WP隐藏& 安全增强器的作者是Nsp Code,目前有60,000+个有效安装。已经Tested with 5.4.1版本的wordpress。

The easy way to completely hide your WordPress core files, login page, theme and plugins paths from being show on front side. This is a huge improvement over Site Security, no one will know you actually run a WordPress. Provide a simple way to clean up html by removing all WordPress fingerprints.

No file and directory change!
No file and directory is being changed anywhere, everything is processed virtually! The plugin code use URL rewrite techniques and WordPress filters to apply all internal functionality and features. Everything is done automatically, there’s no user intervention require at all.

Real hide of WordPress core files and plugins
The plugin not only allow to change default urls of you WordPress, but it hide/block defaults! Other similar plugins, just change the slugs, but the default are still accessible, obviously revealing WordPress as CMS

Change the default WordPress login urls from wp-admin and wp-login.php to something totally arbitrary. No one will ever know where to try to guess a login and hack into your site. Totally invisible !!

Full plugin documentation available at WordPress Hide and Security Enhancer Documentation

When testing with WordPress theme and plugins detector services/sites, any setting change may not reflect right away on their reports, since they use cache. So you may want to check again later, or try a different inner url, homepage url usage is not mandatory.

Being the best content management system, widely used, WordPress is susceptible to a large range of hacking attacks including brute-force, SQL injections, XSS, XSRF etc. Despite the fact the WordPress core is a very secure code maintained by a team of professional enthusiast, the additional plugins and themes makes the vulnerable spot of every website. In many cases, those are created by pseudo-developers who do not follow the best coding practices or simply do not own the experience to create a secure plugin.
Statistics reveal that every day new vulnerabilities are discovered, many affecting hundreds of thousands of WordPress websites.
Over 99,9% of hacked WordPress websites are target of automated malware scripts, who search for certain WordPress fingerprints. This plugin hide or replace those traces, making the hacking boots attacks useless.

Works fine with custom WordPress directory structures e.g. custom plugins, themes, uplaods folder.

Once configured, you need to clear server cache data and/or any cache plugins (e.g. W3 Cache), for a new html data to be created. If use CDN this should be cache clear as well.

Sample usage

Main plugin functionality:

Custom Admin Url
Block default admin Url
Block any direct folder access to completely hide the structure
Custom wp-login.php filename
Block default wp-login.php
Block default wp-signup.php
New XML-RPC path
Adjustable theme url
New child Theme url
Change theme style file name
Clean any headers for theme style file
Custom wp-include
Block default wp-include paths
Block defalt wp-content
Custom plugins urls
Individual plugin url change
Block default plugins paths
New upload url
Block default upload urls
Remove wordpress version
Meta Generator block
Disble the emoji and required javascript code
Remove pingback tag
Remove wlwmanifest Meta
Remove rsd_link Meta
Remove wpemoji
Minify Html, Css, JavaScript

and many more.

No other plugins functionality is being blocked or interfered in any way, everything will function the same

This plugin allow to change default Admin Url’s from wp-login.php and wp-admin to something else. All original links return default theme 404 Not Found page, like nothing exists there. Beside the huge security advantage, this save lots of server processing time by reducing php code and MySQL usage since brute-force attacks trigger wrong urls.

Important: Compared to all other similar plugins which mainly use redirects, this plugin return a default theme 404 error page for all block url functionality, so is not revealing at all the link existence.

Since version 1.2 Change individual plugin urls which make them unrecognizable, for example change default WooCommerce plugin urls and dependencies from domain.com/wp-content/plugins/woocommerce/ to domain.com/ecommerce/cdn/ or anything customized.


