Tor is an invaluable tool for protecting free-speech, privacy, and preventing surveillance but when abused it can protect the identity of malicious users and make tracking their activities more difficult. “Hackers” might use Tor to run security scans on your website or spam websites with comments and fake registrations.
The purpose of this plugin is to give you the power to block certain Tor activity from your WordPress site.
- Block Tor users from registering on your site
- Allow Tor registrations, but flag them for review
- Block logins from Tor (useful for preventing brute force attacks and securing your admin panel)
- Block Tor users from posting comments to your site
- Block spammy pingbacks & trackbacks from Tor IP addresses
- Block Tor users from your entire WordPress site
- Permit access after solving a CAPTCHA (requires hCaptcha for WordPress plugin)
- Real-time blocking using the Tor DNS exit list service
- Near real time blocking using a cached blocklist which can be updated every 10 minutes or more
- Custom blocklist support. Block IP addresses or host networks.
- Statistics to show how many Tor actions have been blocked by this plugin
This plugin is compatible with BuddyPress, the popular Login With Ajax plugin, and hCaptcha.
If there is a feature missing that you would like, request it!
If you opt to use the real-time blocking, each IP address looked up is cached for 5 minutes for efficiency.
The Tor IP lists that are downloaded only contain “exit node” IP addresses so it is relatively small and the list is searched using a binary search so the plugin is very fast!
This plugin also adds two shortcodes which can be used to display specific content to Tor or non-Tor users. Shortcode usage:
[tor_users]Hi, I see you're using Tor. I support privacy and free-speech too! Visitors not using Tor will not see this message.[/tor_users] [non_tor_users]Defend yourself against tracking and surveillance. Circumvent censorship. Visit torproject.org to learn more. Visitors already using Tor will not see this message.[/non_tor_users]
Support this plugin
The author of this plugin values Tor as well as the security of your website. Considerable effort went into the development of this plugin as well as the code and infrastructure that provides you with the up-to-date exit lists.
Installation is simple
- Download the plugin and extract contents to a folder named
- Activate the plugin through the ‘Plugins’ menu in WordPress
- Customize the settings from your WordPress administration panel
Or, from the WordPress admin screen:
- Navigate to
- Search for
How does this plugin work?
This plugin detects Tor users by using a pre-downloaded list of Tor IP addresses. One nice thing about the Tor network is that it is very easy to get lists of IP addresses that allow Tor users to access the internet.
When a user visits your site and tries to perform one of the restricted actions, their IP is checked against the list of known Tor exit IP addresses. If it’s a match, they won’t be allowed to do what they were trying to do.
Where do the exit lists come from?
Exit lists are served from these domains:
One of these lists is maintained by us. You can see the contents here. Please be kind if you choose to use it for purposes other than this plugin.
How often are the exit lists updated?
You can choose to update the exit lists every 10, 20, 30, 60, 120, or 360 minutes. Updating every 30 or 60 minutes is recommended.
How does the real time checking work?
The real-time checking is very fast since it uses the public Tor DNS exit list service run by the Tor project. A small DNS request is sent that contains the visitor’s IP address which is compared to a list of observed exit relays.
The DNS request will yield a positive response from the service if the criteria matches. Since DNS uses UDP and the packets are small, this is typically a fast and efficient way to perform the check.
How does the CAPTCHA protection work?
In order to use the optional CAPTCHA protection, first install the “hCaptcha for WordPress” plugin and enable the “Block Tor users from all of WordPress” configuration option in VigilanTor.
When a Tor user visits your site, they will be presented with a CAPTCHA challenge. After correctly solving the CAPTCHA, a session cookie will be set in the browser containing a secret token (stored in the WP database) that bypasses the Tor blocking. The cookie is saved in the database for 1 hour, and it’s value is changed on each visit to prevent the cookie from being used by multiple browsers.
What PHP version does VigilanTor require?
VigilanTor should work with PHP 5.6 or greater. It has been tested on PHP 5.6, 7.0 – 7.4, and 8.0. If you run into any problems, please report them here. This plugin is not compatible with any PHP 4 version!
- Update plugin compatibility to WordPress 5.9
- Update readme with hCaptcha info
- Update plugin compatibility to WordPress 5.6
- Tor’s bulk exit list is now integrated in blocklist; separate download no longer necessary
- Fix hCaptcha integration to work with latest hCaptcha version
- Ensure plugin compatibility with PHP 8.0
- Fix change that broke compatibility with PHP < 5.6
- Add support for hCaptcha on block page (see hCaptcha.com & wordpress.org/plugins/hcaptcha-for-forms-and-more/)
- Add option to enable Cloudflare support (recognize CF-Connecting-IP header)
- Fallback to other page templates when the current theme doesn’t have a “Page” template
- Update real-time lookup to use newer, simplified Tor DNSEL service (see https://blog.torproject.org/changes-tor-exit-list-service)
- Exit lists are now a combination of the Tor Project’s bulk exit list and our own maintained Tor exit list
- Update compatibility to WordPress 5.4.1
- No changes, released immediately after 1.3.4 where the update URLs were left commented out
- Update compatibility to WordPress 5.2.3
- Add backup update URL
- Fix issue with Ajax list update for when wp-cron is broken; may have used URL with WP_Http that resulted in a redirect and was not followed
- Add option to use a custom message when “Block Tor users from all of WordPress” is enabled
- When blocking from the entire site and not using custom block page, set page title to “Access Denied” instead of the default “WordPress Error”
- Add custom blocklist support
- Add option to hide comment form from blocked users
- Reduce download size of exit list and include all IPs from Tor network
- Add text domain to plugin so it can be translated
- Expand Tor IP list from relays with the Exit flag to all nodes (some relays without Exit flag in directory are providing exit services)
- Add optional CAPTCHA protection for Tor addresses
- Improve exit list update process when wp-cron isn’t working properly
- Add blocking statistics tracking
- Prevent race condition causing the exit list to download twice in a short time
- Remove some PHP 5.3 syntax to lower PHP version requirement
- Fix issue with Total Site Block option returning false positive
- Initial release!