- part1: how to start an anonymous website anonymously
- OPSEC (again... always...)
- Server Setup & Maintainance
- Anonymous Online Content
We assume that if you’ve gone through all the effort to set up your own anonymous website anonymously, you’ll want to stay anonymous while running it, too.
This post is not meant to be a definitive guide. Instead, it’s here to outline some of the key challenges you’ll face if you want to maintain anonymity after setup. It includes a few practical tips and best practices—nothing exhaustive, but hopefully helpful.
That said, we need to repeat an important point:
You proceed at your own risk.
We can only offer suggestions based on our own experience.
And honestly—how do you know you can trust us?
You don’t. And that’s exactly the point.
You should always:
- Inform yourself
- Cross-check what you learn
- Explore other sources
- And verify any advice before you act on it
Anonymity isn’t something you achieve once. It’s something you maintain.
And that takes awareness, discipline, and the willingness to keep learning.
OPSEC (again... always...)
Revisit the point about Operational Security in the first part of this guide: https://term7.info/how-to-start-an-anonymous-website-anonymously/#OPSEC.
Read The Hitchhiker's Guide to Online Anonymity: http://thgtoallkcxrdv37u6knsc3pumk6cq6lqmcqlw3j5vkmyahkxive4jyd.onion/guide.html
Server Setup & Maintainance
If you’ve chosen to self-host and rent your own VPS, the most important step right from the beginning is to secure your server—before you even think about launching your site.
Start by hardening SSH, the main way you'll log into your server:
- Change the default SSH port to something less predictable
- Create your own user account and disable root login entirely
- Use SSH keys instead of passwords—and if possible, use a hardware key like a Nitrokey or YubiKey for cryptographic login
- Set up a firewall (such as ufw or iptables) to allow only the services you actually use
- Close all unnecessary ports
- Install fail2ban to help block brute-force login attempts
- Monitor your logs regularly
- And most importantly, keep your system and all installed applications up to date
There are plenty of good VPS security tutorials out there, take your time, read them carefully, and make sure you understand what each change does before you implement it.
Once your server is secured, you'll probably want to install a LAMP (Linux, Apache, MySQL, PHP) or LEMP (Linux, NGINX, MySQL/MariaDB, PHP) stack to host your website.
Both Apache2 and NGINX are powerful and can be configured for better security. The same goes for WordPress, if you plan to use it—there are many guides to hardening WordPress installations, and you should follow them carefully.
Also consider installing Tor on your server and making your anonymous site available as a Tor v3 Onion Service. This allows you to manage and access your site entirely within the Tor network, adding another layer of protection and reducing exposure to the clearnet.
A few final tips:
- Keep your attack surface minimal—don’t install anything you don’t absolutely need
- Simplicity is security: the more complex your stack, the more likely you are to overlook a misconfiguration or create a new vulnerability
- Avoid commercial, closed-source software
- Stick with FOSS (Free and Open Source Software)
- It's transparent, auditable, and community-driven
- Proprietary software is a black box—you can’t verify what it does or what it leaks
Running your own server gives you control—but also full responsibility.
So go slow, be deliberate, and make privacy-conscious choices at every step.
Anonymous Online Content
If you run an anonymous blog and want to post images, make sure to strip all metadata before uploading anything. Metadata can include sensitive details like:
- Geographic coordinates
- Timestamps
- Camera or phone model
- Author or device name
- Software used to edit the file
Even a harmless-looking image might accidentally expose something—like an iconic landmark in the background, or even your own reflection in a window. Always weigh the risks of what a picture could reveal about you, both in metadata and in content.
A simple and reliable FOSS tool to remove metadata is ExifCleaner. It works on Linux, macOS, and Windows, and has an easy drag-and-drop interface. Make it a habit to run every image through ExifCleaner (or a similar tool) before publishing it.
Text content can be just as revealing as images.
Every person has a unique way of writing. This is known as stylometry—and it can be used to identify you.
Stylometric analysis, used in linguistic forensics, involves algorithms that compare your:
- Word choices (linguistic features)
- Sentence structure, hyphenation, punctuation (syntactic features)
- Use of acronyms and content-specific vocabulary
- Grammatical quirks or repeated spelling mistakes (idiosyncratic features)
These patterns can be matched with texts you’ve posted elsewhere—on Twitter, Reddit, forums, or blogs—sometimes even pointing to your approximate age, gender, or personality.
To counteract forensic linguistic analysis, you should:
- Be aware of your writing style
- Identify patterns in how you write—and intentionally break them
- Use a spell checker to eliminate consistent spelling errors
- Consider using translation tools to further obscure your voice:
- Translate your text through several languages and then back into your target language
- This will help strip away personal nuances and create a more neutral tone
For deeper insights, we recommend reading How to Counteract Forensic Linguistics.
Maintaining anonymity isn’t just about what tools you use—it’s also about how you write, what you post, and the small traces you leave behind without even realizing it. Stay mindful.
Please keep in mind that technologies change and so do the means to track and to fingerprint users online. It is important to stay comitted...
