Tor is an invaluable tool for protecting free-speech, privacy, and preventing surveillance
but when abused it can protect the identity of malicious users and make tracking their activites more difficult. “Hackers”
might use Tor to run security scans on your website or spam websites with comments and fake registrations.

The purpose of this plugin is to give you the power to block certain Tor activity from your WordPress site.

Features include:

  • Block Tor users from registering on your site
  • Allow Tor registrations, but flag them for review
  • Block logins from Tor (useful for preventing brute force attacks and securing your admin panel)
  • Block Tor users from posting comments to your site
  • Block spammy pingbacks & trackbacks from Tor IP addresses
  • Block Tor users from your entire WordPress site
  • Optionally allow Tor access by solving a CAPTCHA (requires Securimage-WP plugin)
  • Real-time blocking using the Tor DNS exit list service
  • Near real time blocking using a cached blocklist which can be updated every 10 minutes or more
  • Custom blocklist support. Block IP addresses or host networks.
  • Statistics to show how many Tor actions have been blocked by this plugin

This plugin is compatible with BuddyPress, the popular Login With Ajax plugin, and Securimage-WP.

If there is a feature missing that you would like, request it!

If you opt to use the real-time blocking, each IP address looked up is cached for 5 minutes for efficiency.

The Tor IP lists that are downloaded only contain “exit node” IP addresses so it is farily small and the list is
searched using a binary search so the plugin is very fast!

This plugin also provides a shortcode which you can use anywhere on your WordPress site if you’d just like to
show a message to Tor users. (e.g. [tor_users]Hi, I see you're using Tor. I support privacy and free-speech too![/tor_users])

Support Tor

Tor is a great thing. If you agree, consider volunteering,
donating to the Tor project, or expand the Tor network by
sponsoring a Tor relay which will be maintained by the plugin author.

Support this plugin

The author of this plugin values Tor as well as the security of your website. Considerable effort went into the development of
this plugin as well as the code and infrastructure that provides you with the up-to-date exit lists.

You can support this plugin by installing it, rating it positively, donating to the
author, or sponsoring a Tor relay which will be operated by the plugin developer in your honor.


  • VigilanTor settings menu in WordPress admin screen
  • Flagged users who registered using Tor (compatible with BuddyPress)
  • Message shown when Tor users are blocked from logging in
  • Blocked login integrating with Ajax login plugins
  • Message shown when Tor users attempt to register (compatible with BuddyPress)
  • Blocking a comment from a Tor user
  • Total site block showing generic message to Tor users
  • Total site block showing a custom page to Tor users (works with most themes)
  • CAPTCHA protection for total site block when no block page is specified
  • CAPTCHA protection added to the block page


Installation is simple

  1. Download the plugin and extract contents to a folder named vigilantor in your /wp-content/plugins/ directory
  2. Activate the plugin through the ‘Plugins’ menu in WordPress
  3. Customize the settings from your WordPress administration panel

Or, from the WordPress admin screen:

  1. Navigate to Plugins >> Add new
  2. Search for VigilanTor and click Install Now!


How does this plugin work?

This plugin detects Tor users by using a pre-downloaded list of Tor IP addresses. One nice thing about the Tor
network is that it is very easy to get lists of IP addresses that allow Tor users to access the internet.

When a user visits your site and tries to perform one of the restricted actions, their IP is checked against
the list of known Tor exit IP addresses. If it’s a match, they won’t be allowed to do what they were trying
to do.

Where do the exit lists come from?

The exit lists are served by a service made just for this plugin. You can see the exit list
here. Please be kind if you choose to use it for purposes
other than this plugin.

How often are the exit lists updated?

You can choose to update the exit lists every 10, 20, 30, 60, 120, or 360 minutes. The more often exit lists
are updated, the more accurate the detection will be.

How does the real time checking work?

The real-time checking is very fast since it uses the public Tor DNS exit list service
run by the Tor project. A small DNS request is sent that contains the visitor’s IP address, your server IP, and server port
which are then compared to active exit nodes to see if a Tor node with that IP address permits traffic to your address.

The DNS request will yield a postive response from the service if the criteria matches. Since DNS uses UDP and the
packets are small, this is typically a fast and efficient way to perform the check.

How does the CAPTCHA protection work?

In order to use the optional CAPTCHA protection, first install the Securimage-WP plugin and enable the “Block Tor users from all of WordPress”
configuration option in VigilanTor.

When a Tor user visits your site, they will be presented with a CAPTCHA image. After correctly solving the CAPTCHA, a session cookie will be
set in the browser containing a secret token (stored in the WP database) that bypasses the Tor blocking. The cookie is saved in the database
for 1 hour, and it’s value is changed on each visit to prevent the cookie from being used by multiple browsers.

What PHP version does VigilanTor require?

VigilanTor should work with PHP 5.1 or greater. If you run into any problems, please report them here.
This plugin is not compatible with any PHP 4 version!



February 21, 2019
J'aimerais pouvoir être capable de faire ça !!!!
October 9, 2017
Working great. I have blocked user visit from tor. Because an idiot copying my website all content using tor browser. However, I want to ask a question. Do it slow down my server if i setup frequency checking 10 minutes? Or this plugin doesn't have any relation to slowing down my server?
September 7, 2017
First of all, thanks to the Drew Phillips for making this great plugin. Secondly, all WordPress users should use this as a large number of vulnerability probes occur through TOR Network.
Read all 8 reviews

Contributors & Developers

“VigilanTor” is open source software. The following people have contributed to this plugin.


Translate “VigilanTor” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.



  • Add option to use a custom message when “Block Tor users from all of WordPress” is enabled
  • When blocking from the entire site and not using custom block page, set page title to “Access Denied” instead of the default “WordPress Error”


  • Add custom blocklist support
  • Add option to hide comment form from blocked users
  • Reduce download size of exit list and include all IPs from Tor network
  • Add text domain to plugin so it can be translated


  • Expand Tor IP list from relays with the Exit flag to all nodes (some relays without Exit flag in directory are providing exit services)


  • Add optional CAPTCHA protection for Tor addresses
  • Improve exit list update process when wp-cron isn’t working properly


  • Add blocking statistics tracking
  • Prevent race condition causing the exit list to download twice in a short time
  • Remove some PHP 5.3 syntax to lower PHP version requirement


  • Fix issue with Total Site Block option returning false positive


  • Initial release!