Host PHP Applications as Tor Hidden Services

PHP powers a massive portion of the web including WordPress, Laravel, and countless custom applications. Running PHP applications as Tor hidden services lets you serve dynamic content on the .onion network while benefiting from PHP's mature ecosystem. This guide covers Nginx + PHP-FPM configuration for Tor, WordPress-specific setup, and security hardening for PHP on hidden services.

Nginx + PHP-FPM for Tor Hidden Services

Set up Nginx with PHP-FPM to serve PHP applications exclusively through Tor. First, configure your hidden service in torrc, then set up the web stack:

# Install PHP-FPM
apt install -y php-fpm php-mysql php-curl php-gd php-mbstring php-xml

# Nginx server block for PHP over Tor
# /etc/nginx/sites-available/onion-php
server {
    listen 127.0.0.1:8080;
    root /var/www/onion;
    index index.php index.html;

    server_tokens off;
    access_log off;
    error_log /dev/null;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SERVER_NAME $host;
        fastcgi_hide_header X-Powered-By;
    }

    # Block access to sensitive files
    location ~ /\.(env|git|htaccess) { deny all; }
    location ~ /(composer\.json|composer\.lock) { deny all; }
}

The fastcgi_hide_header X-Powered-By directive makes Nginx strip the X-Powered-By response header, which PHP would otherwise use to advertise its version. The deny rules block access to common sensitive files that should never be served publicly.

WordPress on a .onion Address

WordPress requires specific configuration to work correctly on a .onion address. After installing WordPress, update the site URL settings and configure the Tor-compatible environment:

# wp-config.php additions for Tor hosting
define('WP_HOME', 'http://your56charaddress.onion');
define('WP_SITEURL', 'http://your56charaddress.onion');

// Disable external HTTP requests that would bypass Tor
define('WP_HTTP_BLOCK_EXTERNAL', true);
define('WP_ACCESSIBLE_HOSTS', 'your56charaddress.onion');

// Disable automatic updates (handle manually)
define('AUTOMATIC_UPDATER_DISABLED', true);
define('WP_AUTO_UPDATE_CORE', false);

// Security hardening
define('DISALLOW_FILE_EDIT', true);
define('FORCE_SSL_ADMIN', false); // No SSL unless you have an onion cert

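WP_HTTP_BLOCK_EXTERNAL is critical: without it, WordPress makes HTTP requests to api.wordpress.org and other external services, and those requests go out over your server's clearnet connection, potentially leaking your IP. Only allow requests to your own .onion address. The constant only governs requests made through the WordPress HTTP API; plugin or theme code that calls cURL or sockets directly is not covered by it.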

PHP Security Hardening for Tor

Harden your PHP configuration to prevent information disclosure and common attack vectors on your hidden service:

; /etc/php/8.2/fpm/php.ini - Security settings
; (php.ini comments start with ';'. '#' comments are not supported since PHP 7.0.)
expose_php = Off
display_errors = Off
log_errors = On
error_log = /dev/null

; Disable dangerous functions
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_multi_exec,parse_ini_file,show_source

; Session security
session.cookie_httponly = 1
session.cookie_secure = 0
session.use_strict_mode = 1
session.name = SESS

; File upload limits
upload_max_filesize = 10M
post_max_size = 10M
max_execution_time = 30
memory_limit = 128M

; Disable URL fopen (prevent SSRF)
allow_url_fopen = Off
allow_url_include = Off

Setting allow_url_fopen = Off prevents PHP from making outbound HTTP requests via file_get_contents() and similar functions, which could leak your server's real IP address. It does not restrict the cURL extension or socket functions, so code that uses those can still connect directly. If your application needs to make HTTP requests, route them explicitly through Tor using a SOCKS proxy configured in your application code.
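
One way to do the explicit SOCKS routing described above, as an added example that is not part of the original guide: a small PHP helper built on the cURL extension. The function name tor_http_get and the proxy address 127.0.0.1:9050 (Tor's default SocksPort) are assumptions; curl_exec is not in the disable_functions list above, so the helper works with that php.ini.

```php
<?php
declare(strict_types=1);

// Added example, not from the original guide.
// Assumption: a Tor client runs locally with its default SocksPort.
const TOR_SOCKS_PROXY = '127.0.0.1:9050';

/**
 * GET a URL through the local Tor SOCKS proxy.
 * Fails closed: if an option cannot be set or the proxy is unreachable,
 * the call throws. It never retries over a direct connection.
 */
function tor_http_get(string $url, int $timeoutSeconds = 60): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only http and https URLs are allowed');
    }
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init() failed');
    }
    $ok = curl_setopt_array($ch, [
        CURLOPT_PROXY          => TOR_SOCKS_PROXY,
        // SOCKS5 with proxy-side name resolution: DNS lookups also go
        // through Tor, and .onion hostnames can be resolved.
        CURLOPT_PROXYTYPE      => CURLPROXY_SOCKS5_HOSTNAME,
        // Empty string: proxy every host, ignoring any no_proxy env variable.
        CURLOPT_NOPROXY        => '',
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false, // do not follow redirects blindly
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 30,    // Tor circuits take time to build
        CURLOPT_TIMEOUT        => $timeoutSeconds,
    ]);
    // curl_setopt_array() stops at the first option it cannot set, so an
    // unchecked failure could leave later options unapplied.
    if ($ok === false) {
        throw new RuntimeException('Could not apply Tor proxy settings');
    }
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('Request via Tor failed: ' . curl_error($ch));
    }
    return $body;
}

// CLI usage: php tor_get.php http://your56charaddress.onion/
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    echo tor_http_get($argv[1]);
}
```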

AnubizHost — PHP-Ready Tor Hosting

AnubizHost VPS plans come with PHP-FPM, Nginx, and Tor pre-installed and configured for hosting PHP applications as hidden services. We support PHP 8.x with all common extensions, and our team handles security patching and Tor updates.

Host WordPress, Laravel, Drupal, or custom PHP applications on our offshore servers in Iceland, Romania, and Finland. Pay with Bitcoin, Monero, or other cryptocurrencies — no KYC, no identity verification required. Your PHP .onion site is live within minutes of provisioning, with security hardening applied by default.
