The Hide My WP Plugin has been built for WordPress, which is currently the best CMS. WordPress is used worldwide and some of the world’s largest web sites are based on this great platform. It is free, flexible and reliable, and using the available plugins and themes you can create any web site you want. The Hide My WP Plugin works well to help keep your WordPress website secure.
However, popularity and prevalence have their downsides – there are many attacks on WordPress sites. Just like any other software, WordPress is susceptible to various types of attacks and threats. Although WordPress developers pay a lot of attention to security, there is always the possibility of installing a theme or plugin that is not good enough and can be used by attackers to compromise your site.
In an attempt to raise the level of security on their sites WordPress administrators use various security plugins. There is no 100% protection against attacks, but if you use some quality tools you can make it much harder for attackers to attack or make them give up their evil intentions.
One of the great ways of securing your website is to actually hide the fact that it’s running on WordPress. If you didn’t know this was possible, keep reading. In this article we review the Hide My WP plugin, which does exactly that. The plugin is designed to prevent an attacker from learning that your website is running on WordPress at all. Security through obscurity is still one of the effective ways of securing any website.
Because Hide My WP hides the fact that your website is a WordPress website, it makes things much harder for hackers. If a hacker uses one of the many CMS detection services, it will not be possible to detect that your site is powered by WordPress. Most of the work of this plugin is done by changing the permalinks and source code entries without changing the location of the WordPress files on your hosting server.
You don’t have to make any changes to the server configuration. You only need to install and configure the plugin and your job is done. The plugin also makes it possible for you to undo any changes without additional configuration.
This fantastic plugin is able to rename the folders that contain your themes and plugins to make it harder for attackers. It is possible to change WP permalinks without configuring anything on the database and obviously without any data loss. If you want to hide wp-login, even this is possible. The administrator login link can be known only to you and your administrators.
Hide My WP plugin offers 3-way protection:
– Hide WordPress – hides the fact that your site is based on the WordPress CMS. Even the best WP theme and plugin detectors such as IsItWP and WPThemeDetector cannot detect that your site runs on WordPress. You can select 3 levels of privacy, hide login page using login query and login key. You can completely hide wp-admin, disable direct PHP access and rename theme folders.
– WordPress Firewall – an integrated firewall that protects your site against SQL injection, CSRF, XSS and brute-force attacks. Any suspicious actions will be logged and you will receive a notification with the attacker’s username, IP, date and more. Smart IDS will monitor and send notifications of potential attacks, and bad IP addresses will be blocked automatically. One of the best options is the ability to block access from certain countries you define.
– Trust Network – there is an already built trusted network that will automatically provide protection from previously known hackers and bots. A list of bad IP addresses is automatically created and all attacker data is stored.
Below we will show you how to install Hide My WP plugin and we will explain its options.
Once you have downloaded the plugin to your PC, open the WordPress admin dashboard and upload the plugin. After activation, the setup wizard will open automatically.
Choose the level of protection that meets your needs. There are three levels of protection, light, medium and high.
After that, a new window opens where you do the complete configuration.
The first tab is the “Start” tab. We will briefly explain the options that it contains.
– Purchase code: there is a field in which you enter the purchase code. You received this code in the e-mail after purchasing the plugin.
– Import options: There are some predefined settings. You can choose the level of security you want for your site.
– Export options: The ability to export the current configuration of the Hide My WP plugin.
– Debug report: If you ever have problems with the plugin, this option will generate a report with your plugin and server settings that will help the support team solve any issue you are reporting much faster.
– Undo settings: This option allows you to restore the settings to the previous options.
– Reset Settings to WP: If problems occur or you want to configure the plugin from the beginning then use this option. This will reset all settings as if you had just installed the plugin.
– Clean Uninstall: If you want to uninstall the plugin then using this option you will remove all saved settings.
The next tab is “Hiding.” This tab contains:
– Hide Login: Using this option you can hide /wp-login.php and disable access. Administrators will need a Login Query and Admin Login Key to access your wp-login.php. If a visitor tries to access your admin panel they will get a “404” page.
If you add Login Query and Admin Login key after wp-login.php access will be possible. The syntax is as follows:
– Hide Admin: This option allows you to deny access to the wp-admin folder.
– Spy Notify: This is an option you should use with caution if you have a website that generates huge traffic. If this option is activated then the website administrator will receive an email notification whenever someone gets the 404 page. This email will contain a link to the 404 page and basic user information.
– Anti-Spam: This is a very useful option that will block SPAM in your comments. If you are using another anti-spam plugin then it would be best to keep this option off to avoid conflicts between the two plugins.
– Full Hide: If you have used a CMS detector and WordPress has been successfully detected, then you need an even higher level of security. This option will further secure your site and ensure that CMS detectors cannot find out which CMS you are using.
– Hide Other Files: The WordPress installation includes some files such as license information, various logs and more. These files are generally not important or even required for the proper functioning of a WordPress website. Such files can, however, be a giveaway to an attacker that your website is using WordPress and even tell the attacker which WP version it’s on. This option hides such files so that no one can access them.
– Directory list: This option is used to disable directory listing on your site
– Canonical redirect: This is an option you will only use if you enable permalink structure. This way you will use query URLs.
– Hide Admin Bar: One of the best options, it will hide the admin bar from the user roles you choose.
– 404 page template: On this option you choose which page you want to be displayed when the user accesses hidden or non-existent content. By default, a WordPress 404 page will be displayed, but you can create your own 404 page and set it to show in the case of non-existent or hidden content.
– Trusted user roles: This option allows you to set which user roles can access the WordPress admin dashboard. Administrators are already trusted, but if you want to add another group of users you can do so here.
– Replace mode: The Hide My WP plugin replaces old URLs with new URLs, which can sometimes slow down your site if you don’t use a caching plugin. You can choose from two options, partial mode and full page mode. The first option will only change addresses as needed, and the second option will scan the complete output. A very useful option to speed up your site if you are not using a caching plugin.
– Customized htaccess: If you want this plugin not to add new values
– CDN path: If you use a CDN network to serve content to your users then you will enter your CDN URL within this option
– Email sender address: Within this option you enter the e-mail address and name that will appear to your users when they receive your e-mail
– Hide PHP files: This is a great option that provides extra security to your site but you must use it with caution. Direct access to .php files will be disabled. However, many themes and plugins need direct access to certain PHP files to work properly. You must add the files required for their proper operation to the “Excluded files” list.
Next on the list is the “Permalinks” tab. The options contained within this tab are:
– New theme path: Using this option you can set a new theme path. The complete path to the themes folder can be renamed in just one word. Automatically all theme paths will be renamed in the source code. There is support for using nested folders as well.
– New style name: This option is useful if you want to change style.css to another name. However, this option depends on the new theme path. If you have set “mythemes” for the new theme path then the new style name will be “//mythemes/newstylename.css.” It is very important to remember that a new theme path must be entered in order for this to work.
– Style Expiry Header: Here you can tune the expiry header in days for the newly created style name.
– Auto Configuration: This is a great option that will hide popular plugins if you have installed any.
– New wp-includes path: If you want to change the name of /wp-includes then you will do so within this option.
– New plugin path: This option will allow you to change the path to plugins folder to any name you want. The complete path can be changed in just one word and everything will work perfectly.
– Rename plugins: This is a great option that will change the name of the plugin within the new plugin path so that no one will know which plugin it is.
– New upload path: This option is used to rename /wp-content/uploads/ to any other name and thus further increase the level of security on your website.
– Post comment: The wp-comments-post.php file is used to add comments on your WordPress posts and pages. You can rename it using this option. This can be another great way to combat spam on your website.
– AJAX URL: Within this option you change the path to the admin-ajax.php file that manages all AJAX actions on your site.
– New wp-content path: As the name suggests, this option will change the path to /wp-content to any value that you specify.
– Change login URL: This is a great option to change the URL to /wp-login.php file and disable the attempt to forcibly log in to your site
– New wp-admin path: This option allows you to change the /wp-admin path to something else. You have to be very careful when using this option because you have to update the wp-config.php file.
– API options: If the REST API is enabled then this option allows you to rename the API Base and API Query.
– Author options: If author links are enabled then you can use this option to set new names for Author Base and Author Query.
– Feeds options: If you have feeds enabled, you can set new names for Feed Base and Feed Query within this option.
– Post options: this is a great option that allows you to change the WordPress permalink structure.
– Page options: If you have ever wanted to enable or disable pages URL then you can do so using this option.
– Paginate options: If you have a WordPress website which has a lot of content and a lot of posts then they must be paginated. Using this option you can change the pagination URL.
– Category/tag/search options: This option will allow you to rename category/tag/ search URLs.
– Search base redirect: This option will rename the default search base which means that the user will be redirected to “search base/keyword” when searching for something.
– Disable archive: This option allows you to disable archive pages without affecting the categories, tags and taxonomies.
– Disable other WP: This is the option you will probably use the least, and it serves to disable things like attachments, post types and comment pages. It may be helpful for some users.
The next tab is “Protection” and inside it you will adjust the basic security settings for your site.
This tab contains the following options:
– Enable IDS: Intrusion detection system serves to monitor incoming requests, and if any of them are malicious they will be automatically blocked.
– Alert Email: If IDS is enabled here you will enter the administrator e-mail to which IDS-related messages will be sent
– Logs: In this option you can view IDS logs. If you don’t need them, you can always delete them.
– Log threshold: In this option you define the minimum total impact value to eliminate requests. If you want to disable logging then type 0.
– Block threshold: In this option the minimum total impact value is adjusted to block the request to a 404 page.
– Notify threshold: In this option you set the number of malicious attempts after which an email is sent to the administrator. If you want to disable this option then enter 0 in the field.
– Exception fields: In this option you can enter fields or request names that will be excluded from the intrusion detection system.
– Trust network: This option allows you to connect to a trust network.
– Scan my WP Whitelist: If you use the Scan My WP plugin then this option will whitelist its API to scan your site.
– Blocked IPs: In this field you can enter the IP addresses that you want to block from accessing your site.
– Blocked message: If a visitor from a blocked IP address visits your site, the message you entered in this option will be displayed.
– Blocked Countries Code: If you want to deny access to your site from certain countries then enter country codes in this field. If there is more than one country code, separate them with commas and use the ISO-2 code list.
– Allowed Countries Code: Only visitors from this list will be able to access your website.
The “Cleanup” tab contains the following options:
– Minify HTML: In WordPress code there may be some HTML code that will reveal that you are using a WordPress CMS. This option can eliminate HTML comments and compress your page to make it faster to load.
– Minify style: If you have defined New style name then you can minify its content. This option will delete all information about the author of the theme or plugin, and will also delete all other CSS comments and allow your pages to load much faster.
– Replace \ / URLs: This is a great option that allows you to rename default WordPress paths such as plugins, themes and wp-content.
– Remove Feed/Other Meta: If someone is looking at the source code of your WordPress site then they may notice additional meta headers generated by WordPress. This option allows you to remove feed and other meta content.
– Remove body/post/menu class: There are many CSS classes that WordPress has added within some elements in the code. Using this option you can delete them all.
– Default tagline: This option is used to hide the default site tagline
– Remove version: A great option that will remove version from style and scripts URLs.
– Clean style: This option will replace the default WordPress gallery and images classes with their new names
– Change nonce: If you enable this option then _wpnonce will be replaced with _nonce.
– Internal CSS/JS: If you have custom CSS/JS code then you can type it within this option and overwrite it over some existing CSS code
The last tab in the configuration of this plugin is “Replace.”
Available options are:
– Replace in HTML: If you have some text or comments inside the page source and want to replace it then this is an option to help you finish the job
– Replace URLs: This option will only be used to replace URLs
Having described all the options of this great plugin, it’s time to show how it works in practice.
In the image below you can see the normal access to our wp-login.php file:
As you can see, everyone can access the login page. However, when we activate the plugin and define the login query and admin login key, no one can log in anymore because the structure of the login link is different. See the URL in the image below.
In this case, for demonstration purposes, we set the login query to “templatic” and the admin key to “12345.”
You can see the correct login page link in the image below. As you can see the page opens normally.
The same applies to the source code. If we look at our source code before activating the plugin we can see which plugins and themes are in use.
After activating the plugin, all information about our themes, plugins and CSS is hidden.
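To verify this on your own site, you can scan the rendered HTML for the markers that the Permalinks and Cleanup options described above are meant to remove. The following Python script is an added example, not part of the plugin or of the original article; the marker list, the constructed sample pages and the function name `audit_html` are assumptions made for illustration.

```python
import re

# Each entry: (marker, regex, Hide My WP option named in the article that should remove it).
# The marker list is an assumption for illustration, not the plugin's own logic.
MARKERS = [
    ("generator meta tag", r'<meta[^>]+name=["\']generator["\'][^>]+WordPress',
     "Remove Feed/Other Meta"),
    ("default wp-content/wp-includes path", r'/wp-(?:content|includes)/',
     "New wp-content path / New wp-includes path"),
    ("default login or admin URL", r'/wp-(?:login\.php|admin/)',
     "Change login URL / New wp-admin path"),
    ("REST API base", r'/wp-json/', "API options"),
    ("version query string", r'\.(?:css|js)\?ver=[\w.]+', "Remove version"),
    ("default nonce field", r'\b_wpnonce\b', "Change nonce"),
    ("WordPress CSS classes", r'class=["\'][^"\']*\b(?:wp-|postid-|page-id-|menu-item-)',
     "Remove body/post/menu class"),
    ("HTML comment", r'<!--(?!\[if).*?-->', "Minify HTML"),
]

def audit_html(html):
    """Return (marker, matched sample, option to review) for each leak still present."""
    findings = []
    for name, pattern, option in MARKERS:
        match = re.search(pattern, html, re.IGNORECASE | re.DOTALL)
        if match:
            findings.append((name, match.group(0)[:60], option))
    return findings

# Constructed sample pages (not taken from a real site).
BEFORE = """<html><head>
<meta name="generator" content="WordPress 6.4" />
<link rel="https://api.w.org/" href="/wp-json/" />
<link rel="stylesheet" href="/wp-content/themes/example/style.css?ver=6.4" />
<!-- constructed plugin banner comment -->
</head><body class="home page-id-2 wp-custom-logo">
<form><input type="hidden" name="_wpnonce" value="abc123" /></form>
<a href="/wp-login.php">Log in</a>
</body></html>"""

AFTER = """<html><head>
<link rel="stylesheet" href="/mythemes/newstylename.css" />
</head><body class="home">
<form><input type="hidden" name="_nonce" value="abc123" /></form>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("before", BEFORE), ("after", AFTER)):
        leaks = audit_html(page)
        print(f"{label}: {len(leaks)} marker(s) found")
        for name, sample, option in leaks:
            print(f"  {name}: {sample!r} -> review '{option}'")
```

The check covers only the HTML of the page you pass in, so run it against several page types (home, single post, archive) after changing settings.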
As we have already mentioned, there are thousands of attacks on WordPress sites every day. If you make an effort to secure your site you will be pretty safe, as attackers usually choose sites that are poorly protected or not protected at all. If you hide from the attacker the fact that you are using WordPress, they will probably give up their intentions because finding bugs in an unknown CMS is a long and tedious job. In this article we have described the Hide My WP plugin, which is one of the best security plugins available on the market. In addition to hiding the fact that your site uses WordPress, the set of additional tools this plugin offers will make your site safer from any type of cyber attack. This is a great security plugin that every serious WordPress site owner or administrator should have in his/her collection.