Hide WP

What you need: Simply Static Pro

Simply Static can rename WordPress's default paths and strip out the little fingerprints that reveal a site is built on WordPress. You'll find it all under Simply Static > Hide WP, organized into three sections: Replace, Hide, and Disable.

One honest note up front: these options mostly make your static output look cleaner and remove the obvious "this is WordPress" signals. They are not a security measure on their own.

Replace

Rename the default WordPress directories and URLs in your static output.

  • WP-content directory: the folder that holds your plugins, themes, and uploads. Rename it to something like content . If you leave it empty, Simply Static falls back to wp-content .
  • WP-includes directory: a WordPress core folder. You could rename it to something like core  on your static site.
  • Uploads directory: the wp-content/uploads  folder, which is one of the most common giveaways that a site runs WordPress. A popular replacement is media .
  • Plugins directory: the wp-content/plugins  folder, for example addons .
  • Themes directory: the wp-content/themes  folder, for example templates .

The uploads, plugins, and themes fields are relative to wp-content , which is why that part of the path is fixed, and you only set the final folder name. These three also work independently of the WP-content rename above, so the wp-content/  prefix stays even if you renamed the WP-content directory itself.

  • Theme Style Name: every WordPress theme has a style.css , which is another WordPress tell. Rename it to something like index.css , and Simply Static updates the references in your HTML automatically.
  • Author URL: replace the slug WordPress uses for author archive URLs (author  by default).

A common full configuration is content , core , media , addons , templates , and index.css , which together hide the WordPress origin of the static site.

Hide

Remove WordPress-specific tags and headers from your HTML output. Each toggle strips one fingerprint.

  • Hide WordPress Version: removes the WordPress version from the HTML.
  • Hide WordPress Generator Meta: removes the generator meta tag that references WordPress. This leaves SEO meta tags like title and description untouched.
  • Hide DNS Prefetch WordPress link: removes WordPress's DNS-prefetch hint, which isn't much use on a static site.
  • Hide RSD Header: removes the Really Simple Discovery header. RSD was an old protocol for comments and pingbacks, and today it's mostly a target for spam.

Disable

Where the Hide section strips things from the HTML output, the Disable section switches WordPress features off at the PHP level. These are features a static site simply doesn't need.

  • Disable XML-RPC: the legacy remote API that predates the REST API and is no longer used in modern WordPress.
  • Disable Embed Scripts: the scripts that auto-embed services like YouTube and Twitter/X. Check your pages for embeds before turning this on.
  • Disable DB Debug in Frontend: stops database debug messages from ever appearing on the front end.
  • Disable WLW Manifest Scripts: removes the Windows Live Writer manifest, which is no longer supported.
  • Disable Emojis: removes WordPress's emoji support script.

As a rule of thumb, it's safe to enable all of the Disable options, with one exception: only turn on Disable Embed Scripts after you've confirmed you don't rely on embeds like YouTube.

Applying your settings

These replacements and removals happen during a push. Click Save Settings, then Push, and the changes are applied on the fly as your static site is built.