WP Hide & Security Enhancer


La manera fácil de ocultar completamente tu WordPress, archivos del nucleo, página de acceso, temas y rutas de los plugins de ser mostrados en el lado público. Esta es una gran mejora con respecto a la seguridad del sitio, nadie sabrá que realmente ejecutas WordPress. Proporciona una forma simple de limpiar el html eliminando todas las huellas dactilares de WordPress.

No cambia ningún archivo ni directorio
¡No se cambia ningún archivo ni directorio en ningún lado, todo se procesa virtualmente! El código del plugin utiliza técnicas de reescritura de URL y filtros de WordPress para aplicar todas las funciones y características internas. Todo se hace automáticamente, no requiere intervención del usuario.

Oculta realmente los archivos del núcleo y los plugins de WordPress
El plugin no solo permite cambiar las URL por defecto de tu WordPress, oculta/bloquea por defecto muchos códigos similares, solo cambia slugs, pero los valores por defecto siguen siendo accesibles, inconscientemente revelador WordPress como CMS.

Cambia las URL de acceso de WordPress por defecto, de wp-admin y wp-login.php a algo totalmente arbitrario. Nadie sabrá nunca dónde intentar el acceso y piratear tu sitio. ¡Totalmente invisible!

La documentación completa del plugin está disponible en WordPress Hide and Security Enhancer – Documentación

Al realizar pruebas con el tema de WordPress y los servicios/sitios de detección de plugins, es posible que cualquier cambio de configuración no se refleje de inmediato en sus informes, ya que utilizan caché. Así que es posible que desees volver a comprobarlo más tarde, o probar con otra url interna diferente, el uso de la url de la página de inicio no es obligatorio.

Being the best content management system, widely used, WordPress is susceptible to a large range of hacking attacks including brute-force, SQL injections, XSS, XSRF etc. Despite the fact the WordPress core is a very secure code maintained by a team of professional enthusiast, the additional plugins and themes makes the vulnerable spot of every website. In many cases, those are created by pseudo-developers who do not follow the best coding practices or simply do not own the experience to create a secure plugin.
Statistics reveal that every day new vulnerabilities are discovered, many affecting hundreds of thousands of WordPress websites.
Over 99,9% of hacked WordPress websites are target of automated malware scripts, who search for certain WordPress fingerprints. This plugin hide or replace those traces, making the hacking boots attacks useless.

Works fine with custom WordPress directory structures e.g. custom plugins, themes, uplaods folder.

Once configured, you need to clear server cache data and/or any cache plugins (e.g. W3 Cache), for a new html data to be created. If use CDN this should be cache clear as well.

Sample usage

Main plugin functionality:

  • Custom Admin Url
  • Block default admin Url
  • Block any direct folder access to completely hide the structure
  • Custom wp-login.php filename
  • Block default wp-login.php
  • Block default wp-signup.php
  • Block XML-RPC API
  • New XML-RPC path
  • Adjustable theme url
  • New child Theme url
  • Change theme style file name
  • Clean any headers for theme style file
  • Custom wp-include
  • Block default wp-include paths
  • Block defalt wp-content
  • Custom plugins urls
  • Individual plugin url change
  • Block default plugins paths
  • New upload url
  • Block default upload urls
  • Remove wordpress version
  • Meta Generator block
  • Disble the emoji and required javascript code
  • Remove pingback tag
  • Remove wlwmanifest Meta
  • Remove rsd_link Meta
  • Remove wpemoji
  • Minify Html, Css, JavaScript

and many more.

No other plugins functionality is being blocked or interfered in any way, everything will function the same

This plugin allow to change default Admin Url’s from wp-login.php and wp-admin to something else. All original links return default theme 404 Not Found page, like nothing exists there. Beside the huge security advantage, this save lots of server processing time by reducing php code and MySQL usage since brute-force attacks trigger wrong urls.

Important: Compared to all other similar plugins which mainly use redirects, this plugin return a default theme 404 error page for all block url functionality, so is not revealing at all the link existence.

Since version 1.2 Change individual plugin urls which make them unrecognizable, for example change default WooCommerce plugin urls and dependencies from domain.com/wp-content/plugins/woocommerce/ to domain.com/ecommerce/cdn/ or anything customized.

