Running WordPress as a Tor Hidden Service - Configuration and Security Guide
WordPress powers a substantial portion of the clearnet web, and its flexibility makes it attractive for hidden service operators who want a familiar CMS with extensive plugin support. However, the default WordPress configuration makes numerous clearnet connections that are completely incompatible with hidden service operation. This guide covers every clearnet-connected default that must be disabled or reconfigured before WordPress is safe to run as a Tor hidden service, along with plugin recommendations and performance optimizations specific to the .onion environment.
WordPress Clearnet Dependencies to Disable
The default WordPress installation makes the following clearnet connections that must be eliminated for hidden service operation:
Automatic updates: WordPress checks api.wordpress.org for core, plugin, and theme updates. On a hidden service, this check fails or, worse, could succeed if there is a configuration error that allows clearnet connections. Disable auto-updates in wp-config.php:
define('AUTOMATIC_UPDATER_DISABLED', true);
define('WP_AUTO_UPDATE_CORE', false);
Gravatar images: User avatars load from gravatar.com, an external clearnet service. Disable Gravatar in the Settings > Discussion panel, or use a self-hosted avatar plugin that stores avatars locally. Every Gravatar request leaks the server IP to Automattic's CDN.
Google Fonts: Many WordPress themes load Google Fonts from fonts.googleapis.com. Audit your theme's functions.php for wp_enqueue_style calls referencing googleapis.com and replace them with locally served fonts. The Google Fonts Helper tool (itself a clearnet service accessed separately) can generate self-hosted font packages.
WordPress Configuration for Localhost and Tor URLs
WordPress stores its site URL in the database and uses it for generating all internal links. Set the site URL to your onion address in wp-config.php:
define('WP_HOME', 'http://YOUR_ONION_ADDRESS');
define('WP_SITEURL', 'http://YOUR_ONION_ADDRESS');
After setting these constants, update all database references using WP-CLI: wp search-replace 'https://clearnet.site.com' 'http://YOUR_ONION_ADDRESS' --all-tables. This replaces all stored URLs including media attachments, internal links in post content, and widget settings.
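Disable the WordPress REST API's CORS headers that might expose the server to clearnet probing by removing core's rest_send_cors_headers callback once the REST API has registered it: add_action('rest_api_init', function () { remove_filter('rest_pre_serve_request', 'rest_send_cors_headers'); }, 15); This stops the REST API from sending the CORS headers that would let cross-origin requests, such as those from clearnet JavaScript exploring the API endpoint, read its responses.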
Plugin Selection for Hidden Service WordPress
Evaluate every plugin for clearnet connections before installation. Plugins that load external resources, send usage analytics to plugin developers, or check for updates by contacting external APIs are all problematic for hidden service operation.
Safe plugin categories for hidden services: static file caching plugins (W3 Total Cache in disk mode, WP Super Cache), local SEO plugins that generate XML sitemaps without external calls, form plugins that store submissions locally without third-party email delivery, and security plugins that perform local file integrity checking without sending reports externally.
Unsafe without modification: WooCommerce (loads external payment gateways), Jetpack (sends data to WordPress.com), analytics plugins that connect to external services, social sharing plugins (load external JavaScript from social networks), and comment system plugins like Disqus (entirely external service).
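Test each plugin by monitoring outbound connections while performing plugin activation and configuration: tcpdump -i any -n 'port 53 or port 80 or port 443' (all interfaces rather than lo, since traffic to external hosts does not cross the loopback interface). Any connection to an external host, other than the tor daemon's own relay connections, indicates clearnet leakage that needs remediation before the plugin is safe to use.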
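As an added example (not part of the original guide), these shell functions do the static half of the theme audit and plugin evaluation described above: they list every non-.onion hostname referenced in a directory's PHP, CSS, JS and HTML files. The function names and the sample theme are constructed for illustration, and GNU grep is assumed.

```sh
#!/bin/sh
# Added example: static audit of a theme or plugin directory for references
# to external (non-.onion) hosts. Limits: hostnames only (no IP literals),
# and URLs assembled at runtime are not seen; pair it with a packet capture.

# Explicit http(s):// URLs, plus protocol-relative //host URLs that directly
# follow a quote or "(" (so ordinary "// comment" lines do not match).
URL_RE="(https?:|[\"'(])//[a-z0-9.-]+\.[a-z]{2,}"

# external_refs DIR -> one "file:line:host" record per external reference
external_refs() {
    grep -rEoin --include='*.php' --include='*.css' --include='*.js' \
        --include='*.html' "$URL_RE" "$1" 2>/dev/null |
    awk -F: '{
        host = tolower($NF)              # last field holds "//host"
        sub(/^.*\/\//, "", host)         # strip scheme, quote or "(" prefix
        if (host !~ /\.onion$/) print $1 ":" $2 ":" host
    }'
}

# external_hosts DIR -> "count host" lines, most-referenced host first
external_hosts() {
    external_refs "$1" | awk -F: '{ print $NF }' | sort | uniq -c |
        sort -k1,1nr -k2 | awk '{ print $1, $2 }'
}

# Constructed sample theme (hypothetical content, not from a real theme)
make_sample_theme() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '<?php // constructed sample' \
        'wp_enqueue_style("body-font", "https://fonts.googleapis.com/css?family=Roboto");' \
        'wp_enqueue_style("local", "http://exampleexampleexample.onion/fonts/local.css");' \
        > "$d/functions.php"
    printf '%s\n' '@import url("//fonts.googleapis.com/css?family=Lato");' \
        'body { background: url(img/bg.png); }' > "$d/style.css"
    printf '%s\n' '<?php $avatar = "https://secure.gravatar.com/avatar/" . $hash;' \
        > "$d/comments.php"
    echo "$d"
}

sample=$(make_sample_theme)
external_hosts "$sample"    # summary of hosts to remove or self-host
external_refs "$sample"     # where each reference lives
rm -rf "$sample"
```

In practice, point external_hosts at the unpacked plugin or theme directory before activating it; an empty result does not replace the packet capture, because code can build URLs at runtime.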
Performance Optimization for WordPress on Tor
WordPress on Tor inherits all of the latency challenges of any hidden service. The additional WordPress PHP processing and database queries add to the inherent Tor circuit latency. Page caching is mandatory, not optional, for acceptable performance on a WordPress hidden service.
Configure W3 Total Cache or WP Super Cache to serve pre-generated static HTML files for all public pages. When a cached version exists, PHP and the database are not involved at all: nginx serves the static file directly to the Tor client. This reduces per-request server processing from between 100 and 500 milliseconds to near zero, leaving Tor circuit routing as the dominant remaining latency.
Database optimization: run the WP-Optimize plugin monthly to clean up post revisions, transients, and spam comments that accumulate in the database over time. A clean database with proper indexes responds to queries significantly faster than an unoptimized one. Enable PHP opcode caching with opcache for additional PHP execution performance.