Hide My WP

Tutorial for the WordPress Premium Plugin Hidy My WP

WordPress is one of the most popular blog and content management systems on the net. More and more often, this system becomes the victim of attackers who look for weak points in the system in order to exploit them. If WordPress itself is now one of the most secure systems on the market, this does not necessarily apply to the numerous extensions, plugins and themes that are integrated into WordPress.

“Hide My WP” is a plugin that approaches this problem in an interesting way. It simply disguises the identity of the website. After all, a potential attacker must first know that the system he wants to attack is a WordPress system. WordPress, like other systems, does not necessarily hide its identity. There are many ways to find out if the system is a WordPress system, here are just a few examples:

Can I log into the system via
What happens if I enter
Are the images stored in a subdirectory of wp-content/?
Is there a theme?
Are the classic ones assigned in the body tag?

This information can be retrieved from any WordPress page to determine whether a system is WordPress. Once the potential attacker knows that a WordPress system is involved, he can search for potential vulnerabilities such as vulnerable plug-ins and the like. However, all this only makes sense once the attacker has determined the identity of the website.
What if he is prevented from doing so?

Hide my WP” now begins to modify treacherous file paths with numerous operations, especially on the .htaccess file of the WordPress system. In this tutorial I show you how you can make your site more secure with the help of Hide my WP.

After you have purchased the paid plugin from Codecanyon, you first install it like any other plugin. In the WordPress Dashboard and Settings you can now configure Hide My WP. First you should make sure that the .htaccess file can be described by WordPress. If you could change the permalink structure simply by pressing a button under Settings > Permalinks and did not have to upload a file yourself, this is the case.

If you click on Settings > Hide My WP, you will get to the start page of the plugin. There you should enter your purchase code, which you received with your order. If you have already used Hide My WP on another site and want to do essentially the same settings, you can easily import them. The export is also done on this page.

A small Fix Guide at the end of the start page helps with the usual problems that can occur with Hide My WP. And now you are more interested in the tab “General Settings”, in which the general settings can be done.

First you can define a new 404 error page. I always use the standard 404 page of WordPress, but you can also create a page and declare it 404. This makes sense especially if the standard 404 page of WordPress reveals the WordPress identity. In the next step, you can define which users are to be classified as trustworthy. This is of course first of all the administrator, but you can also include editors, authors, subscribers and other users of the site in the circle of trustworthy persons. In a later step, we will protect the /wp-admin/ directory from prying eyes. Even registered users cannot access this directory, unless they belong to the circle of trustworthy persons.

In the next step, the first action begins. By setting the checkbox “Hide wp-login.php” (which is set by default and should be set as well) you hide the login page from prying eyes. So if someone accesses the URL, he gets the 404 error page specified above.

But, how can I log in myself now?
In the next two steps you first define a login query and then an admin login key. These together form the URL for the WordPress login. Since you cannot log into WordPress without this URL after completing the configuration, you must make a note of it in a safe place. Let’s say you use “that’s the way” as query and “to login” as key, so you can access the login page via the following address:

In the next step you hide the /wp-admin/ directory by checking the box, which is also a necessary step.

After that you can specify if you want to be notified about “attacks”. “Spy Notify” may be a bit exaggerated here, because in fact you will be notified by email the moment someone accesses the 404 error page, which can have many reasons and is not necessarily due to an attack. Especially with highly frequented websites, this can lead to a high email volume. Nevertheless, this function is relatively useful. On the one hand you can see, if someone tries to access the wp-login.php and if necessary you can take further measures, like for example an IP block, whereby such measures cannot be realized with the help of “Hide My WP”. Another, though not necessarily intended, feature of “Spy Notify” may be to discover pages that many users go to, even though there is no content there. For example, if you change your permalink structure, many users may end up on 404 pages, or you may have moved a prominent blog entry, which may also result in many users not getting the content they want. If you realize with the help of the “Spy Notify” that you are losing a large number of users due to such an action, you can counter this by creating a redirect on the corresponding page or something similar (where for a redirect another plugin would have to be used). In any case you can try this option. You can turn it off at any time.