Plugin Sections

Rewrite > Theme

  • New Theme Path – Change default theme path
  • New Style File Path – Change default style file name and path
  • Remove description header from Style file – Replace any WordPress metadata informations (like theme name, version etc) from style file
  • Child – New Theme Path – Change default child theme path
  • Child – New Style File Path – Change child theme stylesheed file path and name
  • Child – Remove description header from Style file – Replace any WordPress metadata informations (like theme name, version etc) from style file

Rewrite > WP includes

  • New Includes Path – Change default wp-includes path / url
  • Block wp-includes URL – Block default wp-includes url

Rewrite > WP content

  • New Content Path – Change default wp-content path / url
  • Block wp-content URL – Block default content url

Rewrite > Plugins

  • New Plugins Path – Change default wp-content/plugins path / url
  • Block plugins URL – Block default wp-content/plugins url
  • New path / url for Every Active Plugin
  • Custom path and name for any active plugins

Rewrite > Uploads

  • New Uploads Path – Change default media files path / url
  • Block uploads URL – Block default media files url

Rewrite > Comments

  • New wp-comments-post.php Path
  • Block wp-comments-post.php

Reescribir > Autor

  • Nueva ruta de autor
  • Bloquear ruta por defecto

Reescribir > Buscar

  • Nueva ruta de búsqueda
  • Bloquear ruta por defecto

Rewrite > XML-RPC

  • New XML-RPC Path – Change default XML-RPC path / url
  • Block default xmlrpc.php – Block default XML-RPC url
  • Disable XML-RPC authentication – Filter whether XML-RPC methods requiring authentication
  • Remove pingback – Remove pingback link tag from theme

Rewrite > JSON REST

  • Disable JSON REST V1 service – Disable an API service for WordPress which is active by default.
  • Disable JSON REST V2 service – Disable an API service for WordPress which is active by default.
  • Block any JSON REST calls – Any call for JSON REST API service will be blocked.
  • Disable output the REST API link tag into page header
  • Disable JSON REST WP RSD endpoint from XML-RPC responses
  • Disable Sends a Link header for the REST API

Rewrite > Root Files

  • Block license.txt – Block access to license.txt root file
  • Block readme.html – Block access to readme.html root file
  • Block wp-activate.php – Block access to wp-activate.php file
  • Block wp-cron.php – Block access to wp-cron.php file
  • Block wp-signup.php – Block default wp-signup.php file
  • Block other wp-.php files – Block other wp-.php files within WordPress Root

Rewrite > URL Slash

  • URL’s add Slash – Add a slash to any links without. This disguise any existing for a file, folder or a wrong url, they all be all slashed.

General / Html > Meta

  • Remove WordPress Generator Meta
  • Remove Other Generator Meta
  • Remove Shortlink Meta
  • Remove DNS Prefetch
  • Remove Resource Hints
  • Remove wlwmanifest Meta
  • Remove feed_links Meta
  • Disable output the REST API link tag into page header
  • Remove rsd_link Meta
  • Remove adjacent_posts_rel Meta
  • Remove profile link
  • Remove canonical link

General / Html > barra de administración

  • Quitar la barra de administración de WordPress de perfiles de usuario especificados

General / Feed

  • Remove feed|rdf|rss|rss2|atom links

General / Robots.txt

  • Disable admin url within Robots.txt

General / Html > Emoji

  • Disable Emoji
  • Disable TinyMC Emoji

General / Html > Styles

  • Remove Version
  • Remove ID from link tags

General / Html > Scripts

  • Remove Version

General / Html > Oembed

  • Remove Oembed

General / Html > Headers

  • Remove X-Powered-By Header
  • Remove X-Pingback Header

General / Html > HTML

  • Remove HTML Comments
  • Minify Html, Css, JavaScript
  • Remove general classes from body tag
  • Remove ID from Menu items
  • Remove class from Menu items
  • Remove general classes from post
  • Remove general classes from images

Admin > wp-login.php

  • New wp-login.php – Map a new wp-login.php instead default
  • Block default wp-login.php – Block default wp-login.php file from being accesible

Admin > Admin URL

  • New Admin Url – Create a new admin url instead default /wp-admin. This also apply for admin-ajax.php calls
  • Block default Admin Url – Block default admin url and files from being accesible


  • CDN Url – Set-up CDN if apply, some providers replace site assets with custom urls.

