[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Wordpress in a TOR Hidden Service

Of course I know installing wordpress in a hidden service will be difficult, and I have even read that both php and MySQL are going to introduce security holes left and right that nearly invalidate using a TOR Hidden Service site…

But Wordpress has a lot of functionality that I want on an .onion site! I need about 10 different WP plugins out there to run on my WP site that aren’t coded in any other format… Duplicating that on a custom site would cost multiple times my budget.

This site would all be hosted on a nice cloudhost like Digital Ocean or Chunkhost, and those guys all have Wheezy images and even one with Zpanel too if that helps. (I don’t see a whonix image though… Might want to work on that guys!)

An addional security step I would like to take is to make the entire www folder (or wherever hidden services hold the web files) completely password-protected by the server folder PW or a php password script… Even before they see the wordpress site at all, and of course before they see the wordpress login. Will that help much?

1.) So perhaps I should ask first: Can it be done in Whonix?

  1. ) Assuming it can, will the pw-protected folder around everything help plug the holes that I’m making with wordpress? (Also the .onion domain will be invite-only, not posted on any directories/onion listings!)

3.) Finally, does anyone know how to do this? I’m quite happy to tip bitcoin for helpful answers… I’m kind of a newb to linux though so please explain to someone who has used windows all his life and is just getting started in linuxland!

Thanks in advance, everyone!

Not hosted on your server under your physical control = no physical security.

An addional security step I would like to take is to make the entire www folder (or wherever hidden services hold the web files) completely password-protected by the server folder PW or a php password script... Even before they see the wordpress site at all, and of course before they see the wordpress login. Will that help much?

1.) So perhaps I should ask first: Can it be done in Whonix?


Generally, unrelated from Whonix, no physical security = no disk encryption software can help you, because for disk encryption software to be useful, you first need physical security. That may or may not change in future (privatecore like attempts), but for now, that’s it.
2. ) Assuming it can, will the pw-protected folder around everything help plug the holes that I'm making with wordpress?
Even if it could be effectively pw-protected, disk encryption protects from adversaries with physical access when power is off. For example if you're on a journey with a notebook and then be victim to theft or robbery while power is off, then disk encryption is really useful and works. Encryption however can't help with a big attack surface / exploitation / vulnerabilities, hardening helps here [but it's not easy].

Thanks for your reply, Patrick!

I’ve been reading a lot about my options lately and I’d already decided not to go with disk encryption nor a local box. Since what I’m doing isn’t illegal, nor handles any cash, I need the functionality of wordpress far more than I need to encrypt my disk or worry about physical security.

I plan to keep the blog online 24/7/365, as well. Of course I plan to keep a local backup of my keypairs, and even make wordpress backups regularly.

Right now what I really need is a set of setup instructions for Whonix->Hidden Services that don’t assume I’m installing on a local PC. For instance, I’m still in Command-Line-land and it’s time for me to install Whonix, which I just painstakingly downloaded from the site mirrors and then uploaded from home through TOR over SFTP to my host! There went a whole day… But no instructions seem to exist to tell me otherwise, such as an apt-get install command to grab it from the whonix source directly. Nor which folder on my server I should put it in… I just made a guess and uploaded them to /home.

And then how will I get into the virtualbox GUI from putty?

Thanks again for your help.

This will be difficult. Even more for someone new to Linux. I can only tell you what to learn in which order.

Whonix is not yet distribute over apt. I’d download Whonix when being logged into remote using wget. But that’s something you can do much later… See below.

And then how will I get into the virtualbox GUI from putty?
See: https://www.whonix.org/wiki/About#Based_on_Debian

Rephrase your questions…

  1. Can I run VMs on the remote computers at all?
  2. How to get into debian/linux in virtualbox from command line? Learn this on your local computer.
  3. How to get into Whonix in virtualbox from command line? Learn this on your local computer.
  4. How to get into debian/linux in virtualbox from putty? Learn this on your local computer.
  5. How to get into Whonix in virtualbox from putty? Learn this on your local computer.
  6. How to get into debian/linux in virtualbox from putty? Try also on a remote computer.
  7. How to get into Whonix from putty? Try also on a remote computer.

You’re currently asking question 7 before even having learned how to answer question 1, 2… Most questions are not Whonix related and I advice to leverage on the much bigger general Linux community.

The Whonix specific bits for later:


[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]