Hardened WordPress as Tor Hidden Service: Security Guide

WordPress is the world's most popular CMS, and it can be deployed as a Tor hidden service with careful hardening. The challenge is WordPress's tendency to make external requests, include CDN-hosted resources, and generate URLs that can inadvertently reveal clearnet information. This guide covers hardening WordPress for proper .onion operation.

WordPress Clearnet Leak Prevention

WordPress makes several kinds of requests that can leak clearnet information, and each one has a .onion-only mitigation:

- Automatic update checks to the WordPress.org APIs (core, plugin and theme version checks): disable automatic updates and update manually.
- External font loading (Google Fonts, the default in many themes): host the fonts locally.
- Gravatar avatar images fetched from gravatar.com: disable Gravatar, or host your own Gravatar alternative.
- Pingbacks and trackbacks (outbound HTTP requests to other sites): disable them in settings.
- xmlrpc.php (the WordPress XML-RPC interface, which also triggers outbound requests such as pingbacks): block it via Nginx.
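
The mitigations above can be enforced in one place instead of plugin by plugin. The must-use plugin below is an added example written for this guide, not code from the page or from WordPress; the plugin name, function name and log messages are made up, while the hooks it uses and the two wp-config.php constants named in its header are real WordPress APIs:

```php
<?php
/**
 * Plugin Name: Onion Leak Guard
 *
 * Added example for this guide (hypothetical plugin name, not a published plugin).
 * Drop it into wp-content/mu-plugins/ so it loads before themes and regular plugins.
 * Pair it with these real WordPress constants in wp-config.php:
 *   define('WP_HTTP_BLOCK_EXTERNAL', true);      // WP_Http refuses every outbound request
 *   define('AUTOMATIC_UPDATER_DISABLED', true);  // no background core/plugin/theme updates
 */

defined('ABSPATH') || exit;

// 1. Last line of defence, and detection: short-circuit every WP_Http request and log it.
//    Anything that shows up in the PHP error log is a plugin or theme reaching for the clearnet.
add_filter('pre_http_request', function ($preempt, $args, $url) {
    error_log('onion-leak-guard: blocked outbound request to ' . $url);
    return new WP_Error('http_request_blocked', 'Outbound HTTP is disabled on this hidden service.');
}, 10, 3);

// 2. Pingbacks and trackbacks: no outbound pings, no XML-RPC, closed by default on new posts.
remove_action('do_pings', 'do_all_pings', 10);
add_filter('xmlrpc_enabled', '__return_false');
add_filter('pre_option_default_pingback_flag', '__return_zero');
add_filter('pre_option_default_ping_status', function () { return 'closed'; });
add_filter('wp_headers', function ($headers) {
    unset($headers['X-Pingback']);                 // stop advertising xmlrpc.php
    return $headers;
});
remove_action('wp_head', 'rsd_link');              // <link rel="EditURI"> points at xmlrpc.php
remove_action('wp_head', 'wp_generator');          // <meta name="generator" content="WordPress x.y">
add_filter('the_generator', '__return_empty_string');

// 3. Gravatar: switch avatars off globally, so no gravatar.com <img> is ever emitted.
add_filter('pre_option_show_avatars', '__return_zero');

// 4. External fonts, scripts and styles: drop any enqueued asset whose host is not ours.
//    Returning an empty src makes WP_Scripts / WP_Styles skip the tag entirely.
function onion_leak_guard_src($src, $handle) {
    $site_host = wp_parse_url(home_url(), PHP_URL_HOST);
    $host      = wp_parse_url($src, PHP_URL_HOST);
    if ($host !== null && $host !== false && strcasecmp($host, $site_host) !== 0) {
        error_log("onion-leak-guard: dropped external asset '{$handle}' ({$src})");
        return '';
    }
    return $src;
}
add_filter('style_loader_src',  'onion_leak_guard_src', PHP_INT_MAX, 2);
add_filter('script_loader_src', 'onion_leak_guard_src', PHP_INT_MAX, 2);
```

Because every WP_Http request is refused, the update screens in wp-admin will simply show nothing; update core, themes and plugins manually from packages you download over Tor. Watch the PHP error log after enabling it: each "blocked" or "dropped" entry names a plugin or theme that was trying to reach the clearnet, which is exactly the list you need when choosing plugins.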

WordPress URL Configuration for .onion

Configure WordPress to use the .onion address. In wp-config.php:

    define('WP_HOME', 'http://youronionaddress.onion');
    define('WP_SITEURL', 'http://youronionaddress.onion');

These settings ensure all internal WordPress URLs use the .onion address. Without them, WordPress may generate absolute URLs from the server's hostname or IP, creating links that do not resolve through Tor. After changing these settings, flush WordPress caches (W3 Total Cache, WP Super Cache, or the built-in object cache). Test by inspecting the page source for any external URL references.
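
A practical way to do that inspection is to fetch pages on the server itself, through the loopback listener Tor forwards to, and flag every reference whose host is not the .onion host. The script below is an added example, not part of the page or of WordPress; the file name, the loopback address and port, and the attribute list are assumptions, and it needs PHP 8 with the dom extension:

```php
<?php
// onion-leak-scan.php: added example for this guide (hypothetical script, not from the
// page or from WordPress). Fetch a page from the loopback listener that tor forwards to,
// or read a saved HTML file, and list every reference whose host is not the site's
// .onion host. Requires PHP 8 (str_starts_with) with the dom extension.
//
//   php onion-leak-scan.php http://127.0.0.1:8080/ youronionaddress.onion
//   php onion-leak-scan.php saved-page.html        youronionaddress.onion
declare(strict_types=1);

// Attributes in which themes and plugins commonly place URLs.
const URL_ATTRS = ['href', 'src', 'action', 'poster', 'data-src', 'content'];

function is_external(string $url, string $onion_host): bool
{
    $url = trim($url);
    if ($url === '' || $url[0] === '#' || str_starts_with($url, 'data:')) {
        return false;
    }
    if (str_starts_with($url, '//')) {          // protocol-relative still names a host
        $url = 'http:' . $url;
    }
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host)) {                    // relative path, mailto:, plain text
        return false;
    }
    return strcasecmp($host, $onion_host) !== 0;
}

/** Return [where, url] pairs for every off-site reference in the HTML. */
function find_external_urls(string $html, string $onion_host): array
{
    $leaks = [];
    libxml_use_internal_errors(true);           // real-world HTML is rarely well-formed
    $dom = new DOMDocument();
    $dom->loadHTML($html);
    libxml_clear_errors();
    $xpath = new DOMXPath($dom);

    foreach ($xpath->query('//@*') as $attr) {  // every attribute of every element
        $name = strtolower($attr->nodeName);
        if ($name === 'srcset') {               // "url 1x, url 2x" candidate lists
            $urls = array_map(fn ($c) => explode(' ', trim($c))[0], explode(',', $attr->nodeValue));
        } elseif (in_array($name, URL_ATTRS, true)) {
            $urls = [$attr->nodeValue];
        } else {
            continue;
        }
        foreach ($urls as $url) {
            if (is_external($url, $onion_host)) {
                $leaks[] = [strtolower($attr->ownerElement->tagName) . '@' . $name, $url];
            }
        }
    }
    // @import url(...) and url(...) inside <style> blocks are a common way themes pull web fonts.
    foreach ($xpath->query('//style') as $style) {
        preg_match_all('/url\(\s*[\'"]?([^\'")\s]+)[\'"]?\s*\)/i', $style->textContent, $m);
        foreach ($m[1] as $url) {
            if (is_external($url, $onion_host)) {
                $leaks[] = ['style@url()', $url];
            }
        }
    }
    return $leaks;
}

$source     = $argv[1] ?? null;
$onion_host = $argv[2] ?? null;
if ($source === null || $onion_host === null) {
    fwrite(STDERR, "usage: php onion-leak-scan.php <url-or-file> <onion-host>\n");
    exit(2);
}
// Send the .onion name as Host so WordPress does not canonical-redirect to a host we
// cannot resolve, and never follow redirects. The context is ignored for local files.
$ctx  = stream_context_create(['http' => ['header' => "Host: {$onion_host}\r\n", 'follow_location' => 0]]);
$html = file_get_contents($source, false, $ctx);
if ($html === false) {
    fwrite(STDERR, "cannot read {$source}\n");
    exit(2);
}
$leaks = find_external_urls($html, $onion_host);
foreach ($leaks as [$where, $url]) {
    echo "LEAK  {$where}  {$url}\n";
}
echo count($leaks) . " external reference(s) found\n";
exit($leaks === [] ? 0 : 1);                   // non-zero lets a deploy script fail closed
```

Run it against the front page, a single post with comments open, an archive page and a search result, since different templates enqueue different assets; the non-zero exit code makes it easy to gate a deployment script on a clean scan.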

Plugin Selection for Tor-Compatible WordPress

Many WordPress plugins make external API requests that break .onion isolation.

Avoid:
- contact form plugins that send data to external services
- SEO plugins with external crawl monitoring
- social sharing plugins that load external scripts
- analytics plugins (Google Analytics and similar)
- comment systems that rely on external APIs (Disqus)
- CDN plugins (they require external configuration)

Use:
- locally hosted contact form plugins (Contact Form 7 with SMTP to a local mail server)
- local SEO (Yoast SEO with the features that require external APIs disabled)
- Akismet for spam filtering only with care: it makes external API requests, so either disable it or route its checks through Tor
- security plugins that operate locally (Wordfence with update checks disabled)

WordPress Security Hardening for Hidden Services

Hidden services do not reduce the need for application security. WordPress security hardening:

- Remove version information from HTTP headers (WordPress and PHP version) to make targeted exploits harder.
- Use strong authentication: an admin account with a long random password plus 2FA via TOTP.
- Restrict wp-admin to authenticated users only, with HTTP basic auth on /wp-admin/ via Nginx as an additional layer.
- Disable PHP execution in wp-content/uploads to prevent code execution from uploaded files.
- Use secure salts (generate new ones via the WordPress secret key generator).
- Keep WordPress core, themes, and plugins updated.
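
Several of those items, plus the xmlrpc.php block from the leak-prevention section, are Nginx configuration. The server block below is an added example, not from the page; the listen port, PHP-FPM socket path, document root and htpasswd location are assumptions, and youronionaddress.onion is the page's placeholder:

```nginx
# Added example (not from the page): nginx server block for a .onion-only WordPress.
# Assumptions: the torrc HiddenServicePort forwards to 127.0.0.1:8080, PHP-FPM listens
# on unix:/run/php/php-fpm.sock, WordPress lives in /var/www/wordpress, and the
# htpasswd path is a placeholder.
server {
    listen 127.0.0.1:8080;                 # loopback only: tor is the sole client
    server_name youronionaddress.onion;
    root  /var/www/wordpress;
    index index.php;
    port_in_redirect off;                  # otherwise directory redirects carry ":8080"

    server_tokens off;                     # no nginx version in Server header or error pages
    fastcgi_hide_header X-Powered-By;      # strip "PHP/x.y" that php-fpm adds
    fastcgi_hide_header X-Pingback;        # stop advertising xmlrpc.php

    # XML-RPC: pingback/trackback transport and a credential-guessing surface.
    location = /xmlrpc.php {
        return 403;
    }

    # admin-ajax.php is used by the public front end (themes, comment forms);
    # an exact match wins over the regex below, so it stays outside basic auth.
    location = /wp-admin/admin-ajax.php {
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/run/php/php-fpm.sock;
    }

    # Second credential layer on the login page and every PHP entry point under wp-admin/.
    # A request for /wp-admin/ resolves to /wp-admin/index.php via "index" and lands here.
    location ~ ^/(wp-admin/.*\.php|wp-login\.php)$ {
        auth_basic           "admin";
        auth_basic_user_file /etc/nginx/wp-admin.htpasswd;   # htpasswd -B -c <file> <user>
        try_files     $uri =404;
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/run/php/php-fpm.sock;
    }

    # Uploads are data, never code: refuse to execute PHP dropped into the media folder.
    # Regex locations are tried in file order, so this must precede the generic \.php$ block.
    location ~* ^/wp-content/uploads/.*\.php$ {
        deny all;
    }

    location ~ \.php$ {
        try_files     $uri =404;           # no PATH_INFO fall-through onto other scripts
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/run/php/php-fpm.sock;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

Two details are easy to get wrong: port_in_redirect off keeps Nginx from writing :8080 into the Location header when it redirects /wp-admin to /wp-admin/, and the uploads rule has to sit above the generic .php location because regex locations are matched in the order they appear. The <meta name="generator"> tag that WordPress itself emits is removed in PHP (remove_action('wp_head', 'wp_generator')), not in Nginx.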

WordPress Performance for Hidden Service Operation

WordPress's PHP processing adds latency on top of Tor's circuit latency. Performance optimization:

- Enable PHP OPcache (dramatically reduces PHP execution time).
- Use a caching plugin (W3 Total Cache, WP Super Cache) to serve cached HTML instead of executing PHP on every request.
- Configure Redis or Memcached for object caching.
- Optimize images at upload time (Smush or similar).
- Minify HTML/CSS/JS output.
- Enable Nginx fastcgi caching as an additional full-page cache.

A well-optimized WordPress hidden service can achieve 100-200ms server response times (before Tor circuit overhead), comparable to dynamic site performance on the clearnet.
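
The Nginx fastcgi cache is the cheapest of these wins for a hidden service, because almost every visitor is logged out and sees the same HTML. The fragment below is an added example, not from the page; it assumes the server block and PHP-FPM socket from the hardening example, and the cache path and zone name are placeholders:

```nginx
# Added example (not from the page): full-page FastCGI caching for an anonymous audience.

# --- http {} context ---
fastcgi_cache_path /var/cache/nginx/wp levels=1:2 keys_zone=WPCACHE:64m
                   inactive=60m max_size=512m;
fastcgi_cache_key  "$request_method$host$request_uri";
fastcgi_cache_lock on;                         # one PHP execution per key while cold
fastcgi_cache_use_stale error timeout updating http_500 http_503;

# --- server {} context ---
set $skip_cache 0;
# Personalised or state-changing requests never touch the cache, in either direction.
if ($request_method = POST)             { set $skip_cache 1; }
if ($query_string != "")                { set $skip_cache 1; }
if ($request_uri ~* "/wp-admin/|/wp-login\.php|/xmlrpc\.php|/feed/|/wp-json/") {
    set $skip_cache 1;
}
# Cookies WordPress sets for logged-in users, password-protected posts and commenters.
if ($http_cookie ~* "wordpress_logged_in_|wp-postpass_|wordpress_no_cache|comment_author_") {
    set $skip_cache 1;
}

location ~ \.php$ {
    try_files     $uri =404;
    include       fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass  unix:/run/php/php-fpm.sock;

    fastcgi_cache        WPCACHE;
    fastcgi_cache_valid  200 301 302 10m;      # front-end pages; 404s are not cached
    fastcgi_cache_bypass $skip_cache;          # do not serve from cache ...
    fastcgi_no_cache     $skip_cache;          # ... and do not store
    add_header X-FastCGI-Cache $upstream_cache_status;  # HIT / MISS / BYPASS while tuning
}
```

Responses that carry a Set-Cookie header are not cached by default, and this configuration deliberately leaves that alone: telling Nginx to ignore Set-Cookie would store one visitor's cookies in the cache and replay them to the next. The wp-admin location from the hardening example has no cache directives, so the admin area stays uncached regardless; the X-FastCGI-Cache header is useful while tuning and can be dropped afterwards.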