Something is wrong with this plugin on your site? Just use the forum or get in touch with us at Contact and we’ll check it out.

A website example can be found at http://nsp-code.com/demo/wp-hide/ or our website WP Hide and Security Enhancer

Página de inicio del plugin WordPress Hide and Security Enhancer

Este plugin está desarrollado por Nsp-Code

Adaptación local

Please help and translate this plugin to your language at https://translate.wordpress.org/projects/wp-plugins/wp-hide-security-enhancer

Please help by promoting this plugin with an article on your site or any other place. If you liked this code or helped with your project, consider to leave a 5 star review on this board.


  • Admin Interface.
  • Sample front html code.


  1. Upload the plugin files to the /wp-content/plugins/wp-hide-security-enhancer directory, or install the plugin through the WordPress plugins screen directly.
  2. Activate the plugin through the ‘Plugins’ screen in WordPress.
  3. Use the WP Hide menu screen to configure the plugin.

Preguntas frecuentes

Feel free to contact us at electronice_delphi@yahoo.com

Does the plugin change anything on my server

Absolute none! No file and directory is being changed anywhere, everything is processed virtually! The plugin code use URL rewrite techniques and WordPress filters to apply all internal functionality and features.

Can i still update WordPress, my plugins and themes?

Everything works as before, no functionality is being breaked. You can run updates at any time.

Something is wrong, what can i do? How can i recover my site?
  • First, stay calm. There will be no harm, guaranteed 🙂
  • Go to admin and change some of plugin options to see which one cause the problem. Then report it to forum or get in touch with us to fix it.
  • If you can’t login to admin, use the Recovery Link which has been sent to your e-mail. This will reset the login to default.
  • If none of above worked for you, or you can’t find the recovery link, delete the plugin from your wp-content/plugins directory. Then remove any lines in your .htaccess file between
    BEGIN WP Hide & Security Enhancer
    END WP Hide & Security Enhancer

  • At this point the site should run as before. If for some reason still not working, you missed something, please get in touch with us at electronice_delphi@yahoo.com and we’ll fix it for you in no time!

I have no PHP knowledge at all, is this plugin for me?

There’s no requirements on php knowledge. All plugin features and functionality are applied automatically, controlled through a descriptive admin interface.

I can’t find a functionality that i’am looking for

Please get in touch with us and we’ll do our best to include it for a next version.


Great Plugin

I've been using this plugin for 3 months now and I must say it's really easy to install and setup. Unlike others plugin, it offers all its core (and most important) features for free. I've also had the pleasure to contact the Plugin Developer for support and he fixed a compatibility issue quickly and professionally (even though I was using the free version). So, overall a great plugin with great support!

Clean Code And Good Plugin.

I like your plugin, is a good one, it helped me in hiding my site [https://www.ngospelmedia.net] information's on the web, no one can know that i am using wordpress and the plugins and themes i am using as well. Good Job.

Support is very good

add-on is very successful loginform-custom" id="loginform-custom" action="https://www.xxxxx.com/*****" method="post" site url appears on page source how can i hide it ?????

Worth it

If you want to improve your wordpress security, I recommend installing this plugin. It works good itself and in case of any problems you can expect quick reaction from the developers. Keep up the good work.
Leer todas las 124 reseñas

Colaboradores y desarrolladores

“WP Hide & Security Enhancer” es un software de código abierto. Las siguientes personas han colaborado con este plugin.


“WP Hide & Security Enhancer” ha sido traducido a 2 idiomas. Gracias a los traductores por sus contribuciones.

Traduce “WP Hide & Security Enhancer” a tu idioma.

¿Interesado en el desarrollo?

Revisa el código , echa un vistazo al repositorio SVN , o suscríbete al log de desarrollo por RSS .