The next option “Customized htaccess” prevents the plugin from describing the htaccess. If you have changed your htaccess individually, you can prevent the plugin from overwriting these changes here. Instead, the plugin will give you the htaccess instructions you need to set up the .htaccess accordingly. Just click on the “Click here” link and switch to the Start tab. There you will see the corresponding instructions. But first all settings have to be done.

In the next section you can clean up the HTML header of WordPress, because even classic entries in the area betray WordPress. This includes first of all the automatically generated feed entries, which you can remove, meta tags like Shortlink and similar. For the WordPress users, who can log in (which is not necessarily only done via wp-login.php), but you still don’t trust them, you can also hide the admin bar. Stylesheets and Javascripts are output by WordPress with a version number by default. So instead of it says for example, which is quite treacherous, because the WordPress version is also announced with it. Here you can disable this versioning, which can also have an effect on the Google Pagespeed, because the script is cached and not called every time.

You can also hide other files like the license.txt in the root directory and other treacherous documents from unauthorized access.

Another group of settings takes care of classic CSS class names, which can be changed. These include body classes, but also post and menu classes. WordPress always uses the same class names (depending on the theme you use). Here you can prohibit the use of these classes. But not without reason these options are provided with an Asterix (*). These are CSS classes, which are often needed to display the layout of the page correctly.

The function “Compress Page” is interesting. This compresses the page and removes comments (text between ). Especially the removal of comments is an important function, because many plugins leave a comment in the HTML code like ““. For an attacker of course an excellent information. However, the compression of the HTML code will cause the page to slow down considerably. The plugin author therefore recommends to use this function only together with a cache plugin. Cache plugins such as W3 Total are excellent tools to speed up your website. However, especially in the case of online shops and other websites that work strongly with dynamic elements, such plug-ins can be dysfunctional, as they then partially output outdated information. If you are running a very complex WordPress site that also displays user information such as name or other things (say, users can log in to your site, possibly beyond the WordPress user system), cache plugins can even become a security risk. In such a case, you should carefully check the functionality of your site when using the cache plugin and, if necessary, use professional help.

But back to Hide My WP.
If you still find treacherous text fragments on your website despite the compression function (e.g. many themes provide the footer with a nice hint like “proudly presented by Themeauthor” or something similar), you can remove this in the text field “Replace in HTML” as well as in the next then treacherous URLs. However, before you make the effort, you should first make all the settings to see what’s left.

Now we turn to the last tab: “Permalinks & URLs”.
Here the default path information of WordPress will be changed. Normally you have path information like This URL immediately shows that the system is a WordPress system. First you can change the link to the theme and to the theme style. The style.css is not only treacherous because of its name, but also because it contains information like theme name and the like. With the help of the Minify Style you can now prevent such information. Also here you can change classic WP classes like wp-caption and others. Also other directories and PHP files like /wp-includes/, /wp-content/uploads/, /wp-content/plugins/ and so on can be given a new path and name.

Also treacherous are standard permalinks like /category/ or /author/, which are quite typical for WordPress. Here you can either deactivate the corresponding pages, or – which is more likely the case – if you want to keep these pages, change their permalinks.

The search field can also be treacherous. If you use the standard WordPress search, you will always get to[search term]. Hide My WP makes it possible to also rewrite this URL in order to hide the identity of the content management system.

Once all these settings have been made, it is almost impossible for an outsider to recognize that this website rests on a WordPress system. This is already a big step towards more security. Let’s say you have installed a popular plugin on your website and now an attacker finds that this plugin has a vulnerability that he wants to exploit. So he wanders through different websites to find out if it is a WordPress system and in the second step if the plugin is installed there. Now you are attackable in principle via the plugin, but the attacker will find it more difficult to determine this at all. However, this does not mean 100% security, because there is still a security gap with this plugin. Hide My WP significantly increases your protection, but cannot offer 100% security either. Even after the installation of this software it will be necessary to use security updates and other measures in order to offer attackers as little attack surface as possible.

The price of 20 dollars is well invested money. Have a look at the plugin at themeforest.