Forum Software for Tor Hidden Services: Deployment Comparison
Dark web communities frequently organize around forum software. Choosing the right forum platform for a Tor hidden service requires balancing features, resource requirements, anonymity compatibility, and maintenance burden. This guide compares major forum platforms for hidden service deployment.
Discourse: Feature-Rich Forum for Hidden Services
Discourse is a modern Ruby on Rails forum platform with a strong feature set: rich text editing, category organization, badges, trust levels, and strong moderation tools. Resource requirements: Discourse officially requires 2GB RAM minimum (4GB recommended), which is more demanding than the other options. Deployment: Discourse is installed with Docker. Anonymity modifications needed: disable all external resource loading (CDN-hosted assets, Google APIs, external avatar services). The Discourse admin panel allows disabling external services: go to Admin > Settings, search for each external service, and disable it. Disable S3 for uploads and use local storage instead. Performance: with proper caching, Discourse can serve thousands of daily users on adequate hardware.
Flarum: Lightweight PHP Forum
Flarum is a PHP-based forum with a clean modern UI, active development, and significantly lower resource requirements than Discourse. Requirements: PHP 8.0+, MySQL/MariaDB 5.6+, Composer. A 512MB-1GB RAM VPS can run Flarum. Installation: Composer-based. Anonymity configuration: disable the FoF (Friends of Flarum) external extensions that make API calls, self-host all assets, disable Gravatar (uses email hash to fetch avatars from clearnet), and disable any analytics. The Flarum community has hidden-service-compatible extension sets. Flarum's simpler architecture (PHP, not Ruby) is more manageable for operators without Ruby expertise.
NodeBB: Node.js Forum Platform
NodeBB is built on Node.js and Redis for real-time features (live updates, notifications). Requirements: Node.js, Redis, MongoDB or PostgreSQL. Real-time capabilities make NodeBB suitable for active communities where live updates matter. Anonymity considerations: NodeBB plugins may make external API calls - audit all installed plugins. Self-host Socket.io (used for real-time, included in NodeBB) and all static assets. NodeBB's plugin architecture is extensible but requires security review of each plugin's external communications. Performance: Redis enables very fast real-time operations. NodeBB is suitable for medium to large communities with active concurrent usage.
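The external-resource settings described for Discourse, Flarum and NodeBB can be checked against the pages the forum actually serves. The following Python script is an added example, not code from any of these projects: it lists every automatically fetched resource whose host differs from the forum's own. The onion hostname and the HTML sample are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes a browser fetches without user action; <a href> needs a click.
FETCH_ATTRS = {
    "script": ("src",), "img": ("src", "srcset"), "link": ("href",),
    "iframe": ("src",), "source": ("src", "srcset"), "embed": ("src",),
    "video": ("src", "poster"), "audio": ("src",), "object": ("data",),
}

OWN_HOST = "forumplaceholder.onion"  # constructed placeholder, as is SAMPLE_HTML
SAMPLE_HTML = """
<link rel="stylesheet" href="/assets/forum.css">
<script src="https://cdn.example.net/lib.js"></script>
<img src="//www.gravatar.com/avatar/0000?s=64">
<img src="http://forumplaceholder.onion/uploads/a.png">
<a href="https://example.org/">clearnet link, only followed on click</a>
"""

class ExternalFetchFinder(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.leaks = []  # (tag, attribute, url)

    def _check(self, tag, attr, url):
        host = urlsplit(url.strip()).hostname  # None for relative and data: URLs
        if host and host != self.own_host:
            self.leaks.append((tag, attr, url.strip()))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or name not in FETCH_ATTRS.get(tag, ()):
                continue
            if name == "srcset":  # comma-separated "url descriptor" entries
                urls = [c.split()[0] for c in value.split(",") if c.split()]
            else:
                urls = [value]
            for url in urls:
                self._check(tag, name, url)

def find_external_fetches(html, own_host):
    finder = ExternalFetchFinder(own_host)
    finder.feed(html)
    return finder.leaks

if __name__ == "__main__":
    for leak in find_external_fetches(SAMPLE_HTML, OWN_HOST):
        print("external fetch:", leak)
```

It inspects HTML attributes only; requests issued from CSS `url()` rules or by JavaScript at runtime need a separate check, such as the browser's network panel.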
Simple PHP Forum Alternatives
For small communities or operators who want minimal complexity: phpBB is a mature, lightweight PHP forum with decades of history and an extensive plugin ecosystem. MyBB is another lightweight PHP option. Simple Machines Forum (SMF) is established and resource-efficient. These older platforms have a more conservative UI but very low resource requirements (shared-hosting-level specs). Security consideration: older PHP forum software has more CVEs in its history, so stay updated. For very small communities (under 50 users): consider simpler options like Discourse or custom solutions that reduce the attack surface compared with feature-heavy legacy platforms.
Spam Prevention Without CAPTCHAs for Hidden Service Forums
Forum spam is a significant operational challenge. Google reCAPTCHA and most CAPTCHA services make clearnet API calls that would reveal user IPs, so they are not usable on hidden services. Alternatives: hCaptcha (can be configured with a local verification key for hidden services, though it still makes API calls to hCaptcha's servers, so check their privacy policy); manual approval for new registrations (an admin approves each new account, which is effective for small private forums); invite-only registration (only invited users can join, which gives strong spam prevention); email verification (requires users to have email access but prevents bot registration); and Tor-specific CAPTCHA systems (Tor Project provides a CAPTCHA service for .onion sites called 'Tor Browser CAPTCHA' that works without clearnet API calls).