected changes made by users or compromised accounts. Set up instant email alerts for specific security events so you are notified immediately when something requires attention.
Temporary Logins
Need to give a developer, support agent, or client temporary access to your WordPress admin area? Temporary Logins lets you create time-limited admin access links that expire automatically after a defined period — without sharing your actual admin credentials. Grant access for an hour, a day, a week, or any custom duration — then the access disappears automatically. Your permanent admin credentials are never exposed.
IP Whitelist & Blacklist
Take full control of who can and cannot access your WordPress login page and admin area. The IP Whitelist restricts login page access exclusively to your trusted IP addresses or IP ranges — making it physically impossible for anyone outside your whitelist to even reach the login form. The IP Blacklist permanently blocks known malicious IP addresses, suspicious user agents, and specific referral sources from accessing any part of your website — stopping attacks before they reach WordPress.
Security Headers
Add HTTP security headers to every page response from your WordPress site — providing an extra layer of protection against common web attack types including Cross-Site Scripting (XSS), clickjacking, MIME type sniffing, and data injection attacks. Security headers are a free, zero-impact way to significantly improve your site’s security posture and are increasingly checked by security scanners and browser security tools used by your visitors.
Hide Admin Toolbar by User Role
Prevent specific WordPress user roles from seeing the admin toolbar on the frontend of your website. This reduces information leakage about your WordPress structure for logged-in users who should not have admin-level access, and keeps your frontend clean and professional for subscribers, customers, and members who have no need for admin functionality.
Speed Optimized — 0.03s Average Load Time
Security should never come at the cost of speed. Hide My WP Ghost Pro is engineered for performance with an average plugin loading time of just 0.03 seconds — making it faster than 90% of all WordPress plugins. Your Core Web Vitals, PageSpeed scores, and overall site performance are completely unaffected by the plugin’s security operations — maintaining the fast, responsive experience your visitors and search engine rankings depend on.
WordPress Multisite Compatible
Hide My WP Ghost Pro works seamlessly on WordPress Multisite installations — on both sub-directory and sub-domain network configurations. Configure security settings once at the network level and the protection applies across every site in your network. Compatible with Apache, LiteSpeed, Nginx, and Windows IIS server environments.
Compatible with 1,000+ Themes & Plugins
Hide My WP Ghost Pro has been tested with over 1,000 WordPress themes and plugins — including all major cache plugins, security plugins, CDN plugins, page builders, SEO plugins, and eCommerce solutions. Confirmed compatible with WooCommerce, WPML, W3 Total Cache, WP Rocket, LiteSpeed Cache, Elementor, Divi, Yoast SEO, Rank Math, Wordfence, Sucuri, Really Simple SSL, and many more.
Who Is This Plugin For?
- Business Owners & Entrepreneurs — Protect your revenue-generating website from hackers, bots, and data theft
- Bloggers & Content Creators — Secure your content and reputation without needing technical security expertise
- eCommerce Stores — Protect customer data, payment information, and WooCommerce stores from attacks
- Agencies & Developers — Apply enterprise-grade security to all client websites with white-label-friendly settings
- Membership & LMS Sites — Protect sensitive user data and subscription content from unauthorized access
- High-Traffic WordPress Sites — Block millions of bot requests and brute-force attempts before they impact server performance
Free vs Pro Comparison
| Feature | Pro Version | Free Version |
|---|---|---|
| 3 Security Levels (Safe Mode & Ghost Mode) | ✅ All 3 Levels | ⚠️ Limited |
| Hide WordPress Paths | ✅ Full Control | ✅ Basic |
| Custom Login & Admin URL | ✅ Yes | ✅ Yes |
| URL Mapping & Text Mapping | ✅ Advanced | ⚠️ Limited |
| 7G & 8G Firewall | ✅ Yes | ❌ No |
| Two-Factor Authentication (2FA) | ✅ Yes | ❌ No |
| Security Check (35+ Audits) | ✅ Full Report | ⚠️ Basic |
| Users Activity Log | ✅ 30-Day History + Alerts | ❌ No |
| Temporary Logins | ✅ Yes | ❌ No |
| IP Whitelist & Blacklist | ✅ Full Control | ⚠️ Limited |
| Security Headers | ✅ Yes | ✅ Yes |
| XML-RPC Protection | ✅ Full Disable + Block | ✅ Basic |
| Brute Force Protection | ✅ Advanced (Math CAPTCHA, reCAPTCHA) | ✅ Basic |
| WordPress Multisite Support | ✅ Yes | ✅ Yes |
How to Install
- Click the Download button below to get the
.zipfile - Go to WordPress Dashboard → Plugins → Add New → Upload Plugin
- Upload the
.zipfile and click Install Now - Activate the plugin
- Navigate to WP Ghost in your WordPress sidebar
- Choose your security level — start with Safe Mode for maximum compatibility, or Ghost Mode for the highest protection
- Run the Security Check to identify any remaining vulnerabilities on your site
- Configure 2FA, IP whitelist, activity logging, and firewall settings from the Pro features panel
Frequently Asked Questions
Is this plugin free to download?
Yes, you can download Hide My WP Ghost Pro for free from this page. It is redistributed under the GPL license.
Will it change my actual WordPress files or directories?
No. Hide My WP Ghost Pro works entirely without changing any actual core files or directories on your server. It uses WordPress rewrite rules to redirect requests — your files stay exactly where they are, but hackers and bots cannot find them at their expected paths.
Does it slow down my website?
No. Hide My WP Ghost Pro has an average loading time of 0.03 seconds — faster than 90% of all WordPress plugins. Your website speed, PageSpeed scores, and Core Web Vitals are completely unaffected.
Does it work with Elementor, Divi, and other page builders?
Yes. Hide My WP Ghost Pro has been tested with over 1,000 themes and plugins including Elementor, Divi, WPBakery, and all other major WordPress page builders. Use Safe Mode for maximum compatibility with all themes and plugins.
Does it work on WordPress Multisite?
Yes. The plugin works on WordPress Multisite on both sub-directory and sub-domain configurations and is compatible with Apache, LiteSpeed, Nginx, and Windows IIS servers.
Is it compatible with WooCommerce?
Yes. Hide My WP Ghost Pro is fully compatible with WooCommerce — your shop, checkout, and account pages continue to function perfectly after enabling the plugin’s security features.
Download Hide My WP Ghost Pro — Free
Every day your WordPress site runs without proper security is another day hackers have to find their way in. Hide My WP Ghost Pro removes the footprints, closes the doors, fires up the firewall, and monitors every action — silently protecting your site 24 hours a day, 7 days a week, with zero performance penalty. Over 200,000 websites are already protected. Download it today and make yours invisible to hackers.
⚠️ Disclaimer: This plugin/theme is for personal use and practice only. Run a malware scan before use. For commercial use, purchase a license from the official website.
