Tor is an invaluable tool for protecting free-speech, privacy, and preventing surveillance but when abused it can protect the identity of malicious users and make tracking their activities more difficult. «Hackers» might use Tor to run security scans on your website or spam websites with comments and fake registrations.

The purpose of this plugin is to give you the power to block certain Tor activity from your WordPress site.

Features include:

  • Запретить Tor-пользователям регистрироваться на вашем сайте
  • Разрешить регистрации через Tor, но помечать их для последующего рассмотрения
  • Block logins from Tor (useful for preventing brute force attacks and securing your admin panel)
  • Запретить Tor-пользователям оставлять комментарии
  • Блокировать спам через пингбэк & тракбэк с Tor IP-адресов
  • Полностью запретить Tor-пользователям доступ к сайту
  • Permit access after solving a CAPTCHA (requires hCaptcha for WordPress plugin)
  • Real-time blocking using the Tor DNS exit list service
  • Near real time blocking using a cached blocklist which can be updated every 10 minutes or more
  • Custom blocklist support. Block IP addresses or host networks.
  • Statistics to show how many Tor actions have been blocked by this plugin

This plugin is compatible with BuddyPress, the popular Login With Ajax plugin, and hCaptcha.

If there is a feature missing that you would like, request it!

If you opt to use the real-time blocking, each IP address looked up is cached for 5 minutes for efficiency.

The Tor IP lists that are downloaded only contain «exit node» IP addresses so it is relatively small and the list is searched using a binary search so the plugin is very fast!

This plugin also adds two shortcodes which can be used to display specific content to Tor or non-Tor users. Shortcode usage:

[tor_users]Hi, I see you're using Tor.  I support privacy and free-speech too! Visitors not using Tor will not see this message.[/tor_users]
[non_tor_users]Defend yourself against tracking and surveillance. Circumvent censorship. Visit to learn more. Visitors already using Tor will not see this message.[/non_tor_users]

Support Tor

Tor is a great thing. If you agree, consider volunteering, donating to the Tor project, or expand the Tor network by sponsoring a Tor relay which will be maintained by the plugin author.

Support this plugin

The author of this plugin values Tor as well as the security of your website. Considerable effort went into the development of this plugin as well as the code and infrastructure that provides you with the up-to-date exit lists.

You can support this plugin by installing it, rating it positively, donating to the author, or sponsoring a Tor relay which will be operated by the plugin developer in your honor.


  • Меню настройки VigilanTor в админке WordPress
  • Flagged users who registered using Tor (compatible with BuddyPress)
  • Сообщение, которое увидит Tor-пользователь, заблокированный при логине на сайт
  • Блокирование входа на сайт, совместимое с логин-плагинами, использующими Ajax
  • Сообщение, которое увидит Tor-пользователь, когда попытается зарегистрироваться (совместимо с BuddyPress)
  • Блокирование комментариев от Tor-пользователей
  • Total site block showing generic message to Tor users
  • Total site block showing a custom page to Tor users (works with most themes)
  • CAPTCHA protection for total site block when no block page is specified
  • CAPTCHA protection added to the block page


Installation is simple

  1. Download the plugin and extract contents to a folder named vigilantor in your /wp-content/plugins/ directory
  2. Активируйте плагин через меню «Плагины» в WordPress.
  3. Customize the settings from your WordPress administration panel

Or, from the WordPress admin screen:

  1. Navigate to Plugins >> Add new
  2. Search for VigilanTor and click Install Now!

Часто задаваемые вопросы

How does this plugin work?

This plugin detects Tor users by using a pre-downloaded list of Tor IP addresses. One nice thing about the Tor network is that it is very easy to get lists of IP addresses that allow Tor users to access the internet.

When a user visits your site and tries to perform one of the restricted actions, their IP is checked against the list of known Tor exit IP addresses. If it’s a match, they won’t be allowed to do what they were trying to do.

Where do the exit lists come from?

Exit lists are served from these domains:


One of these lists is maintained by us. You can see the contents here. Please be kind if you choose to use it for purposes other than this plugin.

How often are the exit lists updated?

You can choose to update the exit lists every 10, 20, 30, 60, 120, or 360 minutes. Updating every 30 or 60 minutes is recommended.

