Which forum software is better for a .onion hidden service: phpBB or Discourse?

phpBB is simpler to deploy, requires fewer resources, and has a longer track record in .onion environments. Discourse is feature-richer with better mobile support but requires more RAM (2GB+) and more complex Docker configuration. For a new anonymous community with uncertain user count, start with phpBB and migrate to Discourse if the community grows significantly.

How do I prevent the same person from creating multiple accounts to evade bans?

In anonymous environments, this is inherently difficult since IP banning is ineffective. Effective approaches: require time investment before posting (read-only new accounts for 24 hours), use cookie-based device fingerprinting (with privacy caveats), and rely on behavioral moderation - patterns of harassment or disruption are often detectable even across different accounts.

Can forum members use PGP to verify their identity across sessions?

Yes. Implement PGP identity pinning: members publish their PGP public key in their forum profile. To prove identity continuity across account names, they sign a message with their private key. This allows community trust to carry across username changes without revealing real-world identity.

Is it safe for moderators to access the admin panel over Tor?

Yes, and recommended. Configure the admin panel to only accept connections from Tor, using the .onion address for admin access. Never access the admin panel from a clearnet connection - this would expose the server's management IP even if the user-facing .onion is secure.

How do I handle legal requests for user data from a .onion forum?

The operator's location is protected by Tor. Any legal request would need to identify and reach the operator. Minimize data collection so there is little data to provide. Consult legal counsel in your jurisdiction. Many privacy-focused forum operators explicitly publish a warrant canary that they update regularly.

Anonymous Forums on Tor: phpBB and Discourse Hidden Service Deployment

Online forums enable persistent community discussion, knowledge accumulation, and social coordination in ways that ephemeral chat does not. Deploying forum software as a Tor hidden service creates censorship-resistant communities where members participate without revealing their real identities or locations. Forum discussions about sensitive topics - political organizing in restrictive jurisdictions, security research, privacy advocacy, and whistleblowing - can proceed without the chilling effects that identity exposure creates. Both phpBB (a traditional PHP forum) and Discourse (a modern Ruby on Rails forum) can be deployed as .onion hidden services with modifications for anonymous use: disabling email requirements for registration, configuring anti-spam without clearnet CAPTCHA services, and setting up moderation systems appropriate for pseudonymous communities.

Need this done for your project?

We implement, you ship. Async, documented, done in days.

Start a Brief

phpBB for Lightweight .onion Forums

phpBB is a lightweight PHP forum requiring LAMP stack: PHP 8.0+, MySQL/MariaDB, and Apache or Nginx. Install phpBB by downloading from phpbb.com, extracting to /var/www/phpbb, and running the web-based installer through Tor Browser at your .onion address. During installation, configure the Board URL to http://youronion.onion. Disable email confirmation for registration by setting: in ACP > Board Settings, set Email (user email) to No under Registration settings. Set Board URL correctly or registration confirmation links will fail. phpBB's GDPR compliance features can be repurposed for privacy: disable user IP logging in ACP > System > Server Settings by enabling anonymize IP addresses or reducing logging retention. Configure board to not require email for posting, allowing completely pseudonymous participation with username/password only.

Discourse for Feature-Rich .onion Communities

Discourse is a modern forum platform offering better mobile support, real-time notifications, and richer formatting. It requires significantly more resources: 2GB RAM minimum, Docker for deployment. Install with the official Discourse Docker installer. Edit containers/app.yml to set DISCOURSE_HOSTNAME to youronion.onion and DISCOURSE_SMTP_ADDRESS to localhost (you may run a local nullmailer or disable email entirely). Disable email confirmation in Admin > Settings > required > email requirements: set email_domains_blacklist, allow_anonymous_posting = true, and skip_email_verification = true. Discourse's trust level system works well for anonymous communities: new users (trust level 0) have limited posting capabilities, earning access to more features by demonstrating constructive participation. This organic trust progression reduces spam without requiring identity verification.

Anti-Spam Configuration for Anonymous Tor Forums

Tor forums attract spam because the anonymity that protects legitimate users also protects spammers. Effective anti-spam approaches that don't require clearnet CAPTCHA services: (1) Honeypot fields in registration forms - bots fill hidden fields, humans do not. phpBB has built-in anti-spam honeypot in the Registration section of ACP. (2) Rate limiting new user posts to 1 post per hour for accounts less than 24 hours old. (3) Keyword blacklists blocking commercial spam phrases. (4) Question-based registration challenges using forum-specific knowledge questions. (5) Manual approval for new accounts - works for small communities. (6) IP reputation that still differentiates between Tor exit nodes (all legitimate users appear from exits) and direct connection abuse. (7) For Discourse: use the Akismet plugin with your own API key - content-based spam detection without IP-based fingerprinting.

Moderation Tools for Pseudonymous Communities

Anonymous and pseudonymous communities require active moderation to remain valuable. Both phpBB and Discourse provide: thread locking, post removal, user banning by username (not IP), and moderation queues for flagged content. For .onion forums, IP banning is ineffective since all Tor users share exit node IPs. Instead, rely on: username bans, pattern-based post filtering, and community flagging systems where multiple user reports trigger moderation review. Establish and publish clear community rules at registration. Designate moderators from trusted community members rather than trying to moderate all content as the administrator. phpBB's moderator permissions are granular - moderators can be restricted to specific boards. Discourse's flagging system allows community members to flag posts for moderator review, effective for distributed moderation.

Data Privacy and Operational Security for Forum Operators

Forum operators hold sensitive information about community members: usernames, post history, private messages, and any data collected at registration. Configure both phpBB and Discourse to minimize data collection. Disable user session logging or reduce retention to 24 hours. Disable private message storage (or auto-delete after 30 days). Disable image hotlinking to prevent members from inadvertently loading clearnet images that log their Tor exit IP. For phpBB, disable board index statistics that reveal member counts and activity patterns. Use full-disk encryption on the server. Back up only essential data (user accounts, post content) and delete logs aggressively. The forum's .onion private key is the critical asset - back it up to offline encrypted storage. If the forum must close, issue advance notice and provide a data export mechanism for members to retain their posting history.

Related Services

Offshore VPS from $17.90/mo Dedicated Servers DevOps Services

Why Anubiz Host

100% async — no calls, no meetings

Delivered in days, not weeks

Full documentation included

Production-grade from day one

Security-first approach

Post-delivery support included

Bulletproof Hosting Providers

DMCA-Ignored Servers

Offshore VPS Hosting

Anonymous Hosting Solutions

Ready to get started?

Skip the research. Tell us what you need, and we'll scope it, implement it, and hand it back — fully documented and production-ready.

Start a Brief Iceland VPS I