Add a layer of security to your WordPress site with the ability to block Tor users from commenting, registering, logging in and more.
Tor is an invaluable tool for protecting free speech and privacy and for preventing surveillance, but when abused it can protect the identity of malicious users and make tracking their activities more difficult. “Hackers” might use Tor to run security scans on your website or spam websites with comments and fake registrations.
The purpose of this plugin is to give you the power to block certain Tor activity from your WordPress site.
Features include:
This plugin is compatible with BuddyPress, the popular Login With Ajax plugin, and hCaptcha.
If there is a feature missing that you would like, request it!
If you opt to use the real-time blocking, each IP address looked up is cached for 5 minutes for efficiency.
The Tor IP lists that are downloaded only contain “exit node” IP addresses, so they are relatively small, and each list is searched using a binary search, so the plugin is very fast!
This plugin also adds two shortcodes which can be used to display specific content to Tor or non-Tor users. Shortcode usage:
[tor_users]Hi, I see you're using Tor. I support privacy and free-speech too! Visitors not using Tor will not see this message.[/tor_users]
[non_tor_users]Defend yourself against tracking and surveillance. Circumvent censorship. Visit torproject.org to learn more. Visitors already using Tor will not see this message.[/non_tor_users]
Support Tor
Tor is a great thing. If you agree, consider volunteering, donating to the Tor project, or expanding the Tor network by sponsoring a Tor relay which will be maintained by the plugin author.
Support this plugin
The author of this plugin values Tor as well as the security of your website. Considerable effort went into the development of this plugin as well as the code and infrastructure that provides you with the up-to-date exit lists.
You can support this plugin by installing it, rating it positively, donating to the author, or sponsoring a Tor relay which will be operated by the plugin developer in your honor.
Installation is simple
vigilantor in your /wp-content/plugins/ directory
Or, from the WordPress admin screen:
Plugins >> Add new
VigilanTor and click Install Now
VigilanTor settings menu in WordPress admin screen
Flagged users who registered using Tor (compatible with BuddyPress)
Message shown when Tor users are blocked from logging in
Blocked login integrating with Ajax login plugins
Message shown when Tor users attempt to register (compatible with BuddyPress)
Blocking a comment from a Tor user
Total site block showing generic message to Tor users
Total site block showing a custom page to Tor users (works with most themes)
CAPTCHA protection for total site block when no block page is specified
CAPTCHA protection added to the block page
This plugin detects Tor users by using a pre-downloaded list of Tor IP addresses. One nice thing about the Tor network is that it is very easy to get lists of IP addresses that allow Tor users to access the internet.
When a user visits your site and tries to perform one of the restricted actions, their IP is checked against the list of known Tor exit IP addresses. If it’s a match, they won’t be allowed to do what they were trying to do.
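The list check described above, using the binary search mentioned earlier, as an added Python example; it is not the plugin's own code (the plugin is written in PHP). It assumes a one-address-per-line list format, and the function names and sample addresses are constructed for illustration.

```python
import bisect
import ipaddress

# Constructed sample in the one-address-per-line form assumed here;
# the addresses are documentation ranges, not real exit relays.
SAMPLE_EXIT_LIST = """\
# constructed sample exit list
203.0.113.77
198.51.100.9

192.0.2.45
not-an-ip
2001:db8::beef
198.51.100.9
"""

def addr_key(addr):
    """Normalise an address to a sortable (version, integer) key."""
    ip = ipaddress.ip_address(addr.strip())
    # A dual-stack server may report an IPv4 visitor as ::ffff:a.b.c.d.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.version, int(ip))

def load_exit_list(text):
    """Parse a downloaded list into a sorted, de-duplicated list of keys."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            keys.add(addr_key(line))
        except ValueError:
            continue  # skip malformed entries rather than failing the update
    return sorted(keys)

def is_tor_exit(visitor_ip, exits):
    """Binary-search the sorted list: O(log n) comparisons per request."""
    try:
        key = addr_key(visitor_ip)
    except ValueError:
        return False  # unparseable address: treated as no match (assumed policy)
    i = bisect.bisect_left(exits, key)
    return i < len(exits) and exits[i] == key

EXITS = load_exit_list(SAMPLE_EXIT_LIST)
```

Sorting on the parsed integer value rather than the text form matters: a string sort would place "198.51.100.9" after "198.51.100.10", and a binary search over that order would miss entries.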
Exit lists are served from these domains:
One of these lists is maintained by us. You can see the contents here. Please be kind if you choose to use it for purposes other than this plugin.
You can choose to update the exit lists every 10, 20, 30, 60, 120, or 360 minutes. Updating every 30 or 60 minutes is recommended.
The real-time checking is very fast since it uses the public Tor DNS exit list service run by the Tor project. A small DNS request is sent that contains the visitor’s IP address which is compared to a list of observed exit relays.
The DNS request will yield a positive response from the service if the criteria match. Since DNS uses UDP and the packets are small, this is typically a fast and efficient way to perform the check.
In order to use the optional CAPTCHA protection, first install the “hCaptcha for WordPress” plugin and enable the “Block Tor users from all of WordPress” configuration option in VigilanTor.
When a Tor user visits your site, they will be presented with a CAPTCHA challenge. After correctly solving the CAPTCHA, a session cookie will be set in the browser containing a secret token (stored in the WP database) that bypasses the Tor blocking. The cookie is saved in the database for 1 hour, and its value is changed on each visit to prevent the cookie from being used by multiple browsers.
VigilanTor should work with PHP 5.6 or greater. It has been tested on PHP 5.6, 7.0 – 7.4, and 8.0. If you run into any problems, please report them here. This plugin is not compatible with any PHP 4 version!