Registro de cambios

  • Compatibility module for ShortPixel Adaptive Image plugin
  • Add support for texarea fields within plugin options interface
  • Fixed urls for minified files when using WP Rocket cache plugin

  • Filter remove fix

  • Corregida la página de inicio de sesión cuando se utiliza la caché de Wp Rocket

  • Corregida sustitución del escritorio de administración cuando se usa la caché de Wp Rocket

  • Corregida la caché de Wp Rocket cuando usas minimizar y concatenación
  • Nueva funcionalidad – Quitar la barra de administración de perfiles específicos
  • El módulo de estructura de bloques se extiende para ser compatible con ‘callback_arguments’ para pasar a través de datos adicionales a la función de procesamiento
  • Redirigir la url de búsqueda por defecto de una url no amigable a una personalizada


  • Nuevo componente: Reescribir autor
  • Nuevo componente: Reescribir buscar
  • Muestra el enlace de recuperación en la parte superior de la página para asegurarse de que todos puedan guardar el enlace para usarlo si algo sale mal.
  • Enviar código de recuperación al correo electrónico del administrador del sitio
  • Ajustes menores del código
  • Envía la nueva url de acceso al correo electrónico del administrador del sitio, para garantizar que el usuario pueda recuperar el acceso al panel de control si olvida el nuevo slug
  • Se eliminaron los métodos no utilizados dentro del componente WPH_module_rewrite_new_include_path

  • Corrección: Método no definido para el módulo de compatibilidad de WooCommerce

  • Allow rewrite for images within admin, as being reversed to default when saving the post


  • Reestructuración de la compatibilidad, uso de un módulo general.
  • Corregida compatibilidad con Shield Security wp-simple-firewall
  • Se elimina el filtro upload_dir ya que produce algunos problemas en un entorno específico, las posibles incompatibilidades se procesarán posteriormente en el módulo de compatibilidad General
  • Filtra el contenido de la publicación en la acción save_post, para revocar cualquier slug personalizada como URLs de medios, para conservar la compatibilidad con versiones anteriores, en caso de que se desactive el plugin
  • Asegúrate de que wp-simple-firewall se ejecuta una vez cuando se llama desde múltiples componentes
  • Actualización para el componente Rewrite Slash, usa una reescritura condicional para asegurarte de que el código no se active para el método POST

  • Fix JSON encoded urls when using SSL


  • Remove _relative_domain_url_replacements_ssl_sq and _relative_domain_url_replacements_ssl_dq replacements for buffer as being integrated to other variables
  • Relocated upload_dir() to general functions.php to catch new content and uploads slugs.
  • Use full domain url for new wp-admin slug, instead relative to avoid wrong replacements for 3rd urls
  • Use full domain url for new wp-login.php, instead relative to avoid wrong replacements for 3rd urls
  • Typos fix for CDN texts
  • Additional description for “Block any JSON REST calls” option to prevent Gutenberg block
  • Updated rewrite for URL Slash to include a second conditional, to not trigger on POST calls

  • Add trailingslashit to plugins slug to be used for replacements to avoid wrong (partial) slug changes

  • Fixed upload rewrite by using default_variables[‘upload_url’]
  • Verificación de compatibilidad con WordPress 5.0


  • Se ha actualizado los archivos de idiomas po
  • CDN support when using custom urls
  • Moved the action replacement for wp_redirect_admin_locations at _init_admin_url()
  • Trigger the action replacement for wp_redirect_admin_locations only if new admin slug exists
  • Preserve absolute paths when doing relative replacements
  • Populate upload_dir() data with new url if apply
  • When doing reset, empty all options before fill in existing with default to ensure deprecated data is not being held anymore

  • Do not redirect to new admin url unless rewrite_rules_applied()
  • Generate no rewrite rules if there’s no options / reset
  • Se ha eliminado cualquier variable pasada al llamar a la acción do_action(‘wph/settings_changed’) ya que la función no puede aceptar ningún argumento.
  • Re-generate a new write_check_string on settings change to ensure if no .htacccess / web.config file is writable, it trigger correct error and flag the disable_filters variable.
  • Use inline JS code confirmation for Reset Settings, in case the separate JavaScript file is not loaded caused by an rewrite issue.
  • Reset confirmation message update to better inform the admin upon the procedure to follow.
  • WPEngine environment check, as they do not support Apache rewrite out of the box
  • Strip off protocol and any www prefix for site_url and home_url to ensure accurate comparing
  • Fixed redirect url when saving the options and WordPress deployed in subfolder
  • Fixed redirect url when reset all options and WordPress deployed in subfolder
  • Improved compatibility for WordPress subfolder install
  • Fixed some rewrite lines when WordPress installed in a path and subfolder
  • Replaced the internal variable permalinks_not_applied to more intuitive custom_permalinks_applied
  • Restart the buffering if flushed out, mainly used for footer when updating plugins and themes
  • Add textdomain for multiple untranslated texts
  • Updated PO language file
  • Fixed textdomain for couple texts
  • Add text to textdomain

