With Hide My WP nobody can know you use WordPress! This not only greatly increases your security against hackers, badly written plugins, robots, spammers, etc., but it also allows you to have more beautiful URLs and better control over WordPress.
Hide My WP Ghost is a WordPress security plugin. It’s one of the best security-through-obscurity WordPress plugins. It has over 50.000 secured websites, over 1,400,000 brute force attempts protection and over 5.000 login email alerts. The plugin adds filters and security layers to prevent Scripts and SQL Injections, Brute Force attacks, XML-RPC attacks and more.
It changes and hides the common paths and the plugin and theme paths, offering the best protection against hacker bot attacks. Note! No file or directory is physically changed. All the changes are made by redirects. All the actions are done automatically by the plugin.
After the common paths are changed, all the common paths are hidden from hackers to protect all the plugins and themes.
Minimum Requirements
WP version: 3.4+
Tested up to: 4.0
PHP Version: 5.0+
Recommended: .htaccess file with writable permission (needs the mod_rewrite module for Apache) or Nginx with access to the configuration file.
B. File Structure
If you extract the downloaded ZIP file you should have this file structure. The main folder includes four subfolders and a PHP file.
- CSS folder includes one stylesheet (admin.css). It is used for the backend appearance.
- Documentation contains this document and its related files.
- img folder contains three icons with different sizes. These icons are not currently used.
- js includes one JavaScript file (admin.js). It is mainly used for live validation in the settings page and depends on the jQuery library.
- lang folder will store language files. MO files with appropriate name (e.g. hide_my_wp-en_US.mo) should be located here.
- lib contains PHP files and a folder called ‘mute-sceamer’ used for IDS (since v4).
- class.helper.php is a set of helper functions used in other PHP files.
- class.settings-api helps us create our settings page based on the WordPress settings API.
- class.HTML-minify.php is used for safe HTML compression.
- class.CSS-minify is used for safe CSS compression.
- hide_my_wp.php contains the main plugin class. Almost everything is done here.
- admin-settings.php is used for the admin panel settings.
C. Installation and Upgrade
Automatic installation
Automatic installation is the easiest option as WordPress handles the file transfers itself and you don’t even need to leave your web browser. To do an automatic install of Hide My WP, log in to your WordPress admin panel, navigate to the Plugins menu and click Add New. Click Upload and choose the plugin zip file from your computer, then click Install Now and enjoy.
Manual installation
The manual installation method involves downloading our plugin and uploading it to your webserver via your favorite FTP application.
- Download the plugin file to your computer and unzip it.
- Using an FTP program, or your hosting control panel, upload the unzipped plugin folder to your WordPress installation’s wp-content/plugins/ directory.
- Activate the plugin from the Plugins menu within the WordPress admin.
Writable Permission for htaccess and Permalink Structure
To use all of Hide My WP’s features you need to have a writable htaccess file and an enabled permalink structure. In most cases you have already completed this step, but if your post URLs end with ?p= or you have problems changing the theme or plugins URL, continue reading.
To make htaccess writable use your favorite FTP application (like Filezilla, CuteFTP, etc.) or an online file manager from your host control panel. In case of FTP:
- Go to the WordPress path in your FTP program (WP usually is in the public_html, htdocs or www folder)
- You should see .htaccess in your WordPress root directory. If you don’t, make sure your FTP program can display hidden files
- Right click on the file. Choose Permission or Properties and change the permission to 777
- After configuring Hide My WP you may return the htaccess permission back to 655
To enable Permalink Structure go to the admin panel and choose Permalink from the Settings menu, then choose one of the pre-defined options and save your changes.
Nginx Configuration
Nginx is an open source web server (like Apache). If you can’t find any htaccess file on your server or there is a /index.php/ before your WP permalinks, this (usually) means your server uses Nginx. As there is no htaccess or automatic configuration for Nginx, you need to configure it manually. To do that you need root access and basic SSH knowledge.
In the plugin page (Start tab) you should see the Nginx Configuration button. If you don’t see this button and you are sure that this is an Nginx server, add &nginx_config=1 to the HMW settings page URL to see the Nginx rewrite rules. For example:
http://wp_path.com/wp-admin/options-general.php?page=hide_my_wp&nginx_config=1
If you use a sub-directory for the WP server block you should add that directory before all of the rules. Keep in mind that this does not mean every sub-directory WordPress installation needs this change; it is needed only if your server block in Nginx is based on a sub-directory. Assume our sub-directory is ‘mywp’. Here are some examples:
rewrite ^/mywp/template/lib/(.*) /mywp/wp-includes/$1 last;
rewrite ^/mywp/storage/(.*) /mywp/wp-content/uploads/$1 last;
rewrite ^/mywp/ext/aa405a34/(.*) /mywp/wp-content/plugins/akismet/$1 last;
rewrite ^/mywp/ajax /mywp/wp-admin/admin-ajax.php last;
rewrite ^/mywp/(readme\.html|wp-includes/$) /mywp/nothing_404_404 last;
rewrite ^/mywp/(index\.php|wp-content/repair\.php|index\.php|wp-admin/)(.*) /mywp/$1$2 last;
rewrite ^/mywp/(.*).php$ /mywp/nothing_404_404 last;
Now you need to add those lines to your Nginx configuration file. It is usually located in /etc/nginx/nginx.conf or /etc/nginx/conf/nginx.conf. Don’t simply add the rules to the beginning or the end of the file. Make sure they are in the server block.
Note: Based on your settings you may need to update the Nginx config file frequently. (For example if you use the rename plugin feature or a new theme path)
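To check what a rule set like the one above actually covers before reloading Nginx, the following added example (not part of the plugin or its documentation) replays the seven 'mywp' rules in order against constructed request paths. It assumes the rules sit directly in the server block, so they are evaluated once and the first match wins, and that the capture references are written as $1 and $2; the helper names are hypothetical.

```python
import re

# The seven rules from the 'mywp' example, capture references written as
# $1/$2 (assumed). Every rule ends in `last`, so the first match wins.
RULES = [
    (r"^/mywp/template/lib/(.*)", "/mywp/wp-includes/$1"),
    (r"^/mywp/storage/(.*)", "/mywp/wp-content/uploads/$1"),
    (r"^/mywp/ext/aa405a34/(.*)", "/mywp/wp-content/plugins/akismet/$1"),
    (r"^/mywp/ajax", "/mywp/wp-admin/admin-ajax.php"),
    (r"^/mywp/(readme\.html|wp-includes/$)", "/mywp/nothing_404_404"),
    (r"^/mywp/(index\.php|wp-content/repair\.php|index\.php|wp-admin/)(.*)",
     "/mywp/$1$2"),
    (r"^/mywp/(.*).php$", "/mywp/nothing_404_404"),
]
BLOCKED = "/mywp/nothing_404_404"


def rewrite(uri):
    """Return the URI Nginx would go on to serve after one pass over RULES."""
    for pattern, target in RULES:
        m = re.search(pattern, uri)
        if m:
            # Nginx replaces the whole URI with the expanded replacement.
            return re.sub(r"\$(\d)",
                          lambda ref: m.group(int(ref.group(1))) or "", target)
    return uri  # no rule matched: the request is served as-is


def classify(uri):
    """Label a request 'blocked', 'aliased' or 'unchanged'."""
    served = rewrite(uri)
    if served == BLOCKED:
        return "blocked"
    return "unchanged" if served == uri else "aliased"


# Constructed sample requests, not taken from a real access log.
SAMPLES = [
    "/mywp/template/lib/js/jquery/jquery.js",
    "/mywp/ext/aa405a34/akismet.css",
    "/mywp/readme.html",
    "/mywp/xmlrpc.php",
    "/mywp/wp-admin/index.php",
    "/mywp/wp-content/plugins/akismet/readme.txt",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{classify(uri):9} {uri} -> {rewrite(uri)}")
```

Any default path reported as 'unchanged' is not touched by these seven rules and is still served at its original location, so it needs its own rule if it is meant to be hidden.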
Multi-site Configuration
Hide My WP is compatible with network-enabled WordPress. This means only the site admin can change settings, but those settings will apply to the entire network.
To make HMW work with your multi-site installation you need to edit your htaccess file manually. To do that, go to the plugin page (Network admin panel -> Settings) and click on the multi-site configuration button in the Start tab to see the htaccess rewrite rules.
Now use an FTP program or your host file manager and add those lines to your htaccess file (after RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ […])
Note: For performance reasons HMW does not hide theme names in WPMU. Instead you can easily rename themes in wp-content/themes directory (e.g. wp-content/themes/01/ , wp-content/themes/02/). The final result will be something like:
/template/01/main.css
Note: Based on your settings you may need to update the htaccess file frequently. (For example if you activate a plugin)