Rewrite > Theme

New Theme Path – Change default theme path
New Style File Path – Change default style file name and path
Remove description header from Style file – Replace any WordPress metadata informations (like theme name, version etc) from style file
Child – New Theme Path – Change default child theme path
Child – New Style File Path – Change child theme stylesheed file path and name
Child – Remove description header from Style file – Replace any WordPress metadata informations (like theme name, version etc) from style file

Rewrite > WP includes

New Includes Path – Change default wp-includes path / url
Block wp-includes URL – Block default wp-includes url

Rewrite > WP content

New Content Path – Change default wp-content path / url
Block wp-content URL – Block default content url

Rewrite > Plugins

New Plugins Path – Change default wp-content/plugins path / url
Block plugins URL – Block default wp-content/plugins url
New path / url for Every Active Plugin
Custom path and name for any active plugins

Rewrite > Uploads

New Uploads Path – Change default media files path / url
Block uploads URL – Block default media files url

Rewrite > Comments

New wp-comments-post.php Path
Block wp-comments-post.php

Rewrite > Author

New Author Path
Block default path

Rewrite > Search

New Search Path
Block default path

Rewrite > XML-RPC

New XML-RPC Path – Change default XML-RPC path / url
Block default xmlrpc.php – Block default XML-RPC url
Disable XML-RPC authentication – Filter whether XML-RPC methods requiring authentication
Remove pingback – Remove pingback link tag from theme

Rewrite > JSON REST

Disable JSON REST V1 service – Disable an API service for WordPress which is active by default.
Disable JSON REST V2 service – Disable an API service for WordPress which is active by default.
Block any JSON REST calls – Any call for JSON REST API service will be blocked.
Disable output the REST API link tag into page header
Disable JSON REST WP RSD endpoint from XML-RPC responses
Disable Sends a Link header for the REST API

Rewrite > Root Files

Block license.txt – Block access to license.txt root file
Block readme.html – Block access to readme.html root file
Block wp-activate.php – Block access to wp-activate.php file
Block wp-cron.php – Block access to wp-cron.php file
Block wp-signup.php – Block default wp-signup.php file
Block other wp-.php files – Block other wp-.php files within WordPress Root

Rewrite > URL Slash

URL’s add Slash – Add a slash to any links without. This disguise any existing for a file, folder or a wrong url, they all be all slashed.

General / Html > Meta

Remove WordPress Generator Meta
Remove Other Generator Meta
Remove Shortlink Meta
Remove DNS Prefetch
Remove Resource Hints
Remove wlwmanifest Meta
Remove feed_links Meta
Disable output the REST API link tag into page header
Remove rsd_link Meta
Remove adjacent_posts_rel Meta
Remove profile link
Remove canonical link

General / Html > Admin Bar

Remove WordPress Admin Bar for specified urser roles

General / Feed

Remove feed|rdf|rss|rss2|atom links

General / Robots.txt

Disable admin url within Robots.txt

General / Html > Emoji

Disable Emoji
Disable TinyMC Emoji

General / Html > Styles

Remove Version
Remove ID from link tags

General / Html > Scripts

Remove Version

General / Html > Oembed

Remove Oembed

General / Html > Headers

Remove X-Powered-By Header
Remove X-Pingback Header

General / Html > HTML

Remove HTML Comments
Minify Html, Css, JavaScript
Remove general classes from body tag
Remove ID from Menu items
Remove class from Menu items
Remove general classes from post
Remove general classes from images

Admin > wp-login.php

New wp-login.php – Map a new wp-login.php instead default
Block default wp-login.php – Block default wp-login.php file from being accesible

Admin > Admin URL

New Admin Url – Create a new admin url instead default /wp-admin. This also apply for admin-ajax.php calls
Block default Admin Url – Block default admin url and files from being accesible


CDN Url – Set-up CDN if apply, some providers replace site assets with custom urls.

This free version works with Apache and IIS server types.

Something is wrong with this plugin on your site? Just use the forum or get in touch with us at Contact and we’ll check it out.

A website example can be found at http://demo.wp-hide.com/ or our website WP Hide and Security Enhancer

Plugin homepage at WordPress Hide and Security Enhancer

This plugin is developed by Nsp-Code


Please help and translate this plugin to your language at http://translate.wp101.net/projects/wp-plugins/wp-hide-security-enhancer

Please help by promoting this plugin with an article on your site or any other place. If you liked this code or helped with your project, consider to leave a 5 star review on this board.