Free Speech 101: Creating a WordPress Blog in Whonix

7 minute read

Posted by: Politech

June 29, 2015

With this guide, I hope to enable anyone with access to a computer to set up their own place to speak freely on the internet. The ability to publish anonymously is sadly becoming an increasingly important one – the Guardian, for example, was pressured by the UK government into not revealing certain details from the Snowden documents; the persecution of WikiLeaks is ongoing with Julian Assange still trapped in the Ecuadorian embassy in London; and in Britain, Russia Today is currently being investigated for “bias” by OFCOM. The list of these cases in supposedly free countries could go on. But if journalism and other forms of expression crucial to functioning democracies occurs anonymously, it becomes harder to suppress as it is no longer simple for governments to find the right door to kick down.

Before we begin, I’ll give a disclaimer: if your quality of life depends on the security of your hidden service, you should seek a more advanced guide than this. This is a beginner-friendly guide. There are more secure options than WordPress, for instance Drupal or simply static HTML, but WordPress is a good choice for a beginner who wants to regularly update their site using a GUI.

Similarly, if you are reading this in the hope of setting up a criminal enterprise, know that the protection of Tor will only buy you time. Hidden services are not immune to investigation. Moreover, please do not give anonymity a bad name by abusing hidden services.

The following setup uses Whonix, a virtual operating system for use with Oracle VirtualBox. It comes in two parts: the Whonix Gateway and the Whonix Workstation. The sole purpose of the Whonix Gateway is controlling Tor and forcing all traffic over the Tor network. The Whonix Workstation is where most of our work will be done and all its traffic is transparently proxied through the Whonix Gateway. This is done to prevent leaks.

This means that if someone wants to de-anonymize your site, they would first have to compromise the Workstation with malware, and from there engineer a virtual machine escape, infecting your host operating system. The attacker could then connect to a server outside of Tor, revealing your real IP address. This is quite hard, but there is a reference to exploiting virtual machines in a Snowden document, so carefully gauge the sophistication of your adversary when deciding if this guide is appropriate for you.

Getting Started

VirtualBox is available for Windows, Mac OS X, Linux, Solaris and FreeBSD. I recommend avoiding Windows and Mac OS because *NIX-based OSes are more secure, but the choice is yours. Make sure to verify the Whonix images before installing them, to make sure they haven’t been corrupted or maliciously tampered with. Whonix has several guides on how to do that according to your chosen OS here.

It would also be wise to encrypt your hard drive and harden the security of your host OS. That is too much to go into here, but if you search “hardening <your OS>” you will find many guides. If you want extra protection against virtual machine escapes, you might consider configuring your firewall to connect solely through a non-logging VPN. This will make it harder for an attacker to find out your real IP address if you are compromised, but bear in mind that VPNs offer much weaker anonymity than Tor.

Once you have installed VirtualBox and are satisfied that your machine is sufficiently secure, you are ready to install Whonix. Simply click File>Import Appliance in VirtualBox and import both the Whonix Gateway and Workstation. When activated, the Whonix VMs will take you through a guided installation process. You can accept everything as is.

The default root and user password is “changeme” and you should do that immediately. Enter:


in the Konsole and type “changeme”. Now you are root, type:


and enter your new, strong UNIX password. Now enter:

passwd user</textarea></div>

and repeat. You have to do this in both the Gateway and Workstation.

You should also update Whonix as soon as possible by typing:

sudo apt-get update &amp;&amp; sudo apt-get dist-upgrade</textarea></div>

in both VMs. You may be warned that the packages can’t be verified. If that happens, see Whonix’s guide for updating the signing key. Do not update without verification as it is a needless security risk.

Now we are ready to install the site’s components.

Setting Up WordPress

From the Konsole, enter:

sudo apt-get install libapache2-mod-php5 php5 mysql-server</textarea></div>

. Once they’re installed, you should be prompted to choose a root password for MySQL. Pick something strong and remember it. Once done, enter:


to remove some of the vulnerabilities that come with a default MySQL installation. Enter your root password, and when asked if you want to change the root password enter “n” if you chose a good one. Choose “y” for the rest of the questions.

Now is a good time to make your web server accessible in the Whonix Gateway. Open “Tor Examples” on the desktop and find the hidden services section. Copy:

HiddenServiceDir /var/lib/tor/webserver

HiddenServicePort 80</textarea></div>

and paste it into the torrc. You can access the torrc by opening “Tor User Config” on the desktop. Restart Tor to enable the new settings. There are also instructions in “Tor Examples” on how to find out your new host name: simply enter:

sudo cat /var/lib/tor/webserver/hostname</textarea></div>

Try visiting it in Tor Browser – if you see the Apache “It works” message, congratulations! You’ll need your hostname for the next step: installing WordPress.

Simply type:

sudo apt-get install wordpress</textarea></div>

Since Whonix is based on Debian 7, any guide that works for Debian should also work for Whonix. The Debian wiki’s extensive guide to WordPress is very useful here.

We’ve already done the first step of the Debian wiki’s guide – we can skip to “Create a Site”. Follow the default instructions given, but when copying from boxes containing line numbers, make sure to remove them; they will break the config files if you don’t. You will also need to change some permissions using “chmod” for some steps of the guide to work. I’ll cover that here.

In order for:

sudo cat ~/wp.sql | mysql –defaults-extra-file=/etc/mysql/debian.cnf</textarea></div>

to work you will need to enter:

sudo chmod 755 /etc/mysql/debian.cnf</textarea></div>

beforehand, and then change it to:

sudo chmod 100 /etc/mysql/debian.cnf</textarea></div>

afterwards. Note that “wp.sql” contains your MySQL password – it is therefore a good idea to lock it down afterwards using

sudo chmod 100 ./wp.sql</textarea></div>

in case the virtual machine is compromised.

Now you have to copy the contents of /usr/share/wordpress to /var/www and delete the existing “index.html”. Again, you may have to change some permissions for it to work. This time enter:

sudo chmod 777 -R /var/www</textarea></div>

before copying and then change it to 755 afterwards.

Now navigate to your site’s homepage in Tor Browser once again. If all went to plan, you’ll see the WordPress installation page. This section is self-explanatory. Once it’s installed, you’ll have a working WordPress site, and you can log in at <your site>.onion/wp-login.php. However the work isn’t done yet.

Maintaining and Securing WordPress

By default, WordPress fetches content from the non-anonymous internet. This is a highly undesirable quality for a hidden service, so let’s disable it to make the site more secure and private. In the Whonix Workstation, go to the page for the WordPress plugin Disable Google Fonts. Download the latest version and extract it. Copy the resulting folder into /var/lib/wordpress/wp-content/plugins. Once again, you’ll probably have to change permissions:

sudo chmod 777 -R /var/lib/wordpress/wp-content/plugins</textarea></div>

and once you’re done:

sudo chmod 755 -R /var/lib/wordpress/wp-content/plugins</textarea></div>

Activate the plugin using the plugins page in the WordPress GUI.

In the WordPress admin Dashboard, go to Settings>Discussion and uncheck “Show avatars” as they are also pulled from the normal internet.

With this setup, you will not be able to update or install anything from inside your browser. That requires FTP which you can set up if you want to, but it will take extra effort to secure. If you have access to the computer your site is hosted on, you might as well administer it from there. This involves finding the web page for any out of date packages such as themes and plugins and re-extract them into the relevant directories in /var/lib/wordpress/wp-content. This will also require changing permissions with chmod, but it is exactly the same procedure as outlined for plugins, online changing the directory.

Enjoy your anonymous blog.

Updated: 2015-06-29