CMS Platforms for Tor Hidden Services

WordPress is the world's most popular CMS and can be deployed as a Tor hidden service. Key configuration changes: set siteurl and home in wp-config.php (or via the admin panel) to the .onion HTTP URL. Disable automatic updates that attempt outbound HTTP connections to WordPress.org - manage updates manually from the server. Disable all plugins that make external API calls (Akismet, Jetpack, Google Analytics) as these reveal the server IP to external services. Use the W3 Total Cache or WP Super Cache plugin for performance optimization through caching. Configure the Nginx or Apache web server to listen only on 127.0.0.1 and be accessible only through the Tor hidden service.

Ghost is a modern publishing platform focused on newsletters and content monetization. For .onion deployment, configure Ghost's URL in config.production.json: {url: 'http://youronionaddress.onion'}. Ghost uses Node.js and can be run with ghost start after configuration. Ghost's email subscription features require an SMTP relay - configure this to route through Tor or disable email subscriptions for purely anonymous publishing. Ghost Pro (managed hosting) is not suitable for .onion deployment - use Ghost self-hosted. The Ghost admin interface is accessible at /ghost on the .onion address, requiring a strong admin password.

Static site generators (Hugo, Jekyll, Eleventy, Next.js static export) generate HTML files that require no server-side processing, providing the simplest and most secure .onion deployment. Generate the site locally and rsync or SCP the output to the server through a Tor-routed SSH connection. Serve with Nginx on 127.0.0.1 through the Tor hidden service. Static sites have no dynamic code execution on the server, eliminating server-side code vulnerabilities. The only security consideration is the Nginx configuration itself and the Tor hidden service setup. Updates require regenerating and pushing new static files, which is operationally simpler than maintaining a dynamic CMS.

Drupal is appropriate for complex .onion applications requiring advanced content management, multi-user workflows, and extensive customization. Configure Drupal's trusted_host_patterns in settings.php to include the .onion address. Disable all Drupal modules that make external HTTP requests (Google Analytics, Google Maps API, CDN modules). Drupal's built-in caching (Drupal page cache, Drupal Dynamic Page Cache) significantly improves performance for authenticated and anonymous users. Run Drupal's cron via command-line (drush cron) rather than web-based cron requests to avoid outbound connections during cron execution.

Standard SEO tactics (Google Search Console, Google Analytics, backlinks from clearnet) do not apply to .onion services. Discoverability in the .onion ecosystem relies on: submission to Tor-specific search engines (Ahmia.fi accepts .onion submissions), listing in relevant .onion directories, links from other .onion sites, and word-of-mouth distribution through encrypted messaging channels. Generate and serve a sitemap.xml from your CMS for Tor search engine crawlers. Submit the .onion URL to Ahmia's site index. Maintain active social media or messaging group presence (via Tor) to distribute new content to existing readers.