  • Updated MU Loader, if there’s no plugin active avoid to receive any notice.
  • Allow new wp-login.php
  • Disponible versión PRO
  • Check if there’s a ‘message’ key for arguments set through wp_mail filter
  • Se ha actualizado los archivos de idiomas po

  • WPML compatibility when use different domains for each language
  • Se ha sustituido google social ya que produce algunos errores de JavaScript.
  • Do not apply the admin/login replacements if permalinks where not applied.
  • Language Po file update
  • Minify replaces ‘Remove new line carriage’
  • Minify Html, Css, JavaScript
  • Opciones para que Minify comprima los diferentes componentes
  • Arreglado el conflicto con Shield Security

  • PHP 7.2 compatibility
  • Replaced trilingslashit from the end of template url to improve compatibility with urls (e.g. JavaScript variables) which does not include an ending slash.

  • WooCommerce downloadables fix when using custom slug for uploads
  • Include support for admin_url() along with admin-ajax.php
  • Fixed redirect link after user register.
  • Use get_rewrite_base and get_rewrite_to_base for all modules to apply correct site path and any WordPress subdirectory install
  • WordPress subdirectory install compatibility fix
  • Improved router file processor for WordPress subdirectory installs


  • Rewrite changes for many components
  • Rewrite update for admin and login url
  • Typos fix
  • Compatibility for diferent environments, when WordPress deployed in a domain root, a subdirectory, or it’s own folder https://codex.wordpress.org/Giving_WordPress_Its_Own_Directory

  • Fixed rewrite ens slashes for wp-login.php and wp-admin components

  • Fixed hardcoded wp-register.php within rewrite – root files component
  • Updated components to rewrite_base / rewrite_to system
  • Improved components: Rewrite – WP Includes, Rewrite – WP Content, Rewrite – Plugins, Rewrite – Uploads, Rewrite – Comments, Rewrite – Root Files, Admin – wp-login.php, Admin – Admin Url
  • Typo fix environemnt to environment
  • New Component – Remove Shortlink Meta
  • New Component – Remove new line carriage
  • Apply relative paths change on styles only if main theme / child theme rewrite slug is not empty
  • Improved interface errors and warnings transient structure
  • Use ABSPATH and Environemnt data to create file path for file processing, instead just ABSPATH, for better compatibility

  • Prevent the wp-register.php redirect to new login page when using block
  • Prepare plugin for Composer package
  • URL Slash description update
  • xml_rpc_path add php_extension_required validation
  • File processor use ABSPATH instead DOCUMENT_ROOT environment variable to avoid different paths on certain systems
  • Allow path structure to be used for New Theme Path and Child – New Theme Path

  • Media Galery src images fix
  • Use separate variables for holding replacements to avoid key overwrite


  • Add replacements for urls which does not contain explicit protocol e.g. http: or https:
  • Avada cache URLs replacements support
  • Fix processing_order for specific root files
  • Ignore wp-register.php when blocking other wp-* files
  • Fixed wp-register.php block
  • Check for replacements on url encoded links
  • Show message notices on General/HTML -> Html for options which may interfere with themes.
  • sanitize_file_path_name fix when slug include a file type extension
  • Prevent redirect to new url when accessing links through www
  • New component Feeds
  • Windows – Global file process rewrite rules update

  • If no server type identification possible, try to check for .htaccess file
  • Improved .htaccess search mod, Use preg_grep for identify the begin and end of WordPress rules
  • Output notice when no supported server was found
  • Use separate block of rules for .htaccess file, outside of WordPress lines
  • Improved server htaccess support check
  • Moved WPH_CACHE_PATH constant declaration from mu loader to wph class
  • Use shutdown hock instead wp_loaded when plugin inline updated
  • Use FS_CHMOD_FILE for $wp_filesystem->put_contents