How does the real time checking work?

The real-time checking is very fast since it uses the public Tor DNS exit list service run by the Tor project. A small DNS request is sent that contains the visitor’s IP address which is compared to a list of observed exit relays.

The DNS request will yield a positive response from the service if the criteria matches. Since DNS uses UDP and the packets are small, this is typically a fast and efficient way to perform the check.

How does the CAPTCHA protection work?

In order to use the optional CAPTCHA protection, first install the «hCaptcha for WordPress» plugin and enable the «Block Tor users from all of WordPress» configuration option in VigilanTor.

Когда пользователь Tor зайдёт на ваш сайт, ему будет предложено изображение CAPTCHA. Если он успешно пройдёт CAPTCHA, будет установлена сессионная кука с секретным токеном (сохранённым в БД WordPress), позволяющая обходить блокировку Tor. Эта кука хранится в БД 1 час, и её значение меняется каждый визит, чтобы предотвратить её использование несколькими браузерами.

What PHP version does VigilanTor require?

VigilanTor should work with PHP 5.6 or greater. It has been tested on PHP 5.6, 7.0 — 7.4, and 8.0. If you run into any problems, please report them here. This plugin is not compatible with any PHP 4 version!


It is frustrating to see your website under attack and not be able to do anything because your security software thinks you have to allow TOR, free speech and privacy and all… Well there is no legitimate reason to access my site with TOR and there are clearly many illegitimate reasons. So thank you very much for this plugin, tested it and it works perfectly!


J’aimerais pouvoir être capable de faire ça !!!!
Посмотреть все 11 отзывов

Участники и разработчики

«VigilanTor» — проект с открытым исходным кодом. В развитие плагина внесли свой вклад следующие участники:


Перевести «VigilanTor» на ваш язык.

Заинтересованы в разработке?

Посмотрите код, проверьте SVN репозиторий, или подпишитесь на журнал разработки по RSS.

Журнал изменений


  • Update plugin compatibility to WordPress 6.3.2


  • Update plugin compatibility to WordPress 6.2
  • Update to work with hCaptcha 2.x and 1.x
  • Sanitize vitor_realtime_timeout option in admin settings page


  • Update plugin compatibility to WordPress 5.9
  • Update readme with hCaptcha info


  • Update plugin compatibility to WordPress 5.6
  • Tor’s bulk exit list is now integrated in blocklist; separate download no longer necessary
  • Fix hCaptcha integration to work with latest hCaptcha version
  • Ensure plugin compatibility with PHP 8.0


  • Fix change that broke compatibility with PHP < 5.6


  • Add support for hCaptcha on block page (see &
  • Add option to enable Cloudflare support (recognize CF-Connecting-IP header)
  • Fallback to other page templates when the current theme doesn’t have a «Page» template


  • Update real-time lookup to use newer, simplified Tor DNSEL service (see
  • Exit lists are now a combination of the Tor Project’s bulk exit list and our own maintained Tor exit list
  • Add non_tor_users shortcode
  • Update compatibility to WordPress 5.4.1


  • No changes, released immediately after 1.3.4 where the update URLs were left commented out


  • Update compatibility to WordPress 5.2.3
  • Add backup update URL
  • Fix issue with Ajax list update for when wp-cron is broken; may have used URL with WP_Http that resulted in a redirect and was not followed


  • Add option to use a custom message when «Block Tor users from all of WordPress» is enabled
  • When blocking from the entire site and not using custom block page, set page title to «Access Denied» instead of the default «WordPress Error»


  • Add custom blocklist support
  • Add option to hide comment form from blocked users
  • Reduce download size of exit list and include all IPs from Tor network
  • Add text domain to plugin so it can be translated


  • Expand Tor IP list from relays with the Exit flag to all nodes (some relays without Exit flag in directory are providing exit services)


  • Add optional CAPTCHA protection for Tor addresses
  • Improve exit list update process when wp-cron isn’t working properly


  • Add blocking statistics tracking
  • Prevent race condition causing the exit list to download twice in a short time
  • Remove some PHP 5.3 syntax to lower PHP version requirement


  • Fix issue with Total Site Block option returning false positive


  • Initial release!