  • Fixed default wp-content block
  • Updated compatibility with WP Fastest Cache
  • Fixed wp-content replacement

  • Replace the file-process file remove update


  • New component : Robots.txt to control the outputed data
  • Check if any environment variable has changed before Update static environment file
  • Improved Default constants map
  • File-processing check WordPress wp-load.php down the path, for custom install directory.
  • Templates style clean
  • Use cache for cleaned styles files
  • Set HTTP_MOD_REWRITE environment variable through mod_rewrite
  • Separate rewrite rules from WordPress and use distinct block with specific marker
  • Add relative .htaccess file manipulation to avoid accessing permissions when WordPress installed within a subfolder.
  • Updated .po language file


  • Tags update


  • Replaced “Remove description header from Style file” and “Child – Remove description header from Style file” functionality


  • Security improvments


  • Fix: Allow only css files to be processed through the router to prevent other types from being displayed arbitrary.
  • Mu-loader updated version
  • Environment allowed path to limit css files processing
  • Include _get_plugin_data_markup_translate ratter WordPress method
  • Fix: replacement_exists returned wrong response since not using priority keys
  • Fix: Add media replacement, use correct replacement_exists function call
  • Router check for client HTTP_ACCEPT_ENCODING type to start ob_start using ob_gzhandler or not.
  • Update urls dynamically within stylesheets files e.g. include ‘../theme-name’
  • Use trailingslashit for theme / child new urls to make sure it match full url instead partial theme name (e.g. main-theme and main-theme-child)
  • Block wp-register.php
  • get_home_path rely on DIRECTORY_SEPARATOR for better compatibility
  • Check if plugin slug actually exists within all plugins list on re_plugin_path component

  • Fix: Use of undefined constant WPH_VERSION

  • Fix: Child theme settings not showing up
  • Use register_theme_directory if empty $wp_theme_directories
  • Plugin Options validation improvements for unique slug


  • General / Html > Meta -> new option Remove DNS Prefetch
  • New component – Comments
  • Fix: Updated admin urls on plugin / theme / core update page
  • fix: WP Rocket url replacements for non cached pages
  • Regex patterns updates for better performance and compatibility
  • Fix: WP Rocket – support HTML Optimization, including Inline CSS and Inline JS

  • Fix – Create mu-plugins folder if not exists


  • WP Rocket plugin compatibility module
  • Plugin loader component through mu-plugins for earlier processing and environment manage
  • Fix: Plugins Update iframe styles src
  • Fix: WordPress Core Update redirect url
  • WP Fastest Cache plug in compatibility improvements


  • Sanitize Admin Url for not using extension (e.g. .php) as it confuse the server upon the headers to sent
  • Fix: replacements links when using custom directory for WordPress core files
  • Fix: child theme path fix when changing style filename
  • New Theme Path – help resource link fix
  • Changed from DOMDocument to preg_replace for better compatibility with themes and plugins
  • Improved execution speed

  • Fixed PHP Notice: Undefined variable: dom

  • W3 Total Cache – Page Cache compatibility fix
  • Canonical tag replacement improvements
  • Pingback tag replacement improvements
  • Fix custom Background Images for body on themes which support that feature


  • Post-process on options interface save for unique slugs on any text inputs to prevent conflicts.
  • Processing Order change for new_theme_child_path to occur before new_theme_path
  • New COmponent General -> Oembed
  • Remove Oembed tags from header
  • Remove Remove Resource Hints tags from header
  • rewrite rules update to match only non base, from (.*) to (.+)
  • wph-throw-404 improvements
  • BuddyPress conflict handle for uploaded gravatars
  • Admin Style changes
  • BuddyPress Conflict Class handler
  • Separate WordPress meta Generator and Other Meta Generator
  • Process Location value within sent Headers list if exists
  • Replacements for https and http urls relative to domain
  • Add replacements for relative paths to cover WordPress installs within a folder.
  • Use untralingslashit when creating theme and child theme url replacements
  • Fix for Call to a member function is_404() on a non-object within wp_redirect

See full list of changelogs at http://www.wp-hide.com/plugin-changelogs/